Re: [PATCH setup] Add new option --chown-admin

public inbox for cygwin-apps@cygwin.com
 help / color / mirror / Atom feed

From: Christian Franke <Christian.Franke@t-online.de>
To: "cygwin-apps@cygwin.com" <cygwin-apps@cygwin.com>
Subject: Re: [PATCH setup] Add new option --chown-admin
Date: Wed, 6 Jul 2022 18:34:58 +0200	[thread overview]
Message-ID: <e7e0a117-1f85-a59c-5654-010652be5044@t-online.de> (raw)
In-Reply-To: <405df5c6-ce47-0254-ae4d-4a23ff3533d5@dronecode.org.uk>

Jon Turney wrote:
> On 06/07/2022 08:14, Christian Franke wrote:
>> If an installer is run elevated, the installed files will be 
>> typically owned by the local administrator (or in some cases SYSTEM 
>> or TrustedInstaller) instead of the current user. This is not the 
>> case for a Cygwin "All Users" installation. The files are then not 
>> protected from 
>
> ... instead the files are owned by the user running setup?

Yes, because the TokenUser is unconditionally copied to TokenOwner. Some 
research with 'git blame' shows that many parts of the related code are 
from the early days of UAC and elevated processes (Vista 2006, Win7 
2009). Things may have changed since then, I don't know (or remember).

If a process is run elevated, Windows keeps TokenUser unchanged but sets 
the TokenOwner to local administrator. The --chown-admin option simply 
keeps this as is, so no actual chown() is needed later. The 
TokenPrimaryGroup is not changed by Windows, therefore --chown-admin 
calls setAdminGroup() to mimic the usual "root root" ownership.

Typical simple installers leave everything as is, so the installed files 
are owned by local adminstrator and group "None" (S-1-5-21-*-513), see 
'ls -l "$PROGRAMFILES"'.

>> accidental changes by this user.
>>
>> The attached patch adds an experimental --chown-admin option which 
>> allows (new) installations owned by local administrator user and group.
>
> Thanks for the patch, but...
>
>> A drawback is that files generated by postinstall scripts are still 
>> owned by current user + "None" group. It should be possible to fix 
>> this with some perpetual preremove+postinstall scripts.
>>
>> I also don't know whether this may break some postinstall scripts.
>>
>> BTW: 'nt_sec.setDefaultSecurity (isAdmin)' is never called with 
>> 'isAdmin==true' as 'root_scope' is always 0.
>
> root_scope is set later, by the "Install For" option on the "Select 
> Root Install Directory" page.
>
> To me, this looks like a (very long standing) bug that we shouldn't be 
> calling setAdminGroup() here, but after root_scope has been set.

If this bug is very old, I'm not sure whether this should be fixed. 
Setting admin group to files which are owned "only" by current user is 
possibly not very effective.

next prev parent reply	other threads:[~2022-07-06 16:35 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-07-06  7:14 Christian Franke
2022-07-06 13:53 ` Jon Turney
2022-07-06 16:34   ` Christian Franke [this message]
2022-07-07 11:38     ` Jon Turney
2022-07-07 14:45       ` Christian Franke
2022-07-07 14:59         ` Christian Franke
     [not found]         ` <d7d51d1c-f6d5-2fac-3e6d-86714efd0734@dronecode.org.uk>
     [not found]           ` <32655945-5075-0823-2a1d-b72caa4b7791@t-online.de>
2022-07-12 12:50             ` Jon Turney
2022-08-23 15:20               ` Jon Turney
2022-08-23 17:27                 ` Christian Franke
2022-08-26 13:27                   ` Jon Turney
2022-08-26 15:02                     ` Christian Franke
2022-08-28 17:33                       ` Christian Franke
2022-09-02 13:56                         ` Jon Turney
2022-09-02 15:17                           ` Christian Franke
2022-09-15 17:45                             ` Jon Turney
2022-10-04 12:05                               ` Christian Franke
2022-11-29 21:37                                 ` Jon Turney
2022-11-30 18:49                                   ` Christian Franke

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e7e0a117-1f85-a59c-5654-010652be5044@t-online.de \
    --to=christian.franke@t-online.de \
    --cc=cygwin-apps@cygwin.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).