To: cygwin@cygwin.com
From: Herb Maeder
In-reply-to: Corinna Vinschen's message of Thu, 13 Nov 2008 14:57:20 +0100.
Subject: Re: sshd on vista error "initgroups: Permission denied" (cygwin-1.7)
Date: Fri, 14 Nov 2008 07:31:00 -0000
Message-ID: <8140.1226620083@maeder.org>

On 13 Nov 2008 14:57:20 +0100, Corinna Vinschen wrote:
> On Nov 13 11:35, Corinna Vinschen wrote:
> > On Nov 12 16:57, Herb Maeder wrote:
> > > Bum deal.  But thanks for the explanation.  That clarifies what I was
> > > seeing.
> >
> > Actually there is a way to elevate a console application which is the
> > manifest file.  Unfortunately this only works for executables, not for
> > scripts.
> >
> > I didn't try it myself, but maybe something like this works:
> >
> >   $ cd /bin
> >   $ cp bash.exe bash-elevated.exe
> >   $ sed 's/nstall\.exe/bash-elevated.exe/g' < install.exe > bash-elevated.exe.manifest
> >   $ sed '1s/bash/bash-elevated/' < ssh-host-config > ssh-host-config-elevated
> >   $ ssh-host-config-elevated
> >
> > Sometimes adding a manifest file to an executable doesn't work immediately
> > due to some caching in Windows but basically this should work.
>
> On second thought, this can't work.  The manifest file starts the
> application with an execution level of "asInvoker" which means *not*
> elevated.  Even if you change this to elevated (I don't know the right
> level string for this off hand), the problem that you won't get an
> elevation prompt when a process gets started through CreateProcess
> remains the same.  Too bad.  The manifests work in one direction, but
> they don't in the other.  Baeh.

Yeah, I think that corresponds to what I found... there's no way to
elevate a command without somehow firing off another application like
a separate cmd window.

Along similar lines, I tried to "cp /bin/bash.exe /bin/bash-elev.exe",
then set bash-elev to run as administrator, with

    Right Click -> Properties -> Compatibility

then check the "Run this program as an administrator" box.

There was no love when invoking bash-elev.exe directly from a bash
command line, but invoking it via a cmd shell did the trick.

The best I was able to do was to create an "elev.sh" script like this:

    #!/bin/bash
    eval 'cmd /c bash-elev -c '\'${1+"$@"}\'''

I know that the quoting is not quite right to deal with all possible
arguments correctly, but it should be good enough to fire off some
generic elevated commands.  For example:

    elev.sh /bin/ssh-host-config -y

or even something like this will work:

    elev.sh "/bin/bash somescript.sh \"a b\" c > out; sleep 4"

If elev.sh is called from an already elevated bash shell (run with
"Run as administrator"), then there will be no UAC prompt and the
output will appear normally in the shell.

But if the invoking shell is not elevated, then it will display the UAC
prompt, and fire off a separate cmd shell window.  The bummer is that
for normal commands, any output will be displayed in the new cmd window,
which will exit immediately (i.e. user won't see the output).  Though
it is possible to redirect the output to a file.

Still, even with these drawbacks, something like this might be useful
for us in ssh-host-config.
If the invoking shell is already elevated, things will pretty much work
the way they do now.  But if it is invoked from a normal shell, the user
would get prompted to elevate, and then the ssh-host-config queries and
input would happen in a different cmd window.  Not great, but still
better than just exiting with an error (or, worse, trying to continue
with insufficient privileges).

Herb.
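
Added example, not part of the original message: one way around the quoting limits of elev.sh and the lost output is to write the command into a one-shot script with every argument single-quoted, send its output to a log file, and pass only the script path through cmd. The function names, the ELEV_LAUNCHER override and the temp-file layout are assumptions; bash-elev is the copy described in the message, and the approach suits non-interactive commands.

```bash
#!/bin/bash
# Added example; shquote, make_elev_script, elev and ELEV_LAUNCHER are
# hypothetical names. bash-elev is the "Run as administrator" copy of bash.

# Single-quote one word so a shell re-parses it as the same word.
shquote() {
    local s out head
    s=$1; out=
    while :; do
        case $s in
            *\'*) head=${s%%\'*}; s=${s#*\'}; out="$out$head'\\''" ;;
            *)    break ;;
        esac
    done
    printf "'%s'" "$out$s"
}

# Write a one-shot script that replays "$@" exactly, sends its output to
# LOG, then deletes itself and keeps the command's exit status.
make_elev_script() {
    local log script line arg
    log=$1; shift
    [ $# -gt 0 ] || return 2
    script=$(mktemp "${TMPDIR:-/tmp}/elev.XXXXXX") || return 1
    line=
    for arg in "$@"; do line="$line$(shquote "$arg") "; done
    {
        printf '#!/bin/bash\n'
        printf 'exec >%s 2>&1\n' "$(shquote "$log")"
        printf '%s\n' "$line"
        printf 'rc=$?; rm -f -- "$0"; exit "$rc"\n'
    } > "$script"
    chmod 700 "$script"            # only the invoking user may read or edit it
    printf '%s\n' "$script"
}

# Launch the script through the elevated copy and print the log path.
# Only a plain path crosses cmd, so cmd never sees the arguments.
elev() {
    local log script
    log=$(mktemp "${TMPDIR:-/tmp}/elev-log.XXXXXX") || return 1
    script=$(make_elev_script "$log" "$@") || return
    ${ELEV_LAUNCHER:-cmd /c bash-elev} "$script" || return
    printf '%s\n' "$log"
}
```

Calling `log=$(elev /bin/ssh-host-config -y)` returns the log path. The message does not establish whether cmd waits for the elevated process, so read the log once the new window has closed.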