From b873ce06860d4ec631c9135dabdea2b6b4446d6e Mon Sep 17 00:00:00 2001
From: Corinna Vinschen
Date: Thu, 15 Apr 2010 17:17:59 +0000
Subject: [PATCH] * sec_helper.cc (set_cygwin_privileges): Enable SE_DEBUG_PRIVILEGE, if available. Add comments.
---
 winsup/cygwin/ChangeLog | 5 +++++
 winsup/cygwin/sec_helper.cc | 10 ++++++++++
 2 files changed, 15 insertions(+)
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 305660f6e..14fb8d4d1 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,8 @@
+2010-04-15 Corinna Vinschen
+
+ * sec_helper.cc (set_cygwin_privileges): Enable SE_DEBUG_PRIVILEGE, if
+ available. Add comments.
+
 2010-04-13 Corinna Vinschen
 * fhandler_socket.cc (get_inet_addr): Only test the file for being a
diff --git a/winsup/cygwin/sec_helper.cc b/winsup/cygwin/sec_helper.cc
index dc7b89fba..cab2feddb 100644
--- a/winsup/cygwin/sec_helper.cc
+++ b/winsup/cygwin/sec_helper.cc
@@ -425,8 +425,18 @@ out:
 void
 set_cygwin_privileges (HANDLE token)
 {
+ /* Setting these rights at process startup allows processes running under
+ user tokens which are in the administrstors group to have root-like
+ permissions. */
+ /* Allow to access all files, independent of their ACL settings. */
 set_privilege (token, SE_RESTORE_PRIVILEGE, true);
 set_privilege (token, SE_BACKUP_PRIVILEGE, true);
+ /* Allow full access to other user's processes. */
+ set_privilege (token, SE_DEBUG_PRIVILEGE, true);
+ /* Allow to create global shared memory. This shouldn't be required since
+ Cygwin 1.7. It uses its own subdirectories in the global NT namespace
+ which isn't affected by the SE_CREATE_GLOBAL_PRIVILEGE restriction.
+ Anyway, better safe than sorry. */
 if (wincap.has_create_global_privilege ())
 set_privilege (token, SE_CREATE_GLOBAL_PRIVILEGE, true);
 }
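Review bot: The added `set_privilege (token, SE_DEBUG_PRIVILEGE, true);` in set_cygwin_privileges switches the privilege on for the whole lifetime of every process whose token holds it, and the one-line comment above it says neither which Cygwin feature needs it nor what it costs. With SeDebugPrivilege enabled a process can open nearly any other process, system services included, regardless of that process's security descriptor, so a flaw in any Cygwin program run from an administrator account gains that reach; the enabled state is presumably also carried into child processes through the inherited token. I would either enable it only around the calls that actually need it (they are not visible in this hunk) or record the trade-off in the comment, for example `/* Allow full access to other users' processes, system processes included. Enabled process-wide: all code in this process gets it. */`. The new block comment also misspells `administrators` as `administrstors`. Expect host monitoring that alerts on SeDebugPrivilege being enabled to flag Cygwin processes started under administrator tokens after this change.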