Mailing-List: contact cygwin-developers-help AT sourceware DOT cygnus DOT com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-developers-owner AT sources DOT redhat DOT com Delivered-To: mailing list cygwin-developers AT sources DOT redhat DOT com Message-ID: From: "Parker, Ron" To: cygdev Subject: RE: New subdirectory in winsup Date: Mon, 7 May 2001 11:56:02 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain > Then be sure to have an account with the SE_TCB_NAME "Act as part > of the operating system" privilege active since it's needed to > be able to contact the LSA subsystem which manages the user > authentication in NT/W2K. That right is by default only given to > LocalSystem. That's of course no advice to always create such an > account but it's only for testing purposes! Am I understanding properly that this privilege must be added to the user's log in account? If so, it seems to me that this would possibly introduce some further security issues. A few years ago I created an "su" program that I use for various purposes on Windows NT/2000. It has a service that is run under an account that has that privilege and a few others. The service is an OLE server and can be called from any application with a user's name and password as well as the name of a program to be executed. The service then impersonates the requested user and executes the application. This avoids giving the user's account a privilege that IMO is dangerous. I would recommend incorporating such functionality into a daemon like what I understand Egor was working on. I have one question. Has anyone figured out a way in Windows to allow root to "su username" without knowing the users password?