Re: how to drop administrator privileges?
On 5/29/2013 8:18 AM, Achim Gratz wrote: Sorry for this blast from the past, but cygutils have been updated a few times and I still get the same error... has the patch not been applied or is there something else that needs fixing? No, thanks for the reminder. I completely dropped the ball on this one. The patch is now in CVS so it will be in the next release, which should be soon. -- Chuck -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: how to drop administrator privileges?
Charles Wilson cygwin at cwilson.fastmail.fm writes: On 4/27/2012 4:20 AM, Corinna Vinschen wrote: Fixing cygdrop. Thanks for the patch; I'm pretty busy this weekend but I'll try to roll out a new cygutils release Monday or so. Sorry for this blast from the past, but cygutils have been updated a few times and I still get the same error... has the patch not been applied or is there something else that needs fixing? Regards, Achim. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: how to drop administrator privileges?
Corinna Vinschen wrote: Fixing cygdrop. $ net helpmsg 122 The data area passed to a system call is too small. A quick look into the sources shows that the maximum buffer size for the group list returned by GetTokenInformation is wrongly computed: max_groups = 100; char groups_buf[sizeof(DWORD) + max_groups * sizeof(SID_AND_ATTRIBUTES)]; The SID_AND_ATTRIBUTES structure only contains a pointer to the SID, so what's missing is actual space for the SIDs. Oops. But it would be better to leave that to the OS anyway: Thanks for the patch. Works as expected. Christian -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: how to drop administrator privileges?
Charles Wilson writes: The cygdrop.exe utility is part of the cygutils package. (1001)~ # cygdrop -v ls GetTokenInformation: error 122 (1002)~ # cygdrop ls GetTokenInformation: error 122 (1003)~ # cygdrop Usage: cygdrop [OPTIONS] COMMAND [ARG ...] Group options -lDisable local administrator group [default] [...] Any ideas how to not get an error 122? Regards, Achim. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: how to drop administrator privileges?
On Apr 27 07:33, Achim Gratz wrote: Charles Wilson writes: The cygdrop.exe utility is part of the cygutils package. (1001)~ # cygdrop -v ls GetTokenInformation: error 122 (1002)~ # cygdrop ls GetTokenInformation: error 122 (1003)~ # cygdrop Usage: cygdrop [OPTIONS] COMMAND [ARG ...] Group options -lDisable local administrator group [default] [...] Just removing the admin group membership won't do in your scenario. The SE_BACKUP_NAME and SE_RESTORE_NAME privileges will still be in the restricted token, so the process will still have permissions to do (almost) everything with files. What you probably want is cygdrop -l -p SeBackupPrivilege -p SeRestorePrivilege command Any ideas how to not get an error 122? Fixing cygdrop. $ net helpmsg 122 The data area passed to a system call is too small. A quick look into the sources shows that the maximum buffer size for the group list returned by GetTokenInformation is wrongly computed: max_groups = 100; char groups_buf[sizeof(DWORD) + max_groups * sizeof(SID_AND_ATTRIBUTES)]; The SID_AND_ATTRIBUTES structure only contains a pointer to the SID, so what's missing is actual space for the SIDs. But it would be better to leave that to the OS anyway: --- origsrc/cygutils-1.4.10/src/cygdrop/cygdrop.cc 2011-04-29 05:40:49.0 +0200 +++ src/cygutils-1.4.10/src/cygdrop/cygdrop.cc 2012-04-27 10:14:00.444641764 +0200 @@ -317,9 +317,13 @@ main (int argc, char **argv) return winerror(OpenProcessToken); // Get groups. - char groups_buf[sizeof(DWORD) + max_groups * sizeof(SID_AND_ATTRIBUTES)]; - TOKEN_GROUPS * groups = (TOKEN_GROUPS *)groups_buf; DWORD size = 0; + if (!GetTokenInformation (proc_token, TokenGroups, NULL, 0, size) + GetLastError () != ERROR_INSUFFICIENT_BUFFER) +return winerror (GetTokenInformation); + + char groups_buf[size]; + TOKEN_GROUPS * groups = (TOKEN_GROUPS *)groups_buf; if (!GetTokenInformation (proc_token, TokenGroups, groups, sizeof(groups_buf), size)) return winerror (GetTokenInformation); Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Project Co-Leader cygwin AT cygwin DOT com Red Hat -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: how to drop administrator privileges?
On 4/27/2012 4:20 AM, Corinna Vinschen wrote: Fixing cygdrop. Thanks for the patch; I'm pretty busy this weekend but I'll try to roll out a new cygutils release Monday or so. If anybody wants to investigate the following over the weekend: TODO (call for patches): * Update (some?) utilities to handle unicode filenames, similar to IWAMURO Motonori's work on cygstart. Which utilities need this? mkshortcut and readshortcut probably. Any others? * unicode support in putclip/getclip (aside from the suggestion to just replace them with shell scripts that use /dev/clipboard and /dev/clipboard, which wouldn't be callable outside a cygwin shell) I'd be grateful... -- Chuck -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
how to drop administrator privileges?
I've recently had a test fail because I started it with administrator privileges (via the Administrator group). The test tried to write to a file that it set read-only before and of course as an administrator it was still able to write to it. So the test fail wasn't really that important, but I can't seem to find a way to drop administrator privileges once I have a shell opened with run as administrator. Is there a command that will shed those rights for a sub-shell? Regards, Achim. -- +[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]+ Factory and User Sound Singles for Waldorf Blofeld: http://Synth.Stromeko.net/Downloads.html#WaldorfSounds -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: how to drop administrator privileges?
On 4/26/2012 4:33 PM, Achim Gratz wrote: I've recently had a test fail because I started it with administrator privileges (via the Administrator group). The test tried to write to a file that it set read-only before and of course as an administrator it was still able to write to it. So the test fail wasn't really that important, but I can't seem to find a way to drop administrator privileges once I have a shell opened with run as administrator. Is there a command that will shed those rights for a sub-shell? The cygdrop.exe utility is part of the cygutils package. -- Chuck -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: how to drop administrator privileges?
Charles Wilson writes: The cygdrop.exe utility is part of the cygutils package. Thank you. Regards, Achim. -- +[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]+ SD adaptation for Waldorf rackAttack V1.04R1: http://Synth.Stromeko.net/Downloads.html#WaldorfSDada -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple