Request for help debugging screen problem

Corinna Vinschen corinna-cygwin@cygwin.com
Sat Feb 6 10:59:00 GMT 2010


On Feb  5 16:48, Shaddy Baddah wrote:
> On 5/02/2010 4:38 PM, Corinna Vinschen wrote:
> >On Feb  5 16:23, Shaddy Baddah wrote:
> >>To open a handle to another local process and obtain full access
> >>rights, you must enable the SeDebugPrivilege privilege. For more
> >>information, see Changing Privileges in a Token.
> >
> >I'm not sure.
> >
> >>Would this be in the user token? How can I list which privileges are
> >>contained in the token for the mintty session and the ssh session?
> >
> >http://cygwin.de/gettokinfo/gettokinfo.cc
> 
> Thanks for that. I compiled it (using gcc-3. Doesn't compile with
> gcc-4) and ran it. If anything, the ssh session has one more item in
> DefaultDacl and SecurityDescriptor. But I haven't grasped the
> concepts yet. And it's getting v. late here in +1100 zone, so I'll
> have to have a look at the next opportunity.

The DefaultDacl and SecurityDescriptor shouldn't make a difference.
Btw., if you give an arbitrary argumented to gettokinfo, as in

  $ gettokinfo 1

you also get the full list of user privileges.

However, tonight (no, this is *not* funny anymore) it occured to me what
the problem is.

It's not the debug privilege.

It's Session Isolation.

Up to Windows 2003, the desktop and the services are running in the same
session 0.  Starting with Windows Vista, only the service processes are
still running in session 0, while all other sessions including the local
desktop are running in other sessions.  Non-admin users and restricted
(not-elevated) admin users have no right to penetrate the session
barrier.  That's the reason the OpenProcess fails with
ERROR_ACCESS_DENIED.

However, this shouldn't be the case for cygrunsrv if it's running in
session 0 under the SYSTEM account.  The system user should have
permission to break the session barrier.  What problem occurs in
cygrunsrv exactly when it's running?

I'd still prefer to get this all working without cygrunsrv, but the
current method using OpenProcess is impossible in that scenario.  We
have to find some other method.  In the menatime it would help to learn
why the method using cygrunsrv fails.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat



More information about the Cygwin-developers mailing list