public inbox for cygwin@cygwin.com
* how to drop administrator privileges?
@ 2012-04-26 20:34 Achim Gratz
  2012-04-26 21:33 ` Charles Wilson
  0 siblings, 1 reply; 9+ messages in thread
From: Achim Gratz @ 2012-04-26 20:34 UTC
  To: cygwin


I've recently had a test fail because I started it with administrator
privileges (via the Administrator group).  The test tried to write to a
file that it set read-only before and of course as an administrator it
was still able to write to it.  So the test fail wasn't really that
important, but I can't seem to find a way to drop administrator
privileges once I have a shell opened with "run as administrator".  Is
there a command that will shed those rights for a sub-shell?


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: how to drop administrator privileges?
  2012-04-26 20:34 how to drop administrator privileges? Achim Gratz
@ 2012-04-26 21:33 ` Charles Wilson
  2012-04-27  5:50   ` Achim Gratz
  0 siblings, 1 reply; 9+ messages in thread
From: Charles Wilson @ 2012-04-26 21:33 UTC
  To: cygwin

On 4/26/2012 4:33 PM, Achim Gratz wrote:
> 
> I've recently had a test fail because I started it with administrator
> privileges (via the Administrator group).  The test tried to write to a
> file that it set read-only before and of course as an administrator it
> was still able to write to it.  So the test fail wasn't really that
> important, but I can't seem to find a way to drop administrator
> privileges once I have a shell opened with "run as administrator".  Is
> there a command that will shed those rights for a sub-shell?

The "cygdrop.exe" utility is part of the cygutils package.

--
Chuck


* Re: how to drop administrator privileges?
  2012-04-26 21:33 ` Charles Wilson
@ 2012-04-27  5:50   ` Achim Gratz
  2012-04-27  7:35     ` Achim Gratz
  0 siblings, 1 reply; 9+ messages in thread
From: Achim Gratz @ 2012-04-27  5:50 UTC
  To: cygwin

Charles Wilson writes:
> The "cygdrop.exe" utility is part of the cygutils package.

Thank you.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf rackAttack V1.04R1:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada



* Re: how to drop administrator privileges?
  2012-04-27  5:50   ` Achim Gratz
@ 2012-04-27  7:35     ` Achim Gratz
  2012-04-27  8:20       ` Corinna Vinschen
  0 siblings, 1 reply; 9+ messages in thread
From: Achim Gratz @ 2012-04-27  7:35 UTC
  To: cygwin

> Charles Wilson writes:
> > The "cygdrop.exe" utility is part of the cygutils package.

(1001)~ # cygdrop -v ls
GetTokenInformation: error 122
(1002)~ # cygdrop ls
GetTokenInformation: error 122
(1003)~ # cygdrop
Usage: cygdrop [OPTIONS] COMMAND [ARG ...]

Group options
  -l        Disable local administrator group [default]
[...]

Any ideas how to not get an "error 122"?


Regards,
Achim.




* Re: how to drop administrator privileges?
  2012-04-27  7:35     ` Achim Gratz
@ 2012-04-27  8:20       ` Corinna Vinschen
  2012-04-27 14:43         ` Charles Wilson
  2012-04-30 16:40         ` Christian Franke
  0 siblings, 2 replies; 9+ messages in thread
From: Corinna Vinschen @ 2012-04-27  8:20 UTC
  To: cygwin

On Apr 27 07:33, Achim Gratz wrote:
> > Charles Wilson writes:
> > > The "cygdrop.exe" utility is part of the cygutils package.
> 
> (1001)~ # cygdrop -v ls
> GetTokenInformation: error 122
> (1002)~ # cygdrop ls
> GetTokenInformation: error 122
> (1003)~ # cygdrop
> Usage: cygdrop [OPTIONS] COMMAND [ARG ...]
> 
> Group options
>   -l        Disable local administrator group [default]
> [...]

Just removing the admin group membership won't do in your scenario.  The
SE_BACKUP_NAME and SE_RESTORE_NAME privileges will still be in the
restricted token, so the process will still have permissions to do
(almost) everything with files.  What you probably want is

  cygdrop -l -p SeBackupPrivilege -p SeRestorePrivilege <command>

> Any ideas how to not get an "error 122"?

Fixing cygdrop.

  $ net helpmsg 122
  The data area passed to a system call is too small.

A quick look into the sources shows that the maximum buffer size for
the group list returned by GetTokenInformation is wrongly computed:

  max_groups = 100;
  char groups_buf[sizeof(DWORD) + max_groups * sizeof(SID_AND_ATTRIBUTES)];

The SID_AND_ATTRIBUTES structure only contains a pointer to the SID, so
what's missing is actual space for the SIDs.

But it would be better to leave that to the OS anyway:

--- origsrc/cygutils-1.4.10/src/cygdrop/cygdrop.cc	2011-04-29 05:40:49.000000000 +0200
+++ src/cygutils-1.4.10/src/cygdrop/cygdrop.cc	2012-04-27 10:14:00.444641764 +0200
@@ -317,9 +317,13 @@ main (int argc, char **argv)
     return winerror("OpenProcessToken");
 
   // Get groups.
-  char groups_buf[sizeof(DWORD) + max_groups * sizeof(SID_AND_ATTRIBUTES)];
-  TOKEN_GROUPS * groups = (TOKEN_GROUPS *)groups_buf;
   DWORD size = 0;
+  if (!GetTokenInformation (proc_token, TokenGroups, NULL, 0, &size)
+      && GetLastError () != ERROR_INSUFFICIENT_BUFFER)
+    return winerror ("GetTokenInformation");
+
+  char groups_buf[size];
+  TOKEN_GROUPS * groups = (TOKEN_GROUPS *)groups_buf;
   if (!GetTokenInformation (proc_token, TokenGroups, groups, sizeof(groups_buf), &size))
     return winerror ("GetTokenInformation");
 

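Review bot: `char groups_buf[size];` in the added lines is a variable-length array, which is a GNU extension in a .cc file, and it places an OS-reported number of bytes on the stack with only char alignment before the cast to `TOKEN_GROUPS *`. Allocating the buffer on the heap (checked for NULL) and passing `size` rather than `sizeof(groups_buf)` to the second call would keep the probed length without relying on the extension. The probe branch also falls through when the first `GetTokenInformation` call returns success, so that case reaches the array declaration without any check on `size`; treating it as an error would make the failure explicit.
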
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
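
The sizing bug explained in the message above, modelled as an added example (not code from cygutils or from anyone in this thread). Portable stand-in structs and a mock query function follow the same "report the required size, fail with 122 if the buffer is too small" contract, so it runs without Windows; the type names, `query_groups`, and the SIDs with 5 sub-authorities are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Portable stand-ins for the Windows types (layout model only, hypothetical names). */
typedef struct { uint8_t rev, sub_count, authority[6]; uint32_t sub[]; } sid_t;
typedef struct { sid_t *sid; uint32_t attrs; } sid_and_attrs_t;
typedef struct { uint32_t count; sid_and_attrs_t groups[]; } token_groups_t;
#define ERR_TOO_SMALL 122  /* "data area passed to a system call is too small" */
#define SID_LEN(n) (sizeof(sid_t) + (n) * sizeof(uint32_t))

/* Bytes needed: header, one entry per group, plus the SID bodies they point to. */
size_t needed_size(uint32_t ngroups, uint8_t subs) {
    return sizeof(token_groups_t) + ngroups * (sizeof(sid_and_attrs_t) + SID_LEN(subs));
}

/* Mock query: always reports the required size; fills buf only if it fits. */
int query_groups(uint32_t ngroups, uint8_t subs, void *buf, size_t len, size_t *needed) {
    *needed = needed_size(ngroups, subs);
    if (buf == NULL || len < *needed) return ERR_TOO_SMALL;
    token_groups_t *tg = buf;
    uint8_t *body = (uint8_t *)&tg->groups[ngroups];  /* SID bodies follow the array */
    tg->count = ngroups;
    for (uint32_t i = 0; i < ngroups; i++, body += SID_LEN(subs)) {
        sid_t *s = memset(body, 0, SID_LEN(subs));
        s->rev = 1; s->sub_count = subs; s->sub[subs - 1] = 1000 + i; /* constructed RID */
        tg->groups[i].sid = s; tg->groups[i].attrs = 0;
    }
    return 0;
}

/* Old sizing from the thread: room for 100 entries, none for the SID bodies. */
int fixed_buffer_query(uint32_t ngroups, uint8_t subs) {
    size_t needed, len = sizeof(uint32_t) + 100 * sizeof(sid_and_attrs_t);
    void *buf = malloc(len);
    int rc = buf ? query_groups(ngroups, subs, buf, len, &needed) : -1;
    free(buf);
    return rc;
}

/* Two-call pattern: probe for the size, then allocate exactly that much. */
int probed_query(uint32_t ngroups, uint8_t subs, uint32_t *last_rid) {
    size_t needed = 0;
    if (query_groups(ngroups, subs, NULL, 0, &needed) != ERR_TOO_SMALL) return -1;
    token_groups_t *tg = malloc(needed);
    int rc = tg ? query_groups(ngroups, subs, tg, needed, &needed) : -1;
    if (rc == 0) *last_rid = tg->groups[tg->count - 1].sid->sub[subs - 1];
    free(tg);
    return rc;
}
```

In this model the fixed buffer already fails at 40 groups, well below the nominal limit of 100, because each entry costs its pointer slot plus the SID it points to.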


* Re: how to drop administrator privileges?
  2012-04-27  8:20       ` Corinna Vinschen
@ 2012-04-27 14:43         ` Charles Wilson
  2013-05-29 12:35           ` Achim Gratz
  2012-04-30 16:40         ` Christian Franke
  1 sibling, 1 reply; 9+ messages in thread
From: Charles Wilson @ 2012-04-27 14:43 UTC
  To: cygwin

On 4/27/2012 4:20 AM, Corinna Vinschen wrote:
> Fixing cygdrop.

Thanks for the patch; I'm pretty busy this weekend but I'll try to roll
out a new cygutils release Monday or so.

If anybody wants to investigate the following over the weekend:

TODO (call for patches):
================================
* Update (some?) utilities to handle unicode filenames, similar to
  IWAMURO Motonori's work on cygstart. Which utilities need this?
  mkshortcut and readshortcut probably. Any others?

* unicode support in putclip/getclip (aside from the suggestion to
  just replace them with shell scripts that use >/dev/clipboard and
  </dev/clipboard, which wouldn't be callable outside a cygwin shell)

I'd be grateful...

--
Chuck



* Re: how to drop administrator privileges?
  2012-04-27  8:20       ` Corinna Vinschen
  2012-04-27 14:43         ` Charles Wilson
@ 2012-04-30 16:40         ` Christian Franke
  1 sibling, 0 replies; 9+ messages in thread
From: Christian Franke @ 2012-04-30 16:40 UTC
  To: cygwin

Corinna Vinschen wrote:
> Fixing cygdrop.
>
>    $ net helpmsg 122
>    The data area passed to a system call is too small.
>
> A quick look into the sources shows that the maximum buffer size for
> the group list returned by GetTokenInformation is wrongly computed:
>
>    max_groups = 100;
>    char groups_buf[sizeof(DWORD) + max_groups * sizeof(SID_AND_ATTRIBUTES)];
>
> The SID_AND_ATTRIBUTES structure only contains a pointer to the SID, so
> what's missing is actual space for the SIDs.

Oops.

> But it would be better to leave that to the OS anyway:

Thanks for the patch. Works as expected.

Christian



* Re: how to drop administrator privileges?
  2012-04-27 14:43         ` Charles Wilson
@ 2013-05-29 12:35           ` Achim Gratz
  2013-05-31  2:51             ` Charles Wilson
  0 siblings, 1 reply; 9+ messages in thread
From: Achim Gratz @ 2013-05-29 12:35 UTC
  To: cygwin

Charles Wilson <cygwin <at> cwilson.fastmail.fm> writes:
> On 4/27/2012 4:20 AM, Corinna Vinschen wrote:
> > Fixing cygdrop.
> 
> Thanks for the patch; I'm pretty busy this weekend but I'll try to roll
> out a new cygutils release Monday or so.

Sorry for this blast from the past, but cygutils have been updated a few
times and I still get the same error... has the patch not been applied or is
there something else that needs fixing?


Regards,
Achim.



* Re: how to drop administrator privileges?
  2013-05-29 12:35           ` Achim Gratz
@ 2013-05-31  2:51             ` Charles Wilson
  0 siblings, 0 replies; 9+ messages in thread
From: Charles Wilson @ 2013-05-31  2:51 UTC
  To: cygwin

On 5/29/2013 8:18 AM, Achim Gratz wrote:
> Sorry for this blast from the past, but cygutils have been updated a few
> times and I still get the same error... has the patch not been applied or is
> there something else that needs fixing?

No, thanks for the reminder. I completely dropped the ball on this one. 
The patch is now in CVS so it will be in the next release, which should 
be soon.

--
Chuck


