Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Date: Thu, 16 Oct 2003 17:50:59 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: setreuid
Message-ID: <20031016155059.GD25076@cygbert.vinschen.de>
In-Reply-To: <20031016142337.GC5542@ata.cs.hacettepe.edu.tr>

On Thu, Oct 16, 2003 at 05:23:39PM +0300, Baurjan Ismagulov wrote:
> On Thu, Oct 16, 2003 at 13:19:29, Corinna Vinschen wrote:
> > No, that's not right.  The German term for "increase quotas" is
> > "Anpassen von Speicherkontingenten fuer einen Prozess" (at least on
> > 2003 Server).  "Erstellen eines Tokenobjekts" is German for "Create
> > a token object".
>
> Hmmm, the document you pointed to mentions "act as part of the operating
> system", "replace process level token" and "increase quotas". Now I have
> the following privileges granted:
>
> Einsetzen als Teil des Betriebssystems                ZAISAN\ibr
> Ersetzen eines Tokens auf Prozessebene                ZAISAN\ibr
> Anpassen von Speicherkontingenten für einen Prozess   Administratoren
> Erstellen eines Tokenobjekts                          -
>
> ibr is a member of Administratoren.
>
> Logout, login, tftpd. The result is: setreuid(1012, 1012) = -1 EPERM.
> This works if I grant "Erstellen eines Tokenobjekts" to ZAISAN\ibr. What
> is going on?

That's correct.  Did you read http://cygwin.com/cygwin-ug-net/ntsec.html?

Btw., if you're planning to use that account as logon account, don't
give these rights to that account.  That's very dangerous.  Start a
service under system account as inetd and let it handle the user context
switch.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                  mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
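
An added example, not part of the original message or of Cygwin: a small audit that reads the [Privilege Rights] section of a `secedit /export /areas USER_RIGHTS` file and reports which non-service principals hold the four token-related rights named in this thread. The sample export, its SIDs and the per-privilege baseline are constructed assumptions; adjust the baseline to your own policy.

```python
import re

# Internal names of the four rights from the thread (display names are localized).
# BASELINE = holders assumed acceptable here; an assumption, not a Cygwin or Windows rule.
BASELINE = {
    "SeTcbPrivilege": set(),                                       # act as part of the OS
    "SeCreateTokenPrivilege": set(),                               # create a token object
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},     # replace process level token
    "SeIncreaseQuotaPrivilege": {"S-1-5-19", "S-1-5-20", "S-1-5-32-544"},  # increase quotas
}
ALWAYS_OK = {"S-1-5-18"}  # SYSTEM, the account the reply recommends for the service

# Constructed sample export (real files are typically UTF-16; decode before parsing).
SAMPLE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1012
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1012
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeCreateTokenPrivilege = ibr
SeShutdownPrivilege = *S-1-5-32-544
"""

def risky_grants(inf_text):
    """Return {privilege: [holders]} for token rights held outside the baseline."""
    findings, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip()
        if name not in BASELINE:
            continue  # not one of the rights discussed in the thread
        # SIDs are written with a leading '*'; plain account names have none.
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        flagged = [h for h in holders if h not in BASELINE[name] | ALWAYS_OK]
        if flagged:
            findings[name] = flagged
    return findings

if __name__ == "__main__":
    for priv, holders in risky_grants(SAMPLE).items():
        print(f"{priv}: {', '.join(holders)}")
```
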