Mail Archives: cygwin/2008/11/13/18:49:02

To: cygwin AT cygwin DOT com
From: Herb Maeder <maeder-cygml AT maeder DOT org>
In-reply-to: Corinna Vinschen <corinna-cygwin@cygwin.com> 's message of Thu, 13 Nov 2008 14:57:20 +0100.
Subject: Re: sshd on vista error "initgroups: Permission denied" (cygwin-1.7)
Date: Thu, 13 Nov 2008 15:48:03 -0800
Message-ID: <8140.1226620083@maeder.org>

On 13 Nov 2008 14:57:20 +0100, Corinna Vinschen wrote:
> On Nov 13 11:35, Corinna Vinschen wrote:
> > On Nov 12 16:57, Herb Maeder wrote:
> > > Bum deal.  But thanks for the explanation.  That clarifies what I was
> > > seeing.
> > 
> > Actually there is a way to elevate a console application which is the
> > manifest file.  Unfortunately this only works for executables, not for
> > scripts.
> > 
> > I didn't try it myself, but maybe something like this works:
> > 
> >   $ cd /bin
> >   $ cp bash.exe bash-elevated.exe
> >   $ sed 's/nstall\.exe/bash-elevated.exe/g' < install.exe > bash-elevated.exe.manifest
> >   $ sed '1s/bash/bash-elevated/' < ssh-host-config > ssh-host-config-elevated
> >   $ ssh-host-config-elevated
> > 
> > Sometimes adding a manifest file to an executable doesn't work immediately
> > due to some caching in Windows but basically this should work.
> 
> On second thought, this can't work.  The manifest file starts the
> application with an execution level of "asInvoker" which means *not*
> elevated.  Even if you change this to elevated (I don't know the right
> level string for this off hand), the problem that you won't get an
> elevation prompt when a process gets started through CreateProcess
> remains the same.  Too bad.  The manifests work in one direction, but
> they don't in the other.  Baeh.

Yeah, I think that corresponds to what I found... there's no way to
elevate a command without somehow firing off another application like a
separate cmd window.

Along similar lines, I tried to "cp /bin/bash.exe /bin/bash-elev.exe",
then set bash-elev to run as administrator, with Right Click -> Properties ->
Compatibility then check the "Run this program as an administrator" box.
There was no love when invoking bash-elev.exe directly from a bash command
line, but invoking it via a cmd shell did the trick.

The best I was able to do was to create an "elev.sh" script like this:

    #!/bin/bash
    eval 'cmd /c bash-elev -c '\'${1+"$@"}\'''

I know that the quoting is not quite right to deal with all possible
arguments correctly, but it should be good enough to fire off some generic
elevated commands.

For example:

    elev.sh /bin/ssh-host-config -y

or even something like this will work:

    elev.sh "/bin/bash somescript.sh \"a b\" c > out; sleep 4"

If elev.sh is called from an already elevated bash shell (run with "Run as
administrator"), then there will be no UAC prompt and the output will
appear normally in the shell.  But if the invoking shell is not elevated,
then it will display the UAC prompt, and fire off a separate cmd shell
window.  The bummer is that for normal commands, any output will be
displayed in the new cmd window, which will exit immediately (i.e. user
won't see the output).  Though it is possible to redirect the output to
a file.

Still, even with these drawbacks, something like this might be useful for
us in ssh-host-config.  If the invoking shell is already elevated, things
will pretty much work the way they do now.  But if it is invoked from a
normal shell, the user would get prompted to elevate, and then the
ssh-host-config queries and input would happen in a different cmd window.
Not great, but still better than just exiting with an error (or, worse, 
trying to continue with insufficient privileges).

Herb.
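
The message notes that the quoting in elev.sh does not handle all arguments; because the string is re-parsed by an elevated bash, an argument containing quotes or `;` could be read as shell syntax. The following is an added example, not code from the original message or from Cygwin: it shows one way to quote each argument so the `bash -c` re-parse yields the original argument list, and to skip the extra hop when the shell is already elevated. The function names are hypothetical, gid 544 as the marker for an elevated Administrators token is an assumption, and cmd.exe's own parsing of the string is not covered.

```shell
#!/bin/sh
# Added example, not code from the original message.

# shquote ARG: print ARG as one single-quoted shell word. Each embedded '
# becomes '\'' and a sentinel "x" keeps trailing newlines alive through $(...).
shquote() {
    q=$(printf '%sx' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${q%x}"
}

# quote_argv ARGS...: join the quoted words into one string that a later
# `bash -c STRING` or `eval STRING` parses back into exactly ARGS.
quote_argv() {
    out=
    for a in "$@"; do
        out="$out${out:+ }$(shquote "$a")"
    done
    printf '%s' "$out"
}

# has_admin_group GIDS: succeed if a list as printed by `id -G` contains 544.
# Assumption: gid 544 is how Cygwin shows BUILTIN\Administrators (S-1-5-32-544)
# in an elevated token.
has_admin_group() {
    case " $1 " in
        *" 544 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# elev_plan GIDS ARGS...: print "direct" when already elevated, otherwise the
# string to hand to `bash-elev -c` (bash-elev is the copy from the message).
elev_plan() {
    gids=$1
    shift
    if has_admin_group "$gids"; then
        printf 'direct'
    else
        quote_argv "$@"
    fi
}

# Constructed sample: hostile-looking arguments stay data, not syntax.
elev_plan "1000 545" /bin/echo "a b" "it's; touch /tmp/x" '$(id)'
echo
```

In a real wrapper the first argument to `elev_plan` would be `"$(id -G)"`.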
