* sec_helper.cc (set_cygwin_privileges): Enable SE_DEBUG_PRIVILEGE, if

available. Add comments.
author: Corinna Vinschen <corinna@vinschen.de> 2010-04-15 21:17:59 +0400
committer: Corinna Vinschen <corinna@vinschen.de> 2010-04-15 21:17:59 +0400
commit: b873ce06860d4ec631c9135dabdea2b6b4446d6e (patch)
tree: 54fc4a26ebee87b8d5e586434e44c026b24ef574 /winsup/cygwin/sec_helper.cc
parent: f77f01db6510b313ce0f8e089ddb13c97a04f797 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/winsup/cygwin/sec_helper.cc b/winsup/cygwin/sec_helper.cc
index dc7b89fba..cab2feddb 100644
--- a/winsup/cygwin/sec_helper.cc
+++ b/winsup/cygwin/sec_helper.cc
@@ -425,8 +425,18 @@ out:
 void
 set_cygwin_privileges (HANDLE token)
 {
+  /* Setting these rights at process startup allows processes running under
+     user tokens which are in the administrstors group to have root-like
+     permissions. */
+  /* Allow to access all files, independent of their ACL settings. */
   set_privilege (token, SE_RESTORE_PRIVILEGE, true);
   set_privilege (token, SE_BACKUP_PRIVILEGE, true);
+  /* Allow full access to other user's processes. */
+  set_privilege (token, SE_DEBUG_PRIVILEGE, true);
+  /* Allow to create global shared memory.  This shouldn't be required since
+     Cygwin 1.7.  It uses its own subdirectories in the global NT namespace
+     which isn't affected by the SE_CREATE_GLOBAL_PRIVILEGE restriction.
+     Anyway, better safe than sorry. */
   if (wincap.has_create_global_privilege ())
     set_privilege (token, SE_CREATE_GLOBAL_PRIVILEGE, true);
 }
author	Corinna Vinschen <corinna@vinschen.de>	2010-04-15 21:17:59 +0400
committer	Corinna Vinschen <corinna@vinschen.de>	2010-04-15 21:17:59 +0400
commit	b873ce06860d4ec631c9135dabdea2b6b4446d6e (patch)
tree	54fc4a26ebee87b8d5e586434e44c026b24ef574 /winsup/cygwin/sec_helper.cc
parent	f77f01db6510b313ce0f8e089ddb13c97a04f797 (diff)