public inbox for cygwin@cygwin.com
 help / color / mirror / Atom feed
* winsymlinks:nativestrict and Windows 10
@ 2019-03-19 12:35 Andrey Repin
  2019-03-19 14:23 ` LRN
  0 siblings, 1 reply; 5+ messages in thread
From: Andrey Repin @ 2019-03-19 12:35 UTC (permalink / raw)
  To: All

Greetings, All!

Can someone shed some light, please?
It's not a secret that in earlier Windows versions members of Administrators
group require elevated shell to create symlinks.
Win10 is supposed to be easier, but all I've found was pointing to some
obscure "developer mode".
I wonder if it is possible to add some permission to the account instead and
call it a day?


-- 
With best regards,
Andrey Repin
Tuesday, March 19, 2019 15:19:34

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: winsymlinks:nativestrict and Windows 10
  2019-03-19 12:35 winsymlinks:nativestrict and Windows 10 Andrey Repin
@ 2019-03-19 14:23 ` LRN
  2019-03-19 15:16   ` Frank Redeker
  2019-03-19 17:20   ` Andrey Repin
  0 siblings, 2 replies; 5+ messages in thread
From: LRN @ 2019-03-19 14:23 UTC (permalink / raw)
  To: cygwin


[-- Attachment #1.1: Type: text/plain, Size: 1980 bytes --]

On 19.03.2019 15:23, Andrey Repin wrote:
> It's not a secret that in earlier Windows versions members of Administrators
> group require elevated shell to create symlinks.
> Win10 is supposed to be easier, but all I've found was pointing to some
> obscure "developer mode".

Newer Windows 10 added a feature where passing a certain flag
(SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE) to a W32 API function that
creates symlink (CreateSymbolicLinkW) allows you to create symlinks without
being Administrator.

This flag only works if you put Windows into developer mode (you can toggle
this in Settings->Update & Security->For developers).

Newer versions of Cygwin know about this flag, and will always try to use it.

Ironically, some programs built into Windows do *not* use this flag, and will
continue to fail to create symlinks. Similarly, old versions of Cygwin or,
really, any Windows (MinGW/MSVC) program that does symlinks, will not be able
to use it, since they are not passing that flag. Any program that uses Cygwin
runtime will automatically benefit from this feature if Cygwin runtime itself
is new enough, since programs built against Cygwin just call `symlink()` and
don't have to know anything about implementation details.

> I wonder if it is possible to add some permission to the account instead and
> call it a day?
> 

Devmode + SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE is the only way to
create symlinks without being Administrator (that i know of). You can't just
give some extra privileges to your non-administrator account. I know, i've tried.

Do note that this still doesn't fix the fundamental problem of NTFS symlinks
being either files or directories, but not both at the same time, unlike
symlink on other filesystems that have "dynamic" type and thus can be files or
directories depending on what they are pointing to at any given moment. But you
must already know what, since you're using nativestrict.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: winsymlinks:nativestrict and Windows 10
  2019-03-19 14:23 ` LRN
@ 2019-03-19 15:16   ` Frank Redeker
  2019-03-19 16:57     ` Corinna Vinschen
  2019-03-19 17:20   ` Andrey Repin
  1 sibling, 1 reply; 5+ messages in thread
From: Frank Redeker @ 2019-03-19 15:16 UTC (permalink / raw)
  To: cygwin

Am 19.03.2019 um 15:23 schrieb LRN:
> ... SNIP ...
> 
> Devmode + SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE is the only way to
> create symlinks without being Administrator (that i know of). You can't just
> give some extra privileges to your non-administrator account. I know, i've tried.

On Windows 10 Pro (1809) this works for me for with a non-administrator
account.

I just added the SeCreateSymbolicLinkPrivilege to my normal user account
and was able to use mklink without any problems.


