From: Andrey Repin
To: "Brian S. Wilson", cygwin@cygwin.com
Date: Sat, 02 Nov 2013 18:42:00 -0000
Subject: Re: vi stealing SYSTEM-owned permissions and ownership
Message-ID: <1709690551.20131102214706@mtu-net.ru>
References: <5274F396.A133C4CE@boland.nl>

Greetings, Brian S. Wilson!

>> I'm a Linux teacher at a school for vocational education in the Netherlands.
>> I use Cygwin to help my students overcome their fear of the command line by
>> showing them their Windows systems through the eyes of Linux.
> ...
>> After a chgrp and chmod on the entire Apache folder, the "conf" directory
>> looks like this:
>>
>> drwxrwx---+ 1 SYSTEM apache     0 28 okt 20:43 .
>> drwxrwx---+ 1 SYSTEM apache     0  2 nov 13:10 ..
>> -rwxrwx---+ 1 SYSTEM apache 35142 26 okt 18:07 httpd.conf
>> -rwxrwx---+ 1 SYSTEM apache 34770  7 okt 23:29 httpd.default.conf
>> -rwxrwx---+ 1 SYSTEM apache 13340  3 okt 07:59 magic
>> -rwxrwx---+ 1 SYSTEM apache 13340 21 nov  2004 magic.default
>> -rwxrwx---+ 1 SYSTEM apache 54599  3 okt 07:59 mime.types
>> -rwxrwx---+ 1 SYSTEM apache 54599 17 mrt  2012 mime.types.default
>> -rwxrwx---+ 1 SYSTEM apache  9390  5 feb  2013 openssl.cnf
>> -rwxrwx---+ 1 SYSTEM apache 11050  3 okt 07:59 ssl.conf
>> -rwxrwx---+ 1 SYSTEM apache 11030  7 okt 23:29 ssl.default.conf
>>
>> My students can now administer Apache without running Cygwin "As
>> administrator".

> Your statement may not be quite accurate. The Cygwin Apache instance
> appears to be running as the "SYSTEM" user since that is the file owner, but
> your students can administer the files because they are members of the
> "apache" group. I can't really tell which user id is running your Apache
> process because I don't know how you are actually starting the Apache
> process. Most production Apache instances do not run as the "root" user
> since this is a security risk.
>
> If my guess about the Apache process owner is correct, please make your
> students aware that if someone hacks their Cygwin Apache servers, the hacker
> may gain the same user access rights as the user id actually running the
> Apache process. The Apache process owner would normally be a unique user
> account with no login or access privileges to protect the server from
> successful attacks (just because your Apache files are owned by "SYSTEM",
> Apache could be started under another, less privileged, user id for better
> protection; but it is common practice to have the file owner also be the
> user id that normally executes the file).
> It is common to see a "nobody" user as the owner of Apache in production
> systems.
>
> I've spent some time over several years trying to figure out how to get
> Apache working as a "nobody" user under Cygwin. I've never succeeded in
> getting it to work properly, and my comments to this board have not yielded
> an answer. I don't think it is possible to make Apache work this way
> under Cygwin, but your students should be made aware of this difference.
>
> If anyone is aware of how to get Apache working using a restricted "nobody"
> user id under Cygwin, please respond (or start a new thread).

I can't imagine a lot of reasons to not use the native Windows Apache server,
which is much better adapted for running in the Windows security environment.

--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 02.11.2013, <21:44>

Sorry for my terrible english...