* sec_helper.cc (set_cygwin_privileges): Enable SE_DEBUG_PRIVILEGE, if

available. Add comments.
2010-04-15 17:17:59 +00:00 · 2010-04-15 17:17:59 +00:00 · b873ce0686
parent f77f01db65
commit b873ce0686
2 changed files with 15 additions and 0 deletions
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@ -1,3 +1,8 @@
+2010-04-15  Corinna Vinschen  <corinna@vinschen.de>
+
+	* sec_helper.cc (set_cygwin_privileges): Enable SE_DEBUG_PRIVILEGE, if
+	available.  Add comments.
+
 2010-04-13  Corinna Vinschen  <corinna@vinschen.de>

 	* fhandler_socket.cc (get_inet_addr): Only test the file for being a
--- a/winsup/cygwin/sec_helper.cc
+++ b/winsup/cygwin/sec_helper.cc
@ -425,8 +425,18 @@ out:
 void
 set_cygwin_privileges (HANDLE token)
 {
+  /* Setting these rights at process startup allows processes running under
+     user tokens which are in the administrstors group to have root-like
+     permissions. */
+  /* Allow to access all files, independent of their ACL settings. */
  set_privilege (token, SE_RESTORE_PRIVILEGE, true);
  set_privilege (token, SE_BACKUP_PRIVILEGE, true);
+  /* Allow full access to other user's processes. */
+  set_privilege (token, SE_DEBUG_PRIVILEGE, true);
+  /* Allow to create global shared memory.  This shouldn't be required since
+     Cygwin 1.7.  It uses its own subdirectories in the global NT namespace
+     which isn't affected by the SE_CREATE_GLOBAL_PRIVILEGE restriction.
+     Anyway, better safe than sorry. */
  if (wincap.has_create_global_privilege ())
    set_privilege (token, SE_CREATE_GLOBAL_PRIVILEGE, true);
 }