X-Spam-Check-By: sourceware.org
Message-ID: <44061AD0.7010005@t-online.de>
Date: Wed, 01 Mar 2006 23:06:08 +0100
From: Christian Franke <Christian DOT Franke AT t-online DOT de>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060130 SeaMonkey/1.0
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: No effect of SE_BACKUP_NAME privilege on cygwin?
References: <4405F5F9 DOT 8010708 AT t-online DOT de> <20060301205536 DOT GA11552 AT calimero DOT vinschen DOT de>
In-Reply-To: <20060301205536.GA11552@calimero.vinschen.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-ID: E68GRBZHgeD3iNSlx0d0COHlH4hLgIFpNqqNShSDkyfqEA7sLK7TsO
X-TOI-MSGID: aadca835-2049-45ba-8d68-0a04b79c0bc4
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Corinna Vinschen wrote:
> On Mar  1 20:28, Christian Franke wrote:
>   
>> Enabling SE_BACKUP_NAME has no effect for cygwin programs.
>>     
>
> You're expecting that you can use Windows functions in a POSIX
> application without disturbing the way Cygwin works.  That's a bit
> dangerous.

Agree.

(I tried to add a "regtool save ..." action to allow backup of registry 
hives from scripts.
This calls RegSaveKey which needs SE_BACKUP_NAME.)


>   A Cygwin application's main thread is not running under the
> process token, but under a derived impersonation token.  This is true
> for every thread in Cygwin.  So, instead of using OpenProcessToken, you
> should be able to accomplish what you want by calling OpenThreadToken.
>   

Yes, it works, thanks!

Already tried this before but gave up too early, because it didn't work 
in the non-cygwin version ;-)
I didn't realize that the main thread has no token by default...


> However, I'm wondering if a Cygwin application should always try by
> itself to request the SE_BACKUP_NAME privilege.  It would simplify file
> access for all privileged processes.  Hmm.
>   

Sounds reasonable.
SE_RESTORE_NAME is requested somewhere in the code, but not SE_BACKUP_NAME.

Christian


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/