About "messed up user permissions from w2k terminal session"

Igor Pechtchanski pechtcha@cs.nyu.edu
Wed Oct 8 12:52:00 GMT 2003


On Wed, 8 Oct 2003, Corinna Vinschen wrote:

> On Tue, Oct 07, 2003 at 02:17:35PM -0400, Pierre A. Humblet wrote:
> > Case solved, and we have a problem.
> > This is what James Below tells me:
> >
> > >>- Are you running on Windows 2000 or 2003?
> > > windows 2000 sp4
> >
> > > I get the same error with 1.5.3
> > So it's a Cygwin 1.5 issue with using the global name space,
> > not related to my recent changes.
> >
> > >here are the output files.
> > showing the privileges, and only the admin user who can start Cygwin has:
> >
> > SeCreateGlobalPrivilege SE_PRIVILEGE_ENABLED, SE_PRIVILEGE_ENABLED_BY_DEFAULT,
> >
> > So MS is not telling the full truth, windows 2000 sp4 is using the privilege.
> >
> > So we have a few choices:
> > 1) Roll back to using the local name space, which makes interprocess comm
> >    very difficult, or
> > 2) Require the privilege to run Cygwin from Terminal Services,
> >    or
> > 3) Use the global name space only if the user has the privilege or
> >    we are not running from TS.
>
> There's actually a problem here.  Another look into XP showed me that the
> flag doesn't exist.  OTOH, XP uses TS to implement fast user switching.
>
> FWIW, I think solution 1 is not something we should honestly discuss.
>
> The simple solution 2 means, nothing to do for us, except to create
> another FAQ entry.  Good short term solution, for sure.  But nevertheless
> we should also put the pinfo shared mem into the Global\ namespace.
>
> How do we implement 3?  A function for checking and setting privileges
> exists.  We would have to tweak it slightly to allow to recognize the
> case that a user right just doesn't exist on the system.
>
> How do we test if the session is a TS session?  Does NT provide this
> information somewhere? *dig, dig, dig*  Cool, yes, the function
> GetSystemMetrics(SM_REMOTESESSION) returns TRUE if running in a remote
> session.  It does not return TRUE if running under a service, I just
> tested it.  So 3 should be doable.
>
> Corinna

Corinna,

Does putting the value into a global namespace fail in some meaningful way
when the user doesn't have the privilege?  If so, we could first try to
set the global value, and if that didn't work, fall back to local...  My
main worry is that TS is just one case that we've discovered that has this
problem -- there may be others.
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha@cs.nyu.edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor@watson.ibm.com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton
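
The try-global-then-fall-back-to-local idea raised in this message, as an added example that is not part of the original post and is not Cygwin code. It assumes the Global\ creation fails with ERROR_ACCESS_DENIED when the privilege is missing; `create_with_fallback`, `create_fn`, `stub_create` and the object name are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define ERR_ACCESS_DENIED 5L /* numeric value of Win32 ERROR_ACCESS_DENIED */

/* Hypothetical callback: create the named object; 0 on success, else a Win32 error code. */
typedef long (*create_fn)(const char *full_name, void *ctx);

enum ns_result { NS_GLOBAL, NS_LOCAL, NS_FAILED };

/* Try Global\<base>; fall back to Local\<base> only when the failure is access-denied
   (assumed here to be how a missing SeCreateGlobalPrivilege shows up). */
enum ns_result create_with_fallback(const char *base, create_fn create, void *ctx, long *err)
{
    char name[256];
    *err = 0;
    if (strlen(base) > sizeof name - 8) return NS_FAILED; /* 7-char prefix + NUL */
    snprintf(name, sizeof name, "Global\\%s", base);
    if ((*err = create(name, ctx)) == 0) return NS_GLOBAL;
    if (*err != ERR_ACCESS_DENIED) return NS_FAILED; /* do not mask unrelated errors */
    snprintf(name, sizeof name, "Local\\%s", base);
    *err = create(name, ctx);
    return *err == 0 ? NS_LOCAL : NS_FAILED;
}

/* Constructed stand-in creator: ctx points to the error code returned for Global\ names. */
long stub_create(const char *full_name, void *ctx)
{
    return strncmp(full_name, "Global\\", 7) == 0 ? *(long *)ctx : 0;
}

#ifdef _WIN32
/* Real creator: a 4 KiB pagefile-backed section; the handle is returned through ctx. */
long create_mapping(const char *full_name, void *ctx)
{
    HANDLE h = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, 4096, full_name);
    if (h == NULL) return (long)GetLastError();
    *(HANDLE *)ctx = h;
    return 0;
}
#endif

int main(void)
{
    long err, denied = ERR_ACCESS_DENIED; /* simulate a session without the privilege */
    enum ns_result r = create_with_fallback("example-shared", stub_create, &denied, &err);
    printf("namespace=%s err=%ld\n", r == NS_GLOBAL ? "Global" : r == NS_LOCAL ? "Local" : "none", err);
    return r == NS_FAILED;
}
```

A caller that gets `NS_LOCAL` should record it: processes in other sessions will not see the object, which is the interprocess-communication cost of option 1 in the quoted list.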


