Mail Archives: cygwin-developers/2001/05/07/12:57:42

Mailing-List: contact cygwin-developers-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-developers-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin-developers/>
List-Post: <mailto:cygwin-developers AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-developers-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-developers-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin-developers AT sources DOT redhat DOT com
Message-ID: <E94FF01DFF6CD31186F4080009DC36150202859D@nttwr2.tower.bldgs.butlermfg.org>
From: "Parker, Ron" <rdparker AT butlermfg DOT com>
To: cygdev <cygwin-developers AT cygwin DOT com>
Subject: RE: New subdirectory in winsup
Date: Mon, 7 May 2001 11:56:02 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)

> Then be sure to have an account with the SE_TCB_NAME "Act as part
> of the operating system" privilege active since it's needed to
> be able to contact the LSA subsystem which manages the user
> authentication in NT/W2K. That right is by default only given to
> LocalSystem. That's of course no advice to always create such an
> account but it's only for testing purposes!

Am I understanding properly that this privilege must be added to the user's
login account?  If so, it seems to me that this would possibly introduce
some further security issues.

A few years ago I created an "su" program that I use for various purposes on
Windows NT/2000.  It has a service that is run under an account that has
that privilege and a few others.  The service is an OLE server and can be
called from any application with a user's name and password as well as the
name of a program to be executed.  The service then impersonates the
requested user and executes the application.  This avoids giving the user's
account a privilege that IMO is dangerous.

I would recommend incorporating such functionality into a daemon like what I
understand Egor was working on.

I have one question.  Has anyone figured out a way in Windows to allow root
to "su username" without knowing the user's password?
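The quoted text above says SE_TCB_NAME ("Act as part of the operating system") is normally held only by LocalSystem, and the reply argues that handing it to ordinary login accounts is dangerous. An added example, not code from the original thread or from Cygwin, that audits which accounts actually hold that right on a local machine: it exports the user-rights area of the local security policy with secedit and resolves the SIDs listed for SeTcbPrivilege. It assumes it is run from an elevated PowerShell prompt, since secedit needs administrative rights.

```powershell
# Added audit helper (not part of the original post). Lists the accounts that
# hold SeTcbPrivilege, i.e. "Act as part of the operating system".
# Assumption: run elevated; secedit refuses to export policy otherwise.

function Get-TcbPrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
    # Export only the User Rights Assignment area of the local policy.
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed (not elevated?)' }
    try {
        # The exported .inf has a [Privilege Rights] section with lines such as
        #   SeTcbPrivilege = *S-1-5-21-...-1001,*S-1-5-80-...
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeTcbPrivilege\s*=' }
        # No explicit line means nobody is assigned it via policy; LocalSystem
        # still has it inherently, which matches the behaviour described above.
        if (-not $line) { return @() }
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            if ($entry.StartsWith('*')) {
                # "*S-1-5-..." is a SID; translate it to DOMAIN\name when possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $entry }   # orphaned SID (deleted account): report it raw
            } else {
                $entry             # already an account name
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Any interactive user account in this list is the situation the reply warns
# about: that account can drive LSA logon functions directly.
Get-TcbPrivilegeHolders
```

An empty result means the right is only held by the built-in LocalSystem identity; anything else is worth reviewing against the "privileged service does the impersonation" design the message recommends.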