Frank

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: winsymlinks:nativestrict and Windows 10
  2019-03-19 15:16   ` Frank Redeker
@ 2019-03-19 16:57     ` Corinna Vinschen
  0 siblings, 0 replies; 5+ messages in thread
From: Corinna Vinschen @ 2019-03-19 16:57 UTC (permalink / raw)
  To: cygwin

[-- Attachment #1: Type: text/plain, Size: 1174 bytes --]

On Mar 19 16:16, Frank Redeker wrote:
> Am 19.03.2019 um 15:23 schrieb LRN:
> > ... SNIP ...
> > 
> > Devmode + SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE is the only way to
> > create symlinks without being Administrator (that i know of). You can't just
> > give some extra privileges to your non-administrator account. I know, i've tried.
> 
> On Windows 10 Pro (1809) this works for me for with a non-administrator
> account.
> 
> I just added the SeCreateSymbolicLinkPrivilege to my normal user account
> and was able to use mklink without any problems.

This is indeed a solution since the permission to create native symlinks
is coupled to this privilege and the Administrators group is the only
one having this privilege by default.  Unfortunately not everyone has
the luxury to enable this privilege for the own account (domain users).

Btw, there is another restriction with native symlinks, independent from
user privileges,  which is pretty puzzeling at first:

https://blogs.msdn.microsoft.com/junfeng/2012/05/07/the-symbolic-link-cannot-be-followed-because-its-type-is-disabled/


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: winsymlinks:nativestrict and Windows 10
  2019-03-19 14:23 ` LRN
  2019-03-19 15:16   ` Frank Redeker
@ 2019-03-19 17:20   ` Andrey Repin
  1 sibling, 0 replies; 5+ messages in thread
From: Andrey Repin @ 2019-03-19 17:20 UTC (permalink / raw)
  To: LRN, cygwin

Greetings, LRN!

> On 19.03.2019 15:23, Andrey Repin wrote:
>> It's not a secret that in earlier Windows versions members of Administrators
>> group require elevated shell to create symlinks.
>> Win10 is supposed to be easier, but all I've found was pointing to some
>> obscure "developer mode".

> Newer Windows 10 added a feature where passing a certain flag
> (SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE) to a W32 API function that
> creates symlink (CreateSymbolicLinkW) allows you to create symlinks without
> being Administrator.

> This flag only works if you put Windows into developer mode (you can toggle
> this in Settings->Update & Security->For developers).

> Newer versions of Cygwin know about this flag, and will always try to use it.

> Ironically, some programs built into Windows do *not* use this flag, and will
> continue to fail to create symlinks. Similarly, old versions of Cygwin or,
> really, any Windows (MinGW/MSVC) program that does symlinks, will not be able
> to use it, since they are not passing that flag. Any program that uses Cygwin
> runtime will automatically benefit from this feature if Cygwin runtime itself
> is new enough, since programs built against Cygwin just call `symlink()` and
> don't have to know anything about implementation details.

>> I wonder if it is possible to add some permission to the account instead and
>> call it a day?
>> 

> Devmode + SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE is the only way to
> create symlinks without being Administrator (that i know of). You can't just
> give some extra privileges to your non-administrator account. I know, i've tried.

> Do note that this still doesn't fix the fundamental problem of NTFS symlinks
> being either files or directories, but not both at the same time, unlike
> symlink on other filesystems that have "dynamic" type and thus can be files or
> directories depending on what they are pointing to at any given moment. But you
> must already know what, since you're using nativestrict.

It's even worse than that. Windows 10 fully resolves symlinks BEFORE passing
them to any application.
Say, you want to start X:\Y\z which is a symlink to A:\B\c.
On Win7, the command line will be X:\Y\z
On Win10, it will be A:\B\c. All relative paths inside program will be
relative to "A:\B".
No way to have program mode switching by name, like it is often seen in *NIX.
This shit completely ruined my setup.


-- 
With best regards,
Andrey Repin
Tuesday, March 19, 2019 19:59:00

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2019-03-19 17:20 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-19 12:35 winsymlinks:nativestrict and Windows 10 Andrey Repin
2019-03-19 14:23 ` LRN
2019-03-19 15:16   ` Frank Redeker
2019-03-19 16:57     ` Corinna Vinschen
2019-03-19 17:20   ` Andrey Repin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).