Date: Mon, 9 Jul 2001 07:53:04 +0200
From: Corinna Vinschen
To: cygwin
Subject: Re: I can't find command su.exe

On Sun, Jul 08, 2001 at 05:17:19PM -0400, Phillip Susi wrote:
> How is it worked out?
>
> If you just use LogonUser(), not only do you have to have the user's
> password, but you also have to have the TCB privilege, which is
> silly. Unless you have a service that runs as system and accepts logon
> requests from clients, and gives them back the token?

You're right, we would need a server process to have a real `su' solution.
We already discussed such a server process to support various features
(su, suid-bit, ipc, ...) on the cygwin-developers list but that will
need time.

The need for the TCB privilege is a problem, actually. Fortunately
Microsoft dropped the need to have the TCB privilege when calling
LogonUser in XP but that doesn't really help as long as NT and W2K
are still in use.

> I was actually thinking of writing a replacement authentication dll that
> would punt to the standard one unless a special username syntax was
> entered, something like administrator!luser, and if the administrator
> password was correct, it would log on as luser. This would be nice because
> if you installed it on a domain controller, it would handle logon requests
> from all clients in the domain, for local and remote access, not just local.

But authentication DLLs are actually running in TCB context as well.
So the process connecting the authDLL would still need that privilege,
right?

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                  mailto:cygwin AT cygwin DOT com
Red Hat, Inc.