* how to drop administrator privileges? @ 2012-04-26 20:34 Achim Gratz 2012-04-26 21:33 ` Charles Wilson 0 siblings, 1 reply; 9+ messages in thread From: Achim Gratz @ 2012-04-26 20:34 UTC (permalink / raw) To: cygwin I've recently had a test fail because I started it with administrator privileges (via the Administrator group). The test tried to write to a file that it set read-only before and of course as an administrator it was still able to write to it. So the test fail wasn't really that important, but I can't seem to find a way to drop administrator privileges once I have a shell opened with "run as administrator". Is there a command that will shed those rights for a sub-shell? Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ Factory and User Sound Singles for Waldorf Blofeld: http://Synth.Stromeko.net/Downloads.html#WaldorfSounds -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: how to drop administrator privileges? 2012-04-26 20:34 how to drop administrator privileges? Achim Gratz @ 2012-04-26 21:33 ` Charles Wilson 2012-04-27 5:50 ` Achim Gratz 0 siblings, 1 reply; 9+ messages in thread From: Charles Wilson @ 2012-04-26 21:33 UTC (permalink / raw) To: cygwin On 4/26/2012 4:33 PM, Achim Gratz wrote: > > I've recently had a test fail because I started it with administrator > privileges (via the Administrator group). The test tried to write to a > file that it set read-only before and of course as an administrator it > was still able to write to it. So the test fail wasn't really that > important, but I can't seem to find a way to drop administrator > privileges once I have a shell opened with "run as administrator". Is > there a command that will shed those rights for a sub-shell? The "cygdrop.exe" utility is part of the cygutils package. -- Chuck -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: how to drop administrator privileges? 2012-04-26 21:33 ` Charles Wilson @ 2012-04-27 5:50 ` Achim Gratz 2012-04-27 7:35 ` Achim Gratz 0 siblings, 1 reply; 9+ messages in thread From: Achim Gratz @ 2012-04-27 5:50 UTC (permalink / raw) To: cygwin Charles Wilson writes: > The "cygdrop.exe" utility is part of the cygutils package. Thank you. Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ SD adaptation for Waldorf rackAttack V1.04R1: http://Synth.Stromeko.net/Downloads.html#WaldorfSDada -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: how to drop administrator privileges? 2012-04-27 5:50 ` Achim Gratz @ 2012-04-27 7:35 ` Achim Gratz 2012-04-27 8:20 ` Corinna Vinschen 0 siblings, 1 reply; 9+ messages in thread From: Achim Gratz @ 2012-04-27 7:35 UTC (permalink / raw) To: cygwin > Charles Wilson writes: > > The "cygdrop.exe" utility is part of the cygutils package. (1001)~ # cygdrop -v ls GetTokenInformation: error 122 (1002)~ # cygdrop ls GetTokenInformation: error 122 (1003)~ # cygdrop Usage: cygdrop [OPTIONS] COMMAND [ARG ...] Group options -l Disable local administrator group [default] [...] Any ideas how to not get an "error 122"? Regards, Achim. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: how to drop administrator privileges? 2012-04-27 7:35 ` Achim Gratz @ 2012-04-27 8:20 ` Corinna Vinschen 2012-04-27 14:43 ` Charles Wilson 2012-04-30 16:40 ` Christian Franke 0 siblings, 2 replies; 9+ messages in thread From: Corinna Vinschen @ 2012-04-27 8:20 UTC (permalink / raw) To: cygwin On Apr 27 07:33, Achim Gratz wrote: > > Charles Wilson writes: > > > The "cygdrop.exe" utility is part of the cygutils package. > > (1001)~ # cygdrop -v ls > GetTokenInformation: error 122 > (1002)~ # cygdrop ls > GetTokenInformation: error 122 > (1003)~ # cygdrop > Usage: cygdrop [OPTIONS] COMMAND [ARG ...] > > Group options > -l Disable local administrator group [default] > [...] Just removing the admin group membership won't do in your scenario. The SE_BACKUP_NAME and SE_RESTORE_NAME privileges will still be in the restricted token, so the process will still have permissions to do (almost) everything with files. What you probably want is cygdrop -l -p SeBackupPrivilege -p SeRestorePrivilege <command> > Any ideas how to not get an "error 122"? Fixing cygdrop. $ net helpmsg 122 The data area passed to a system call is too small. A quick look into the sources shows that the maximum buffer size for the group list returned by GetTokenInformation is wrongly computed: max_groups = 100; char groups_buf[sizeof(DWORD) + max_groups * sizeof(SID_AND_ATTRIBUTES)]; The SID_AND_ATTRIBUTES structure only contains a pointer to the SID, so what's missing is actual space for the SIDs. But it would be better to leave that to the OS anyway: --- origsrc/cygutils-1.4.10/src/cygdrop/cygdrop.cc 2011-04-29 05:40:49.000000000 +0200 +++ src/cygutils-1.4.10/src/cygdrop/cygdrop.cc 2012-04-27 10:14:00.444641764 +0200 @@ -317,9 +317,13 @@ main (int argc, char **argv) return winerror("OpenProcessToken"); // Get groups. - char groups_buf[sizeof(DWORD) + max_groups * sizeof(SID_AND_ATTRIBUTES)]; - TOKEN_GROUPS * groups = (TOKEN_GROUPS *)groups_buf; DWORD size = 0; + if (!GetTokenInformation (proc_token, TokenGroups, NULL, 0, &size) + && GetLastError () != ERROR_INSUFFICIENT_BUFFER) + return winerror ("GetTokenInformation"); + + char groups_buf[size]; + TOKEN_GROUPS * groups = (TOKEN_GROUPS *)groups_buf; if (!GetTokenInformation (proc_token, TokenGroups, groups, sizeof(groups_buf), &size)) return winerror ("GetTokenInformation"); Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Project Co-Leader cygwin AT cygwin DOT com Red Hat -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: how to drop administrator privileges? 2012-04-27 8:20 ` Corinna Vinschen @ 2012-04-27 14:43 ` Charles Wilson 2013-05-29 12:35 ` Achim Gratz 2012-04-30 16:40 ` Christian Franke 1 sibling, 1 reply; 9+ messages in thread From: Charles Wilson @ 2012-04-27 14:43 UTC (permalink / raw) To: cygwin On 4/27/2012 4:20 AM, Corinna Vinschen wrote: > Fixing cygdrop. Thanks for the patch; I'm pretty busy this weekend but I'll try to roll out a new cygutils release Monday or so. If anybody wants to investigate the following over the weekend: TODO (call for patches): ================================ * Update (some?) utilities to handle unicode filenames, similar to IWAMURO Motonori's work on cygstart. Which utilities need this? mkshortcut and readshortcut probably. Any others? * unicode support in putclip/getclip (aside from the suggestion to just replace them with shell scripts that use >/dev/clipboard and </dev/clipboard, which wouldn't be callable outside a cygwin shell) I'd be grateful... -- Chuck -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: how to drop administrator privileges? 2012-04-27 14:43 ` Charles Wilson @ 2013-05-29 12:35 ` Achim Gratz 2013-05-31 2:51 ` Charles Wilson 0 siblings, 1 reply; 9+ messages in thread From: Achim Gratz @ 2013-05-29 12:35 UTC (permalink / raw) To: cygwin Charles Wilson <cygwin <at> cwilson.fastmail.fm> writes: > On 4/27/2012 4:20 AM, Corinna Vinschen wrote: > > Fixing cygdrop. > > Thanks for the patch; I'm pretty busy this weekend but I'll try to roll > out a new cygutils release Monday or so. Sorry for this blast from the past, but cygutils have been updated a few times and I still get the same error... has the patch not been applied or is there something else that needs fixing? Regards, Achim. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: how to drop administrator privileges? 2013-05-29 12:35 ` Achim Gratz @ 2013-05-31 2:51 ` Charles Wilson 0 siblings, 0 replies; 9+ messages in thread From: Charles Wilson @ 2013-05-31 2:51 UTC (permalink / raw) To: cygwin On 5/29/2013 8:18 AM, Achim Gratz wrote: > Sorry for this blast from the past, but cygutils have been updated a few > times and I still get the same error... has the patch not been applied or is > there something else that needs fixing? No, thanks for the reminder. I completely dropped the ball on this one. The patch is now in CVS so it will be in the next release, which should be soon. -- Chuck -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: how to drop administrator privileges? 2012-04-27 8:20 ` Corinna Vinschen 2012-04-27 14:43 ` Charles Wilson @ 2012-04-30 16:40 ` Christian Franke 1 sibling, 0 replies; 9+ messages in thread From: Christian Franke @ 2012-04-30 16:40 UTC (permalink / raw) To: cygwin Corinna Vinschen wrote: > Fixing cygdrop. > > $ net helpmsg 122 > The data area passed to a system call is too small. > > A quick look into the sources shows that the maximum buffer size for > the group list returned by GetTokenInformation is wrongly computed: > > max_groups = 100; > char groups_buf[sizeof(DWORD) + max_groups * sizeof(SID_AND_ATTRIBUTES)]; > > The SID_AND_ATTRIBUTES structure only contains a pointer to the SID, so > what's missing is actual space for the SIDs. Oops. > But it would be better to leave that to the OS anyway: Thanks for the patch. Works as expected. Christian -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2013-05-31 1:58 UTC | newest] Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2012-04-26 20:34 how to drop administrator privileges? Achim Gratz 2012-04-26 21:33 ` Charles Wilson 2012-04-27 5:50 ` Achim Gratz 2012-04-27 7:35 ` Achim Gratz 2012-04-27 8:20 ` Corinna Vinschen 2012-04-27 14:43 ` Charles Wilson 2013-05-29 12:35 ` Achim Gratz 2013-05-31 2:51 ` Charles Wilson 2012-04-30 16:40 ` Christian Franke
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).