diff options
| -rw-r--r-- | winsup/cygwin/ChangeLog | 5 | ||||
| -rw-r--r-- | winsup/cygwin/sec_helper.cc | 10 |
2 files changed, 15 insertions, 0 deletions
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog index 305660f6e..14fb8d4d1 100644 --- a/winsup/cygwin/ChangeLog +++ b/winsup/cygwin/ChangeLog @@ -1,3 +1,8 @@ +2010-04-15 Corinna Vinschen <corinna@vinschen.de> + + * sec_helper.cc (set_cygwin_privileges): Enable SE_DEBUG_PRIVILEGE, if + available. Add comments. + 2010-04-13 Corinna Vinschen <corinna@vinschen.de> * fhandler_socket.cc (get_inet_addr): Only test the file for being a diff --git a/winsup/cygwin/sec_helper.cc b/winsup/cygwin/sec_helper.cc index dc7b89fba..cab2feddb 100644 --- a/winsup/cygwin/sec_helper.cc +++ b/winsup/cygwin/sec_helper.cc @@ -425,8 +425,18 @@ out: void set_cygwin_privileges (HANDLE token) { + /* Setting these rights at process startup allows processes running under + user tokens which are in the administrstors group to have root-like + permissions. */ + /* Allow to access all files, independent of their ACL settings. */ set_privilege (token, SE_RESTORE_PRIVILEGE, true); set_privilege (token, SE_BACKUP_PRIVILEGE, true); + /* Allow full access to other user's processes. */ + set_privilege (token, SE_DEBUG_PRIVILEGE, true); + /* Allow to create global shared memory. This shouldn't be required since + Cygwin 1.7. It uses its own subdirectories in the global NT namespace + which isn't affected by the SE_CREATE_GLOBAL_PRIVILEGE restriction. + Anyway, better safe than sorry. */ if (wincap.has_create_global_privilege ()) set_privilege (token, SE_CREATE_GLOBAL_PRIVILEGE, true); } |