X-Spam-Check-By: sourceware.org
To: cygwin AT cygwin DOT com
From: "Joe Smith" <unknown_kev_cat AT hotmail DOT com>
Subject:  Re: 'su' no longer working?
Date:  Fri, 6 Jan 2006 00:07:37 -0500
Lines: 49
Message-ID: <dpktus$nom$1@sea.gmane.org>
References:  <Pine DOT GSO DOT 4 DOT 63 DOT 0601051732360 DOT 5388 AT slinky DOT cs DOT nyu DOT edu> <43BDF429 DOT 5050206 AT byu DOT net>
Mime-Version:  1.0
Content-Type:  text/plain; 	format=flowed; 	charset="iso-8859-1"; 	reply-type=original
Content-Transfer-Encoding:  7bit
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com


"Eric Blake" <ebb9 AT byu DOT net> wrote in message 
news:43BDF429 DOT 5050206 AT byu DOT net...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> According to Igor Peshansky on 1/5/2006 3:37 PM:
>> Hi,
>>
>> 'su' used to be an executable that worked correctly from a SYSTEM-owned
>> shell, but now it's a shell script that simply prints a "not supported"
>> message.  Is it possible to resurrect the old "su" executable (that
>> perhaps prints the same message if run from a non-SYSTEM account)?
>
> Coreutils certainly builds an su executable, but the cygwin distro of su
> has been a script since at least 5.2.1 when Corinna was the maintainer; I
> only enhanced the script to be a little more useful.  I'll see what I can
> do about getting the executable built and running, but no promise on a
> timeline; is there any easy run-time test as to whether the current user
> is SYSTEM and should try to perform user switching, vs. normal users to
> print a warning message that su is relatively useless under cygwin/Windows
> semantics?


Well just check that the app has appropriate priveleges.
(Only the app actually needs them, the user running the app does not 
nessisaryally need them)

For passworded user switching:
SE_ASSIGNPRIMARYTOKEN_NAME &&
SE_INCREASE_QUOTA_NAME &&
SE_TCB_NAME

For passwordless user switching:
SE_CREATE_TOKEN_NAME &&
SE_ASSIGNPRIMARYTOKEN_NAME &&
SE_INCREASE_QUOTA_NAME


This is all documented in:
http://cygwin.com/cygwin-ug-net/ntsec.html


You should not cripple to program to being usable only on the system 
account.
It is very much possible to give a user those privleges, and easy on XP pro 
via the group policy editor (according to microsoft. I've never tried it.)





--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/