X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Fri, 27 Apr 2012 10:20:14 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: how to drop administrator privileges?
Message-ID: <20120427082014.GL25385@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <878vhiz0zw DOT fsf AT Rainer DOT invalid> <4F99BF0F DOT 9050807 AT cwilson DOT fastmail DOT fm> <8762cl67ym DOT fsf AT Rainer DOT invalid> <loom DOT 20120427T093249-85 AT post DOT gmane DOT org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <loom.20120427T093249-85@post.gmane.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Apr 27 07:33, Achim Gratz wrote:
> > Charles Wilson writes:
> > > The "cygdrop.exe" utility is part of the cygutils package.
> 
> (1001)~ # cygdrop -v ls
> GetTokenInformation: error 122
> (1002)~ # cygdrop ls
> GetTokenInformation: error 122
> (1003)~ # cygdrop
> Usage: cygdrop [OPTIONS] COMMAND [ARG ...]
> 
> Group options
>   -l        Disable local administrator group [default]
> [...]

Just removing the admin group membership won't do in your scenario.  The
SE_BACKUP_NAME and SE_RESTORE_NAME privileges will still be in the
restricted token, so the process will still have permissions to do
(almost) everything with files.  What you probably want is

  cygdrop -l -p SeBackupPrivilege -p SeRestorePrivilege <command>

> Any ideas how to not get an "error 122"?

Fixing cygdrop.

  $ net helpmsg 122
  The data area passed to a system call is too small.

A quick look into the sources shows that the maximum buffer size for
the group list returned by GetTokenInformation is wrongly computed:

  max_groups = 100;
  char groups_buf[sizeof(DWORD) + max_groups * sizeof(SID_AND_ATTRIBUTES)];

The SID_AND_ATTRIBUTES structure only contains a pointer to the SID, so
what's missing is actual space for the SIDs.

But it would be better to leave that to the OS anyway:

--- origsrc/cygutils-1.4.10/src/cygdrop/cygdrop.cc	2011-04-29 05:40:49.000000000 +0200
+++ src/cygutils-1.4.10/src/cygdrop/cygdrop.cc	2012-04-27 10:14:00.444641764 +0200
@@ -317,9 +317,13 @@ main (int argc, char **argv)
     return winerror("OpenProcessToken");
 
   // Get groups.
-  char groups_buf[sizeof(DWORD) + max_groups * sizeof(SID_AND_ATTRIBUTES)];
-  TOKEN_GROUPS * groups = (TOKEN_GROUPS *)groups_buf;
   DWORD size = 0;
+  if (!GetTokenInformation (proc_token, TokenGroups, NULL, 0, &size)
+      && GetLastError () != ERROR_INSUFFICIENT_BUFFER)
+    return winerror ("GetTokenInformation");
+
+  char groups_buf[size];
+  TOKEN_GROUPS * groups = (TOKEN_GROUPS *)groups_buf;
   if (!GetTokenInformation (proc_token, TokenGroups, groups, sizeof(groups_buf), &size))
     return winerror ("GetTokenInformation");
 

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple