This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Running as root


On Wed, 21 Jun 2006, Stephen Grant Brown wrote:

> Hi All
> ----- Original Message -----
> From: "Igor Peshansky" <pechtcha@XX.XXX.XXX>
> To: "Stephen Grant Brown" <s_g_brown@XXXX.XXX.XX>
> Cc: <cygwin@XXXXXX.XXX>

<http://cygwin.com/acronyms/#PCYMTNQREAIYR> (yes, even your own).  Let's
not feed the spammers any more than we have to.

> Sent: Sunday, June 18, 2006 3:56 AM
> Subject: Re: Running as root
>
> > On Sat, 17 Jun 2006, Stephen Grant Brown wrote:
> > > Hi There
> > >
> > > I would like to run programs as root, which means the userid and
> > > group need to be set to 0, and the name needs to = root.
> > >
> > > I have looked through the ntsec.html document and I afraid it is too
> > > complicated for me to understand.
> > >
> > > Can somebody explain how to do this to me in a more simplified
> > > format please?
> >
> > That depends on what you want to do.  If you are sure your login
> > account

> I want to run backup and restore programs, and also a program which will
> tell me which files have changed to make a program stop working.

Let's start with the concrete programs you have in mind.  How do you even
know they'll run under Cygwin?  If they are not Cygwin programs, setting
up a root account in Cygwin would be useless.  What makes you think they
require being root to run them?

> > has enough privileges, and you simply have a program that non-portably

> How do I determine if my login account has enoungh priverledges?

Umm, trying to run the actual programs and succeeding should be a good
enough indicator.

> I know my default login account of stephen does not have a uid and gid
> of 0.  I cannot login to administrator.

Having a UID of 0 is not going to get you more privileges (just like
calling yourself John Howard won't make you the prime minister).  As the
NTSEC page explains, the UID is a Cygwin thing, whereas the privileges are
determined by Windows.  That's why I suggested first trying to run the
programs.

> > checks whether you're running as root (and you don't have the ability
> > to properly fix the program), you can read the following section of
> > the above document:
> > <http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-sids>.  It
>
> The third line of the above reference reads
>
> Both files may now contain SIDs of users and groups. They are saved in
> the last field of pw_gecos in /etc/passwd and in the gr_passwd field in
> /etc/group.
>
> What is a SID?
> What is pw_gecos?
>
> Typing "man -a passwd" does not tell the fields in the /etc/passwd

Before you go to the trouble of learning about the /etc/passwd file, find
out if all this is even needed for you to run the programs you want.

If it turns out that the programs you want are broken and check
specifically for a UID of 0 before they can run, you can go on with the
root account setup, as described below.

The first part of the NTSEC page talks about what SID is, so I'm not going
to bother reproducing that here.  Just read
<http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-common>.

As for finding out what pw_gecos (and the structure of /etc/passwd) is,
did you try Google?  Searching for "man /etc/passwd" turns up lots of
useful links.

> > also helps to know that it's ok to have multiple entries in the passwd
> > file for the same user -- forward lookups by SID find the first entry
> > with that SID, and reverse lookups by user will find any entry with
> > that username/userid.  So you can simply add an entry for
> > "root::0:513:YOURSID:...", and make sure it precedes the actual entry
> > for
>
> What is the rest of this "root::0:513:..." line?

As mentioned on the NTSEC page, the rest of the "root::0:513:..." line is
identical to the line that corresponds to your userid.  Simply copy the
line that starts with your userid (to some line above it), change your
userid to "root" in that new line, then change the UID field (after the
second ':') to 0, and voila!  You can leave in the "unused_by_nt/2000/xp"
in the password field as-is, or delete it -- doesn't matter, since it
really is unused.

> > your account, and any program checking your effective userid (e.g.,
> > "id") will show you as "root" with UID of 0.
> >
> > If you really do need to do root'y stuff, e.g., switch user contexts,
> > etc, then read
> > <http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-switch> and Google
> > for "SYSTEM-owned bash shell" to see how to start processes as SYSTEM
> > (sshd doesn't let you switch to SYSTEM, unfortunately, unless you use
> > public key authentication, as you normally don't know and have no
> > control over the password for SYSTEM).
>
> Thanks for your understanding. I am still finding a lot of this advice
> too complicated for my simple brain.

If you want to do something more complex than fooling a broken program
into thinking that you're root, you might need to learn more about how
Windows privileges work.  Google, as always, is your friend, and
discussion like this is probably off-topic for this list.

HTH,
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_	    pechtcha@cs.nyu.edu | igor@watson.ibm.com
ZZZzz /,`.-'`'    -.  ;-;;,_		Igor Peshansky, Ph.D. (name changed!)
     |,4-  ) )-,_. ,\ (  `'-'		old name: Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends compte."
"But no -- you are no fool; you call yourself a fool, there's proof enough in
that!" -- Rostand, "Cyrano de Bergerac"

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]