Windows 2003

Pierre A. Humblet
Fri Jul 11 14:32:00 GMT 2003

Corinna Vinschen wrote:
> On Fri, Jul 11, 2003 at 09:42:04AM -0400, Pierre A. Humblet wrote:
> > Corinna Vinschen wrote:
> > > So (still as example) what about changing this to uid 0?  Anybody
> > > who needs to run service applications with special privileges should
> > > run them under the uid 0 account.  The uid 0 account could be created
> > > by a special script started from setup or from the command line.
> > > There's nothing keeping us from creating a Windows account "root"
> > > with Admin privileges plus all these dangerous "create token",
> > > "replace token" and "act as part of the OS" privileges.  Then we
> > > could use this one for all the dirty work.
> >
> > Yep, that would work, but it forces changes to existing installations
> > (users need to update the passwd file) and all special applications
> > need to be updated at once. That's major, compared to the few 2003 sites.
> > (having 2 entries in passwd doesn't really help).
> That's not quite right.  The existing installations and tools still
> work.  The new root user would be introduced beginning with 1.5.x
> and the tools *compiled for* 1.5.x would be created with this in
> mind.  Creating the "root" account would be done by a small tool
> which would become part of the Cygwin base package.  That tool could
> even be mkpasswd.  Unfortunately there seem to be no CLI tool in
> Windows itself which allows manipulating user privileges so a script
> isn't sufficient.

My point was that switching to all the modified applications and to the 
new passwd file must occur at once. The change to passwd would be hard
to reverse, in case users decide to go back to the previous version. 
That's a new way of proceeding. With 1.5.x, new applications can be 
introduced one by one.

> > The solution I proposed in the other e-mail allows a gradual migration,
> > application by application. Once it is is place and all special applications
> > use it, we can then change mkpasswd to have the root/uid=0 entry (which
> > is an excellent idea).
> Actually I don't see a big difference since your solution also
> requires to change the tools to take advantage of the new call.

The solution I propose was meant to address Windows 2003. No change 
in /etc/passwd and no tool changes are required for that.
As a benefit, the solution allows the support of a new style of 
passwd file. The switchover can be made (or not made) on a site by site 
basis, once the relevant applications have been upgraded.

You are right that at the level of the work for us, the two approaches
are about the same. But they will feel different to the end users.


More information about the Cygwin-developers mailing list