winsymlinks:nativestrict and Windows 10

winsymlinks:nativestrict and Windows 10

[Andrey Repin]

Greetings, All!

Can someone shed some light, please?
It's not a secret that in earlier Windows versions members of Administrators
group require elevated shell to create symlinks.
Win10 is supposed to be easier, but all I've found was pointing to some
obscure "developer mode".
I wonder if it is possible to add some permission to the account instead and
call it a day?


-- 
With best regards,
Andrey Repin
Tuesday, March 19, 2019 15:19:34

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: winsymlinks:nativestrict and Windows 10

[LRN]

[-- Attachment #1.1: Type: text/plain, Size: 1980 bytes --]

On 19.03.2019 15:23, Andrey Repin wrote:
> It's not a secret that in earlier Windows versions members of Administrators
> group require elevated shell to create symlinks.
> Win10 is supposed to be easier, but all I've found was pointing to some
> obscure "developer mode".

Newer Windows 10 added a feature where passing a certain flag
(SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE) to a W32 API function that
creates symlink (CreateSymbolicLinkW) allows you to create symlinks without
being Administrator.

This flag only works if you put Windows into developer mode (you can toggle
this in Settings->Update & Security->For developers).

Newer versions of Cygwin know about this flag, and will always try to use it.

Ironically, some programs built into Windows do *not* use this flag, and will
continue to fail to create symlinks. Similarly, old versions of Cygwin or,
really, any Windows (MinGW/MSVC) program that does symlinks, will not be able
to use it, since they are not passing that flag. Any program that uses Cygwin
runtime will automatically benefit from this feature if Cygwin runtime itself
is new enough, since programs built against Cygwin just call `symlink()` and
don't have to know anything about implementation details.

> I wonder if it is possible to add some permission to the account instead and
> call it a day?
> 

Devmode + SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE is the only way to
create symlinks without being Administrator (that i know of). You can't just
give some extra privileges to your non-administrator account. I know, i've tried.

Do note that this still doesn't fix the fundamental problem of NTFS symlinks
being either files or directories, but not both at the same time, unlike
symlink on other filesystems that have "dynamic" type and thus can be files or
directories depending on what they are pointing to at any given moment. But you
must already know what, since you're using nativestrict.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: winsymlinks:nativestrict and Windows 10

[Frank Redeker]

Am 19.03.2019 um 15:23 schrieb LRN:
> ... SNIP ...
> 
> Devmode + SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE is the only way to
> create symlinks without being Administrator (that i know of). You can't just
> give some extra privileges to your non-administrator account. I know, i've tried.

On Windows 10 Pro (1809) this works for me for with a non-administrator
account.

I just added the SeCreateSymbolicLinkPrivilege to my normal user account
and was able to use mklink without any problems.


Frank

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: winsymlinks:nativestrict and Windows 10

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 1174 bytes --]

On Mar 19 16:16, Frank Redeker wrote:
> Am 19.03.2019 um 15:23 schrieb LRN:
> > ... SNIP ...
> > 
> > Devmode + SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE is the only way to
> > create symlinks without being Administrator (that i know of). You can't just
> > give some extra privileges to your non-administrator account. I know, i've tried.
> 
> On Windows 10 Pro (1809) this works for me for with a non-administrator
> account.
> 
> I just added the SeCreateSymbolicLinkPrivilege to my normal user account
> and was able to use mklink without any problems.

This is indeed a solution since the permission to create native symlinks
is coupled to this privilege and the Administrators group is the only
one having this privilege by default.  Unfortunately not everyone has
the luxury to enable this privilege for the own account (domain users).

Btw, there is another restriction with native symlinks, independent from
user privileges,  which is pretty puzzeling at first:

https://blogs.msdn.microsoft.com/junfeng/2012/05/07/the-symbolic-link-cannot-be-followed-because-its-type-is-disabled/


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: winsymlinks:nativestrict and Windows 10

[Andrey Repin]

Greetings, LRN!

> On 19.03.2019 15:23, Andrey Repin wrote:
>> It's not a secret that in earlier Windows versions members of Administrators
>> group require elevated shell to create symlinks.
>> Win10 is supposed to be easier, but all I've found was pointing to some
>> obscure "developer mode".

> Newer Windows 10 added a feature where passing a certain flag
> (SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE) to a W32 API function that
> creates symlink (CreateSymbolicLinkW) allows you to create symlinks without
> being Administrator.

> This flag only works if you put Windows into developer mode (you can toggle
> this in Settings->Update & Security->For developers).

> Newer versions of Cygwin know about this flag, and will always try to use it.

> Ironically, some programs built into Windows do *not* use this flag, and will
> continue to fail to create symlinks. Similarly, old versions of Cygwin or,
> really, any Windows (MinGW/MSVC) program that does symlinks, will not be able
> to use it, since they are not passing that flag. Any program that uses Cygwin
> runtime will automatically benefit from this feature if Cygwin runtime itself
> is new enough, since programs built against Cygwin just call `symlink()` and
> don't have to know anything about implementation details.

>> I wonder if it is possible to add some permission to the account instead and
>> call it a day?
>> 

> Devmode + SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE is the only way to
> create symlinks without being Administrator (that i know of). You can't just
> give some extra privileges to your non-administrator account. I know, i've tried.

> Do note that this still doesn't fix the fundamental problem of NTFS symlinks
> being either files or directories, but not both at the same time, unlike
> symlink on other filesystems that have "dynamic" type and thus can be files or
> directories depending on what they are pointing to at any given moment. But you
> must already know what, since you're using nativestrict.

It's even worse than that. Windows 10 fully resolves symlinks BEFORE passing
them to any application.
Say, you want to start X:\Y\z which is a symlink to A:\B\c.
On Win7, the command line will be X:\Y\z
On Win10, it will be A:\B\c. All relative paths inside program will be
relative to "A:\B".
No way to have program mode switching by name, like it is often seen in *NIX.
This shit completely ruined my setup.


-- 
With best regards,
Andrey Repin
Tuesday, March 19, 2019 19:59:00

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple