* how to drop administrator privileges?
@ 2012-04-26 20:34 Achim Gratz
2012-04-26 21:33 ` Charles Wilson
0 siblings, 1 reply; 9+ messages in thread
From: Achim Gratz @ 2012-04-26 20:34 UTC (permalink / raw)
To: cygwin
I've recently had a test fail because I started it with administrator
privileges (via the Administrator group). The test tried to write to a
file that it set read-only before and of course as an administrator it
was still able to write to it. So the test fail wasn't really that
important, but I can't seem to find a way to drop administrator
privileges once I have a shell opened with "run as administrator". Is
there a command that will shed those rights for a sub-shell?
Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
Factory and User Sound Singles for Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: how to drop administrator privileges?
2012-04-26 20:34 how to drop administrator privileges? Achim Gratz
@ 2012-04-26 21:33 ` Charles Wilson
2012-04-27 5:50 ` Achim Gratz
0 siblings, 1 reply; 9+ messages in thread
From: Charles Wilson @ 2012-04-26 21:33 UTC (permalink / raw)
To: cygwin
On 4/26/2012 4:33 PM, Achim Gratz wrote:
>
> I've recently had a test fail because I started it with administrator
> privileges (via the Administrator group). The test tried to write to a
> file that it set read-only before and of course as an administrator it
> was still able to write to it. So the test fail wasn't really that
> important, but I can't seem to find a way to drop administrator
> privileges once I have a shell opened with "run as administrator". Is
> there a command that will shed those rights for a sub-shell?
The "cygdrop.exe" utility is part of the cygutils package.
--
Chuck
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: how to drop administrator privileges?
2012-04-26 21:33 ` Charles Wilson
@ 2012-04-27 5:50 ` Achim Gratz
2012-04-27 7:35 ` Achim Gratz
0 siblings, 1 reply; 9+ messages in thread
From: Achim Gratz @ 2012-04-27 5:50 UTC (permalink / raw)
To: cygwin
Charles Wilson writes:
> The "cygdrop.exe" utility is part of the cygutils package.
Thank you.
Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
SD adaptation for Waldorf rackAttack V1.04R1:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: how to drop administrator privileges?
2012-04-27 5:50 ` Achim Gratz
@ 2012-04-27 7:35 ` Achim Gratz
2012-04-27 8:20 ` Corinna Vinschen
0 siblings, 1 reply; 9+ messages in thread
From: Achim Gratz @ 2012-04-27 7:35 UTC (permalink / raw)
To: cygwin
> Charles Wilson writes:
> > The "cygdrop.exe" utility is part of the cygutils package.
(1001)~ # cygdrop -v ls
GetTokenInformation: error 122
(1002)~ # cygdrop ls
GetTokenInformation: error 122
(1003)~ # cygdrop
Usage: cygdrop [OPTIONS] COMMAND [ARG ...]
Group options
-l Disable local administrator group [default]
[...]
Any ideas how to not get an "error 122"?
Regards,
Achim.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: how to drop administrator privileges?
2012-04-27 7:35 ` Achim Gratz
@ 2012-04-27 8:20 ` Corinna Vinschen
2012-04-27 14:43 ` Charles Wilson
2012-04-30 16:40 ` Christian Franke
0 siblings, 2 replies; 9+ messages in thread
From: Corinna Vinschen @ 2012-04-27 8:20 UTC (permalink / raw)
To: cygwin
On Apr 27 07:33, Achim Gratz wrote:
> > Charles Wilson writes:
> > > The "cygdrop.exe" utility is part of the cygutils package.
>
> (1001)~ # cygdrop -v ls
> GetTokenInformation: error 122
> (1002)~ # cygdrop ls
> GetTokenInformation: error 122
> (1003)~ # cygdrop
> Usage: cygdrop [OPTIONS] COMMAND [ARG ...]
>
> Group options
> -l Disable local administrator group [default]
> [...]
Just removing the admin group membership won't do in your scenario. The
SE_BACKUP_NAME and SE_RESTORE_NAME privileges will still be in the
restricted token, so the process will still have permissions to do
(almost) everything with files. What you probably want is
cygdrop -l -p SeBackupPrivilege -p SeRestorePrivilege <command>
> Any ideas how to not get an "error 122"?
Fixing cygdrop.
$ net helpmsg 122
The data area passed to a system call is too small.
A quick look into the sources shows that the maximum buffer size for
the group list returned by GetTokenInformation is wrongly computed:
max_groups = 100;
char groups_buf[sizeof(DWORD) + max_groups * sizeof(SID_AND_ATTRIBUTES)];
The SID_AND_ATTRIBUTES structure only contains a pointer to the SID, so
what's missing is actual space for the SIDs.
But it would be better to leave that to the OS anyway:
--- origsrc/cygutils-1.4.10/src/cygdrop/cygdrop.cc 2011-04-29 05:40:49.000000000 +0200
+++ src/cygutils-1.4.10/src/cygdrop/cygdrop.cc 2012-04-27 10:14:00.444641764 +0200
@@ -317,9 +317,13 @@ main (int argc, char **argv)
return winerror("OpenProcessToken");
// Get groups.
- char groups_buf[sizeof(DWORD) + max_groups * sizeof(SID_AND_ATTRIBUTES)];
- TOKEN_GROUPS * groups = (TOKEN_GROUPS *)groups_buf;
DWORD size = 0;
+ if (!GetTokenInformation (proc_token, TokenGroups, NULL, 0, &size)
+ && GetLastError () != ERROR_INSUFFICIENT_BUFFER)
+ return winerror ("GetTokenInformation");
+
+ char groups_buf[size];
+ TOKEN_GROUPS * groups = (TOKEN_GROUPS *)groups_buf;
if (!GetTokenInformation (proc_token, TokenGroups, groups, sizeof(groups_buf), &size))
return winerror ("GetTokenInformation");
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: how to drop administrator privileges?
2012-04-27 8:20 ` Corinna Vinschen
@ 2012-04-27 14:43 ` Charles Wilson
2013-05-29 12:35 ` Achim Gratz
2012-04-30 16:40 ` Christian Franke
1 sibling, 1 reply; 9+ messages in thread
From: Charles Wilson @ 2012-04-27 14:43 UTC (permalink / raw)
To: cygwin
On 4/27/2012 4:20 AM, Corinna Vinschen wrote:
> Fixing cygdrop.
Thanks for the patch; I'm pretty busy this weekend but I'll try to roll
out a new cygutils release Monday or so.
If anybody wants to investigate the following over the weekend:
TODO (call for patches):
================================
* Update (some?) utilities to handle unicode filenames, similar to
IWAMURO Motonori's work on cygstart. Which utilities need this?
mkshortcut and readshortcut probably. Any others?
* unicode support in putclip/getclip (aside from the suggestion to
just replace them with shell scripts that use >/dev/clipboard and
</dev/clipboard, which wouldn't be callable outside a cygwin shell)
I'd be grateful...
--
Chuck
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: how to drop administrator privileges?
2012-04-27 8:20 ` Corinna Vinschen
2012-04-27 14:43 ` Charles Wilson
@ 2012-04-30 16:40 ` Christian Franke
1 sibling, 0 replies; 9+ messages in thread
From: Christian Franke @ 2012-04-30 16:40 UTC (permalink / raw)
To: cygwin
Corinna Vinschen wrote:
> Fixing cygdrop.
>
> $ net helpmsg 122
> The data area passed to a system call is too small.
>
> A quick look into the sources shows that the maximum buffer size for
> the group list returned by GetTokenInformation is wrongly computed:
>
> max_groups = 100;
> char groups_buf[sizeof(DWORD) + max_groups * sizeof(SID_AND_ATTRIBUTES)];
>
> The SID_AND_ATTRIBUTES structure only contains a pointer to the SID, so
> what's missing is actual space for the SIDs.
Oops.
> But it would be better to leave that to the OS anyway:
Thanks for the patch. Works as expected.
Christian
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: how to drop administrator privileges?
2012-04-27 14:43 ` Charles Wilson
@ 2013-05-29 12:35 ` Achim Gratz
2013-05-31 2:51 ` Charles Wilson
0 siblings, 1 reply; 9+ messages in thread
From: Achim Gratz @ 2013-05-29 12:35 UTC (permalink / raw)
To: cygwin
Charles Wilson <cygwin <at> cwilson.fastmail.fm> writes:
> On 4/27/2012 4:20 AM, Corinna Vinschen wrote:
> > Fixing cygdrop.
>
> Thanks for the patch; I'm pretty busy this weekend but I'll try to roll
> out a new cygutils release Monday or so.
Sorry for this blast from the past, but cygutils have been updated a few
times and I still get the same error... has the patch not been applied or is
there something else that needs fixing?
Regards,
Achim.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: how to drop administrator privileges?
2013-05-29 12:35 ` Achim Gratz
@ 2013-05-31 2:51 ` Charles Wilson
0 siblings, 0 replies; 9+ messages in thread
From: Charles Wilson @ 2013-05-31 2:51 UTC (permalink / raw)
To: cygwin
On 5/29/2013 8:18 AM, Achim Gratz wrote:
> Sorry for this blast from the past, but cygutils have been updated a few
> times and I still get the same error... has the patch not been applied or is
> there something else that needs fixing?
No, thanks for the reminder. I completely dropped the ball on this one.
The patch is now in CVS so it will be in the next release, which should
be soon.
--
Chuck
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2013-05-31 1:58 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-04-26 20:34 how to drop administrator privileges? Achim Gratz
2012-04-26 21:33 ` Charles Wilson
2012-04-27 5:50 ` Achim Gratz
2012-04-27 7:35 ` Achim Gratz
2012-04-27 8:20 ` Corinna Vinschen
2012-04-27 14:43 ` Charles Wilson
2013-05-29 12:35 ` Achim Gratz
2013-05-31 2:51 ` Charles Wilson
2012-04-30 16:40 ` Christian Franke
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).