Re: About the 'su' command

[Brian Dessent <brian at dessent dot net>]

Brian.Kelly@empireblue.com wrote:
> 
> >> Why rewrite 'su' to do those types of tricks, when 'ssh' already exists?
> 
> Uhhh - how about "script portability??"
> 
> (Which is why I predict su will "someday" be made to do this. When??
> Simple,
>  When somebody does it .... ) [ I ain't demand'in nothin from nobody ]
> 
> Brian Kelly

Microsoft has a su utility in one of their NT resource kits:


----8<----
Usage: 

su <user> "[cmdline]" [domain] [[winsta\]desktop] [options]

<user>
The first non-switch argument is the username for the new process.
This is the only required argument.

"[cmdline]"
The second non-switch argument is the command line to execute as <user>.
This argument is optional.  If it is not specified, the default command
processor specified in the environment variable %comspec% is executed.

[domain]
The third non-switch argument is the domain name for the target user.
This argument is optional.  If it is not specified, default domain
lookup will occur.  In this case the domain lookup is executed in the
following order, until the domain for the target user is found:
  Well-known, built-in, local accounts, primary domain, trusted domains
Specifying "." as the domain limits the search for the user account to
the local computer.
Not specifying a domain causes account lookup in the following order:
  Well-known, built-in, local accounts, primary domain, trusted domains.

[[winsta\]desktop]
The fourth non-switch argument is the target windowstation and desktop
for the new process.
This argument is optional.
Winsta0\Default is the user default interactive Windowstation and
desktop.
This argument can be specified with only the desktop name.  Not
specifying a windowstation name causes the process to run on the current
windowstation in the supplied desktop.  When specifying a windowstation,
the windowstation and desktop pair must be delimited as follows:     
"windowstationname\desktopname"
Not specifying any desktop for the new process causes the process to run
on the same windowstation and desktop from which SU was launched,
launching a child on the current Winsta\Desktop.


[options]
One or more option switches, also called flags, can be specified in any
order, anywhere on the command line.  All switches are optional.


-cb
Do not create new console.
If the new process is a console process, it inherits the console of the
caller.
This option should not be combined with -w when starting console
applications.  Furthermore, the password should not be supplied when
redirecting passwords when starting console applications.
This switch should not be used with redirected passwords.

-dn
Do not switch to new desktop.
If the new process is set to run on a desktop which differs from the
current desktop, the default behavior is to switch to the new desktop,
making the new desktop active and bringing it to the foreground.  This
option overrides the default and prevents switching to the new desktop.
Note that SU does not return until the new process exits, unless the -w
switch is specified.

-e
Disable environment preparation.
The parent environment is inherited. 
This option prevents preparation of the user environment for the new
process, instead causing the environment to be inherited from SU.

-l
Disable loading of the user Registry hive.
.Default is used instead.
This option prevents loading of the user Registry hive for the target
user.
If the hive happens to be loaded for the target user, the new process
behaves the same way with HKEY_CURRENT_USER that it would if -l were not
specified.  If -l is specified without -e, a user default environment is
created for the new process, as opposed to creating a user-specific
environment for the new process.

-v
Display verbose output to STDOUT (standard output).
This option displays details related to the creation of the new process.

-w
Do not wait on child.
The Registry hive remains loaded.
When this option is specified, SU does not wait for the new process to
exit before returning to the caller.  This means that SU cannot unload
the user Registry hive for the target user if a hive was loaded on
behalf of that user.
This flag should not be combined with the -cb flag when starting a
console-based application; if it is, console output is intermixed.


One of the following logon types may also be specified as an option. 
The default type is interactive.

-b
Batch
The target user must possess the SeBatchLogonRight logon type.
This logon type is not used by Microsoft, but is available for use in
custom applications.

-i
Interactive
The target user must possess the SeInteractiveLogonRight logon type.
This is the same logon type that occurs when a user physically logs onto
a computer running Windows NT Workstation or Windows NT Server.

-s
Service
The target user must possess the SeServiceLogonRight logon type.
The logon type is for service style logons performed by the service
control manager.

-n
Network
The target user must possess the SeNetworkLogonRight logon type.
This logon type is for network-style logons, such as impersonation over
named pipes or connection over shares.  Such a logon can be useful for
testing network user access to resources on the local computer.
This option is supported only on the Windows NT 4.0 platform.

----8<----

If su is needed it seems to me like one should just use MS's tool.  Am I
missing something?

Brian

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/