[13480] in bugtraq


Re: Graphiciizing su for NT WAS: RE: XML in IE 5.0

daemon@ATHENA.MIT.EDU (Jesper M. Johansson)
Fri Jan 21 16:28:45 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <002001bf6423$272b10f0$4d207aa8@bu.edu>
Date:         Fri, 21 Jan 2000 10:21:12 -0500
Reply-To: "Jesper M. Johansson" <jjohanss@BU.EDU>
From: "Jesper M. Johansson" <jjohanss@BU.EDU>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <15C3F2745BACD011BFCD0000F840E6D103150034@MCDC-ATL-1>

>It is possible to run 2 (or more) complete desktops as yourself and another
>user (like domain admin) with res kit utils.  Most people have mentioned the
>su included in the res kit, you just have to combine it with a desktop
>switcher like vdesk (also res kit).  Switch to another desktop, run explorer
>via su and voila a fully graphical environment (the first explorer run
>creates the desktop, and subsequent ones open file explorer windows)

There are several problems with vdesk. First, it is not terribly stable,
although for some uses, stable enough. The second problem is more
insidious:

>3. Open User Manager, select the local machine and add the following rights
>to the user who will run vdesk (normally the standard user ID).
>        1.  "Act as part of the operating system"
>        2.  "Increase quotas"
>        3.  "Replace a process level token"

If I give a regular user these rights, I have defeated much of the
rationale for running as a regular user in the first place. That's the
larger problem. I want to be able to run as a highly unprivileged user,
not one that can act as the TCB.

Jesper
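
As an added example (not part of the original post), the following sketch audits a user-rights export for accounts holding the three rights quoted above. It assumes the `[Privilege Rights]` INF layout written by `secedit /export` on later Windows versions rather than NT 4 User Manager; the account `alice`, the sample export and the expected-holder list are constructed for illustration.

```python
# Added example: flag unexpected holders of the three rights vdesk requires.
import configparser

# Rights from the quoted vdesk instructions -> Windows privilege constants.
TCB_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeIncreaseQuotaPrivilege": "Increase quotas",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}

# Assumption: holders treated as expected. Well-known SIDs for LocalSystem,
# LocalService, NetworkService and BUILTIN\Administrators.
EXPECTED = {"*S-1-5-18", "*S-1-5-19", "*S-1-5-20", "*S-1-5-32-544"}

# Constructed sample in the layout of a secedit user-rights export.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = alice
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,alice
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,alice
SeShutdownPrivilege = *S-1-5-32-544,alice
"""

def audit(inf_text, expected=EXPECTED):
    """Return {privilege: [unexpected holders]} for the three TCB-level rights."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep privilege names case-sensitive
    parser.read_string(inf_text)
    findings = {}
    if not parser.has_section("Privilege Rights"):
        return findings
    for priv in TCB_RIGHTS:
        raw = parser.get("Privilege Rights", priv, fallback="")
        holders = [h.strip() for h in raw.split(",") if h.strip()]
        extra = [h for h in holders if h not in expected]
        if extra:
            findings[priv] = extra
    return findings

if __name__ == "__main__":
    for priv, holders in audit(SAMPLE_INF).items():
        print(f"{TCB_RIGHTS[priv]} ({priv}): {', '.join(holders)}")
```

Rights outside the three listed (such as `SeShutdownPrivilege` in the sample) are deliberately ignored, so the output stays focused on accounts that can act as part of the TCB.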
