This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: how to drop administrator privileges?


On Apr 27 07:33, Achim Gratz wrote:
> > Charles Wilson writes:
> > > The "cygdrop.exe" utility is part of the cygutils package.
> 
> (1001)~ # cygdrop -v ls
> GetTokenInformation: error 122
> (1002)~ # cygdrop ls
> GetTokenInformation: error 122
> (1003)~ # cygdrop
> Usage: cygdrop [OPTIONS] COMMAND [ARG ...]
> 
> Group options
>   -l        Disable local administrator group [default]
> [...]

Just removing the admin group membership won't do in your scenario.  The
SE_BACKUP_NAME and SE_RESTORE_NAME privileges will still be in the
restricted token, so the process will still have permissions to do
(almost) everything with files.  What you probably want is

  cygdrop -l -p SeBackupPrivilege -p SeRestorePrivilege <command>

> Any ideas how to not get an "error 122"?

Fixing cygdrop.

  $ net helpmsg 122
  The data area passed to a system call is too small.

A quick look into the sources shows that the maximum buffer size for
the group list returned by GetTokenInformation is wrongly computed:

  max_groups = 100;
  char groups_buf[sizeof(DWORD) + max_groups * sizeof(SID_AND_ATTRIBUTES)];

The SID_AND_ATTRIBUTES structure only contains a pointer to the SID, so
what's missing is actual space for the SIDs.

But it would be better to leave that to the OS anyway:

--- origsrc/cygutils-1.4.10/src/cygdrop/cygdrop.cc	2011-04-29 05:40:49.000000000 +0200
+++ src/cygutils-1.4.10/src/cygdrop/cygdrop.cc	2012-04-27 10:14:00.444641764 +0200
@@ -317,9 +317,13 @@ main (int argc, char **argv)
     return winerror("OpenProcessToken");
 
   // Get groups.
-  char groups_buf[sizeof(DWORD) + max_groups * sizeof(SID_AND_ATTRIBUTES)];
-  TOKEN_GROUPS * groups = (TOKEN_GROUPS *)groups_buf;
   DWORD size = 0;
+  if (!GetTokenInformation (proc_token, TokenGroups, NULL, 0, &size)
+      && GetLastError () != ERROR_INSUFFICIENT_BUFFER)
+    return winerror ("GetTokenInformation");
+
+  char groups_buf[size];
+  TOKEN_GROUPS * groups = (TOKEN_GROUPS *)groups_buf;
   if (!GetTokenInformation (proc_token, TokenGroups, groups, sizeof(groups_buf), &size))
     return winerror ("GetTokenInformation");
 

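Review bot: `char groups_buf[size];` in the added lines is a variable-length array on the stack whose length comes straight from the OS, so a token with many group SIDs makes the stack frame as large as the OS says, and VLAs are only a GNU extension in C++ (this is cygdrop.cc). I would allocate the buffer on the heap, check the allocation, and pass `size` instead of `sizeof(groups_buf)` to the second call. Also, if the size query unexpectedly succeeds, `size` stays 0 and the code carries on with a zero-length array; that case should be treated as an error too.
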
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
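
The buffer arithmetic behind the error 122, as an added example that is not part of the original message or of cygutils: a portable C model (no Windows headers) of what a TokenGroups result has to hold. The structure sizes and all function names are assumptions of the model, and the computed size is a lower bound on what GetTokenInformation asks for.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of the Windows layouts (assumed from the documented structures):
   SID = 8-byte header + 4 bytes per sub-authority;
   SID_AND_ATTRIBUTES = pointer + DWORD, padded to pointer alignment. */
static size_t sid_len(unsigned sub_auths) { return 8 + 4 * (size_t)sub_auths; }
static size_t saa_size(size_t ptr) { return (ptr + 4 + ptr - 1) / ptr * ptr; }

/* Size of the fixed buffer in the original cygdrop code:
   sizeof(DWORD) + max_groups * sizeof(SID_AND_ATTRIBUTES). */
size_t fixed_buf_size(size_t max_groups, size_t ptr)
{
    return 4 + max_groups * saa_size(ptr);
}

/* Lower bound on what TokenGroups needs: GroupCount (padded), the
   SID_AND_ATTRIBUTES array, and the SID bodies the pointers refer to. */
size_t needed_size(const unsigned *sub_auths, size_t n, size_t ptr)
{
    size_t total = (4 + ptr - 1) / ptr * ptr + n * saa_size(ptr);
    for (size_t i = 0; i < n; i++)
        total += sid_len(sub_auths[i]);
    return total;
}

/* Smallest number of groups, all with the same SID shape, that no longer fits. */
size_t first_overflow(unsigned sub_auths, size_t max_groups, size_t ptr)
{
    unsigned counts[256];
    for (size_t n = 1; n <= 256; n++) {
        counts[n - 1] = sub_auths;
        if (needed_size(counts, n, ptr) > fixed_buf_size(max_groups, ptr))
            return n;
    }
    return 0; /* fits for every n tried */
}

int main(void)
{
    /* Constructed token: Everyone (S-1-1-0), the BUILTIN Users alias
       (S-1-5-32-545), and 25 domain groups of the form S-1-5-21-x-y-z-RID. */
    unsigned token[27] = { 1, 2 };
    for (int i = 2; i < 27; i++) token[i] = 5;
    printf("need %zu, have %zu\n", needed_size(token, 27, 4), fixed_buf_size(100, 4));
    printf("domain-group SIDs overflow at %zu groups\n", first_overflow(5, 100, 4));
    return 0;
}
```

With 4-byte pointers the 804-byte buffer is already too small for 23 domain groups, well below the intended limit of 100.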
