Mailing-List: | contact cygwin-developers-help AT sourceware DOT cygnus DOT com; run by ezmlm |
List-Subscribe: | <mailto:cygwin-developers-subscribe AT sources DOT redhat DOT com> |
List-Archive: | <http://sources.redhat.com/ml/cygwin-developers/> |
List-Post: | <mailto:cygwin-developers AT sources DOT redhat DOT com> |
List-Help: | <mailto:cygwin-developers-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs> |
Sender: | cygwin-developers-owner AT sources DOT redhat DOT com |
Delivered-To: | mailing list cygwin-developers AT sources DOT redhat DOT com |
Message-ID: | <E94FF01DFF6CD31186F4080009DC36150202859D@nttwr2.tower.bldgs.butlermfg.org> |
From: | "Parker, Ron" <rdparker AT butlermfg DOT com> |
To: | cygdev <cygwin-developers AT cygwin DOT com> |
Subject: | RE: New subdirectory in winsup |
Date: | Mon, 7 May 2001 11:56:02 -0500 |
MIME-Version: | 1.0 |
X-Mailer: | Internet Mail Service (5.5.2653.19) |
> Then be sure to have an account with the SE_TCB_NAME "Act as part
> of the operating system" privilege active since it's needed to
> be able to contact the LSA subsystem which manages the user
> authentication in NT/W2K. That right is by default only given to
> LocalSystem. That's of course no advice to always create such an
> account but it's only for testing purposes!

Am I understanding properly that this privilege must be added to the user's login account? If so, it seems to me that this would possibly introduce some further security issues.

A few years ago I created an "su" program that I use for various purposes on Windows NT/2000. It has a service that is run under an account that has that privilege and a few others. The service is an OLE server and can be called from any application with a user's name and password as well as the name of a program to be executed. The service then impersonates the requested user and executes the application. This avoids giving the user's account a privilege that IMO is dangerous.

I would recommend incorporating such functionality into a daemon like what I understand Egor was working on.

I have one question. Has anyone figured out a way in Windows to allow root to "su username" without knowing the user's password?
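
Added example, not part of the original message or of Cygwin: a small audit that reads the user-rights export produced by `secedit /export /areas USER_RIGHTS /cfg rights.inf` and lists every principal, other than LocalSystem, that has been granted SeTcbPrivilege. The sample export, the SID and the account name `svc_su` are constructed for illustration.

```python
import configparser

# Constructed sample of a secedit user-rights export (SID and name are made up).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105,svc_su
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

LOCAL_SYSTEM = "S-1-5-18"  # the only default holder, per the quoted message


def load_inf(raw):
    """Accept str, or bytes as written by secedit (UTF-16 with a BOM)."""
    if isinstance(raw, bytes):
        enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
        raw = raw.decode(enc)
    return raw.replace("\r\n", "\n")


def tcb_holders(raw, privilege="SeTcbPrivilege", expected=(LOCAL_SYSTEM,)):
    """Return principals granted `privilege` that are not in `expected`."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # privilege names are mixed case; keep them as-is
    cp.read_string(load_inf(raw))
    if not cp.has_section("Privilege Rights"):
        return []
    value = cp["Privilege Rights"].get(privilege, "")
    # Entries are comma-separated; SIDs carry a leading '*', names do not.
    holders = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return [p for p in holders if p not in expected]


if __name__ == "__main__":
    for principal in tcb_holders(SAMPLE_INF):
        print("SeTcbPrivilege granted to:", principal)
```
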