This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BF61E8.C12539D4 Content-Type: text/plain; charset="iso-8859-1" I'm running Win2K now, and the "run-as" command works fairly well. For most programs you have to enable this feature through the properties of a shortcut or directly on the properties of the exe. I log on as a non-privileged user, then when needed, issue a "run-as" command (right click), and run a process as a different user, in my case an admin account. The only problem is that you cannot run the shell in different user contexts. For example, if I have a privileged command window open, and a non-privileged explorer window open, I obvious cannot access restricted areas with explorer, but I can with the command prompt. However, if I issue a "start ." command from the command prompt, the resulting explorer window will revert back to a non privileged user. Not so good, but better than NT4, especially with IE5 (shiver...). NT4 had a similar command in the resource kit, but more difficult to use, called su.exe (surprise surprise). It was basically more pain than it was worth in my case. I don't think it's a terminal server offshoot, but perhaps both capabilities, terminal server and su.exe are derived from the same hacks in NT. As far as user preferences, they are handled just as UNIX would as far as I can tell. In unix, you can su in a shell and the environment is that of root, not the non priv user. Same in NT. I can't comment on disk cache or other process, however. Scott -----Original Message----- From: Darren Reed [mailto:avalonat_private] Sent: Monday, January 17, 2000 12:28 PM To: BUGTRAQat_private Subject: Re: XML in IE 5.0 In some mail from Ryan Russell, sie said: [...] > For Windows users, The MS guys gave an interesting talk at the NTBugtraq > Canada Day Party at Russ' house last year. NT2000 will include a feature that > is similar to su on unix, which will allow one to have different windows open > as different users on the same box... I believe it's an extension of the > terminal server concept. Anyway, once folks get NT2000, they should really > consider running their browsers as locked-down, non-priveledged users. > > I believe you can do the same on most modern unices now with judicious > use of su and xhost adjustments. Except that user preferences are no longer stored as being owned by *that* user (roaming profile problems anyone ?), per-user disk cache usage isn't associated with the correct user, etc. Can you really imagine 90% of Internet users being savvy enough to run a browser in an "su" window ? The other option here for M$ is to reinvent the setuid bit :-> Darren ------_=_NextPart_001_01BF61E8.C12539D4 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2448.0"> <TITLE>RE: XML in IE 5.0</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>I'm running Win2K now, and the "run-as" = command works fairly well. For most programs you have to enable = this feature through the properties of a shortcut or directly on the = properties of the exe. I log on as a non-privileged user, then = when needed, issue a "run-as" command (right click), and run = a process as a different user, in my case an admin account. The = only problem is that you cannot run the shell in different user = contexts. For example, if I have a privileged command window = open, and a non-privileged explorer window open, I obvious cannot = access restricted areas with explorer, but I can with the command = prompt. However, if I issue a "start ." command from = the command prompt, the resulting explorer window will revert back to a = non privileged user. Not so good, but better than NT4, especially = with IE5 (shiver...).</FONT></P> <P><FONT SIZE=3D2>NT4 had a similar command in the resource kit, but = more difficult to use, called su.exe (surprise surprise). = It was basically more pain than it was worth in my case. I don't = think it's a terminal server offshoot, but perhaps both capabilities, = terminal server and su.exe are derived from the same hacks in = NT.</FONT></P> <P><FONT SIZE=3D2>As far as user preferences, they are handled just as = UNIX would as far as I can tell. In unix, you can su in a shell = and the environment is that of root, not the non priv user. Same = in NT. I can't comment on disk cache or other process, = however. </FONT></P> <P><FONT SIZE=3D2>Scott</FONT> </P> <BR> <BR> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Darren Reed [<A = HREF=3D"mailto:avalonat_private">mailto:avalonat_private= </A>]</FONT> <BR><FONT SIZE=3D2>Sent: Monday, January 17, 2000 12:28 PM</FONT> <BR><FONT SIZE=3D2>To: BUGTRAQat_private</FONT> <BR><FONT SIZE=3D2>Subject: Re: XML in IE 5.0</FONT> </P> <BR> <P><FONT SIZE=3D2>In some mail from Ryan Russell, sie said:</FONT> <BR><FONT SIZE=3D2>[...]</FONT> <BR><FONT SIZE=3D2>> For Windows users, The MS guys gave an = interesting talk at the NTBugtraq</FONT> <BR><FONT SIZE=3D2>> Canada Day Party at Russ' house last = year. NT2000 will include a feature that</FONT> <BR><FONT SIZE=3D2>> is similar to su on unix, which will allow one = to have different windows open</FONT> <BR><FONT SIZE=3D2>> as different users on the same box... I believe = it's an extension of the</FONT> <BR><FONT SIZE=3D2>> terminal server concept. Anyway, once = folks get NT2000, they should really</FONT> <BR><FONT SIZE=3D2>> consider running their browsers as locked-down, = non-priveledged users.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> I believe you can do the same on most modern = unices now with judicious</FONT> <BR><FONT SIZE=3D2>> use of su and xhost adjustments.</FONT> </P> <P><FONT SIZE=3D2>Except that user preferences are no longer stored as = being owned by *that*</FONT> <BR><FONT SIZE=3D2>user (roaming profile problems anyone ?), per-user = disk cache usage isn't</FONT> <BR><FONT SIZE=3D2>associated with the correct user, etc. Can you = really imagine 90% of</FONT> <BR><FONT SIZE=3D2>Internet users being savvy enough to run a browser = in an "su" window ?</FONT> <BR><FONT SIZE=3D2>The other option here for M$ is to reinvent the = setuid bit :-></FONT> </P> <P><FONT SIZE=3D2>Darren</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BF61E8.C12539D4--
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:28:58 PDT