* winsymlinks:nativestrict and Windows 10
From: Andrey Repin @ 2019-03-19 12:35 UTC
To: All

Greetings, All!

Can someone shed some light, please?

It's not a secret that in earlier Windows versions members of Administrators
group require elevated shell to create symlinks.
Win10 is supposed to be easier, but all I've found was pointing to some
obscure "developer mode".
I wonder if it is possible to add some permission to the account instead and
call it a day?

--
With best regards,
Andrey Repin
Tuesday, March 19, 2019 15:19:34

Sorry for my terrible English...

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

* Re: winsymlinks:nativestrict and Windows 10
From: LRN @ 2019-03-19 14:23 UTC
To: cygwin

On 19.03.2019 15:23, Andrey Repin wrote:
> It's not a secret that in earlier Windows versions members of Administrators
> group require elevated shell to create symlinks.
> Win10 is supposed to be easier, but all I've found was pointing to some
> obscure "developer mode".

Newer Windows 10 added a feature where passing a certain flag
(SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE) to a W32 API function that
creates symlink (CreateSymbolicLinkW) allows you to create symlinks without
being Administrator.
This flag only works if you put Windows into developer mode (you can toggle
this in Settings->Update & Security->For developers).
Newer versions of Cygwin know about this flag, and will always try to use it.
Ironically, some programs built into Windows do *not* use this flag, and will
continue to fail to create symlinks. Similarly, old versions of Cygwin or,
really, any Windows (MinGW/MSVC) program that does symlinks, will not be able
to use it, since they are not passing that flag. Any program that uses Cygwin
runtime will automatically benefit from this feature if Cygwin runtime itself
is new enough, since programs built against Cygwin just call `symlink()` and
don't have to know anything about implementation details.

> I wonder if it is possible to add some permission to the account instead and
> call it a day?
>

Devmode + SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE is the only way to
create symlinks without being Administrator (that I know of). You can't just
give some extra privileges to your non-administrator account. I know, I've tried.

Do note that this still doesn't fix the fundamental problem of NTFS symlinks
being either files or directories, but not both at the same time, unlike
symlink on other filesystems that have "dynamic" type and thus can be files or
directories depending on what they are pointing to at any given moment. But you
must already know that, since you're using nativestrict.

* Re: winsymlinks:nativestrict and Windows 10
From: Frank Redeker @ 2019-03-19 15:16 UTC
To: cygwin

On 19.03.2019 at 15:23, LRN wrote:
> ... SNIP ...
>
> Devmode + SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE is the only way to
> create symlinks without being Administrator (that I know of). You can't just
> give some extra privileges to your non-administrator account. I know, I've tried.

On Windows 10 Pro (1809) this works for me with a non-administrator
account.

I just added the SeCreateSymbolicLinkPrivilege to my normal user account
and was able to use mklink without any problems.

Frank

* Re: winsymlinks:nativestrict and Windows 10
From: Corinna Vinschen @ 2019-03-19 16:57 UTC
To: cygwin

On Mar 19 16:16, Frank Redeker wrote:
> On 19.03.2019 at 15:23, LRN wrote:
> > ... SNIP ...
> >
> > Devmode + SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE is the only way to
> > create symlinks without being Administrator (that I know of). You can't just
> > give some extra privileges to your non-administrator account. I know, I've tried.
>
> On Windows 10 Pro (1809) this works for me with a non-administrator
> account.
>
> I just added the SeCreateSymbolicLinkPrivilege to my normal user account
> and was able to use mklink without any problems.

This is indeed a solution since the permission to create native symlinks
is coupled to this privilege and the Administrators group is the only
one having this privilege by default. Unfortunately not everyone has
the luxury to enable this privilege for the own account (domain users).

Btw, there is another restriction with native symlinks, independent
from user privileges, which is pretty puzzling at first:

https://blogs.msdn.microsoft.com/junfeng/2012/05/07/the-symbolic-link-cannot-be-followed-because-its-type-is-disabled/

Corinna

--
Corinna Vinschen
Cygwin Maintainer

* Re: winsymlinks:nativestrict and Windows 10
From: Andrey Repin @ 2019-03-19 17:20 UTC
To: LRN, cygwin

Greetings, LRN!

> On 19.03.2019 15:23, Andrey Repin wrote:
>> It's not a secret that in earlier Windows versions members of Administrators
>> group require elevated shell to create symlinks.
>> Win10 is supposed to be easier, but all I've found was pointing to some
>> obscure "developer mode".

> Newer Windows 10 added a feature where passing a certain flag
> (SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE) to a W32 API function that
> creates symlink (CreateSymbolicLinkW) allows you to create symlinks without
> being Administrator.
> This flag only works if you put Windows into developer mode (you can toggle
> this in Settings->Update & Security->For developers).
> Newer versions of Cygwin know about this flag, and will always try to use it.
> Ironically, some programs built into Windows do *not* use this flag, and will
> continue to fail to create symlinks. Similarly, old versions of Cygwin or,
> really, any Windows (MinGW/MSVC) program that does symlinks, will not be able
> to use it, since they are not passing that flag. Any program that uses Cygwin
> runtime will automatically benefit from this feature if Cygwin runtime itself
> is new enough, since programs built against Cygwin just call `symlink()` and
> don't have to know anything about implementation details.

>> I wonder if it is possible to add some permission to the account instead and
>> call it a day?
>>

> Devmode + SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE is the only way to
> create symlinks without being Administrator (that I know of). You can't just
> give some extra privileges to your non-administrator account. I know, I've tried.

> Do note that this still doesn't fix the fundamental problem of NTFS symlinks
> being either files or directories, but not both at the same time, unlike
> symlink on other filesystems that have "dynamic" type and thus can be files or
> directories depending on what they are pointing to at any given moment. But you
> must already know that, since you're using nativestrict.

It's even worse than that.
Windows 10 fully resolves symlinks BEFORE passing them to any application.
Say, you want to start X:\Y\z which is a symlink to A:\B\c.
On Win7, the command line will be X:\Y\z
On Win10, it will be A:\B\c. All relative paths inside program will be
relative to "A:\B". No way to have program mode switching by name, like it is
often seen in *NIX.

This shit completely ruined my setup.

--
With best regards,
Andrey Repin
Tuesday, March 19, 2019 19:59:00

Sorry for my terrible English...