New subdirectory in winsup

Parker, Ron
Mon May 7 09:56:00 GMT 2001

> Then be sure to have an account with the SE_TCB_NAME "Act as part
> of the operating system" privilege active since it's needed to
> be able to contact the LSA subsystem which manages the user
> authentication in NT/W2K. That right is by default only given to
> LocalSystem. That's of course no advice to always create such an
> account but it's only for testing purposes!

Am I understanding properly that this privilege must be added to the user's
log in account?  If so, it seems to me that this would possibly introduce
some further security issues.

A few years ago I created an "su" program that I use for various purposes on
Windows NT/2000.  It has a service that is run under an account that has
that privilege and a few others.  The service is an OLE server and can be
called from any application with a user's name and password as well as the
name of a program to be executed.  The service then impersonates the
requested user and executes the application.  This avoids giving the user's
account a privilege that IMO is dangerous.

I would recommend incorporating such functionality into a daemon like what I
understand Egor was working on.

I have one question.  Has anyone figured out a way in Windows to allow root
to "su username" without knowing the users password?

More information about the Cygwin-developers mailing list