public inbox for cygwin@cygwin.com
* ntsec: changing the everyone user
From: Chris Rodgers @ 2003-09-15 11:58 UTC (permalink / raw)
  To: cygwin

Hi

I have hunted on the web for a while trying to find a solution, but to no
avail. If any of you can help me, I'd appreciate it.

I am using Cygwin on Windows 2000 with the NTsec permissions enabled on an
NTFS volume. My problem is that some of the Cygwin tools I use require
certain files to be world readable or even world read-writable. Currently,
this translates to giving the "Everyone" user read or even read-write access
within C:\cygwin. Is there a way to map the unix "other" permissions onto a
different Windows 2000 user/group in order to close up this security hole?

Yours

Chris Rodgers


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


* Re: ntsec: changing the everyone user
From: Larry Hall @ 2003-09-15 14:56 UTC (permalink / raw)
  To: Chris Rodgers, cygwin

At 07:58 AM 9/15/2003, Chris Rodgers wrote:
>Hi
>
>I have hunted on the web for a while trying to find a solution, but to no
>avail. If any of you can help me, I'd appreciate it.
>
>I am using Cygwin on Windows 2000 with the NTsec permissions enabled on an
>NTFS volume. My problem is that some of the Cygwin tools I use require
>certain files to be world readable or even world read-writable. Currently,
>this translates to giving the "Everyone" user read or even read-write access
>within C:\cygwin. Is there a way to map the unix "other" permissions onto a
>different Windows 2000 user/group in order to close up this security hole?


What Cygwin tools are causing you this perceived problem?  I don't think
that you could solve the issue you have with your proposed solution.  But 
I'm also not convinced that you have the problem you think you do, at least
not without more information about what you're doing and seeing.  See 
<http://cygwin.com/problems.html>



--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
838 Washington Street                   (508) 893-9889 - FAX
Holliston, MA 01746                     



* Re: ntsec: changing the everyone user
From: Chris Rodgers @ 2003-09-15 16:35 UTC (permalink / raw)
  To: Cygwin List

OK. Here is an example of the way permissions leak out to "Everyone". I
create a new file, with no permissions granted to "other". Cygwin shows this
to have worked OK. Yet in actual fact there is an ACL there giving Everyone
some access rights. I usually choose not to have "Everyone" authorised to do
anything on my Windows NT/2000 boxes, using Authorised Users instead. This
way, without a valid login, you cannot get any information, including
usernames and ACLs.

How can I stop cygwin setting these ACLs?

[628 chris-mob /]$ umask
0007
[629 chris-mob /]$ touch delme
[630 chris-mob /]$ ls -al delme
-rw-rw----    1 Administ wheel           0 Sep 15 17:31 delme
[631 chris-mob /]$ getfacl delme
# file: delme
# owner: Administrator
# group: wheel
user::rw-
group::rw-
mask:rwx
other:---
[632 chris-mob /]$ cacls delme
C:\cygwin\delme CHRIS-MOB\Administrator:(special access:)
                                        STANDARD_RIGHTS_ALL
                                        DELETE
                                        READ_CONTROL
                                        WRITE_DAC
                                        WRITE_OWNER
                                        SYNCHRONIZE
                                        STANDARD_RIGHTS_REQUIRED
                                        FILE_GENERIC_READ
                                        FILE_GENERIC_WRITE
                                        FILE_READ_DATA
                                        FILE_WRITE_DATA
                                        FILE_APPEND_DATA
                                        FILE_READ_EA
                                        FILE_WRITE_EA
                                        FILE_READ_ATTRIBUTES
                                        FILE_WRITE_ATTRIBUTES

                BUILTIN\Administrators:(special access:)
                                       READ_CONTROL
                                       SYNCHRONIZE
                                       FILE_GENERIC_READ
                                       FILE_GENERIC_WRITE
                                       FILE_READ_DATA
                                       FILE_WRITE_DATA
                                       FILE_APPEND_DATA
                                       FILE_READ_EA
                                       FILE_WRITE_EA
                                       FILE_READ_ATTRIBUTES
                                       FILE_WRITE_ATTRIBUTES

                Everyone:(special access:)
                         READ_CONTROL
                         FILE_READ_EA
                         FILE_READ_ATTRIBUTES


[633 chris-mob /]$



* Re: ntsec: changing the everyone user
From: Corinna Vinschen @ 2003-09-15 17:14 UTC (permalink / raw)
  To: Cygwin List

On Mon, Sep 15, 2003 at 05:35:20PM +0100, Chris Rodgers wrote:
> OK. Here is an example of the way permissions leak out to "Everyone". I
> create a new file, with no permissions granted to "other". Cygwin shows this
> to have worked OK. Yet in actual fact there is an ACL there giving Everyone
> some access rights. I usually choose not to have "Everyone" authorised to do
> anything on my Windows NT/2000 boxes, using Authorised Users instead. This
> way, without a valid login, you cannot get any information, including
> usernames and ACLs.
> 
> How can I stop cygwin setting these ACLs?

Did you have a close look at the access rights granted to everyone?
Otherwise, just don't use ntsec.

Corinna

> [...]
>                 Everyone:(special access:)
>                          READ_CONTROL
>                          FILE_READ_EA
>                          FILE_READ_ATTRIBUTES

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.


* Re: ntsec: changing the everyone user
From: Chris Rodgers @ 2003-09-22 22:33 UTC (permalink / raw)
  To: cygwin

> On Mon, Sep 15, 2003 at 05:35:20PM +0100, Chris Rodgers wrote:
> > OK. Here is an example of the way permissions leak out to "Everyone". I
> > create a new file, with no permissions granted to "other". Cygwin shows this
> > to have worked OK. Yet in actual fact there is an ACL there giving Everyone
> > some access rights. I usually choose not to have "Everyone" authorised to do
> > anything on my Windows NT/2000 boxes, using Authorised Users instead. This
> > way, without a valid login, you cannot get any information, including
> > usernames and ACLs.
> >
> > How can I stop cygwin setting these ACLs?
>
> Did you have a close look at the access rights granted to everyone?
> Otherwise, just don't use ntsec.
>
> Corinna
>
> > [...]
> >                 Everyone:(special access:)
> >                          READ_CONTROL
> >                          FILE_READ_EA
> >                          FILE_READ_ATTRIBUTES
>

For the archives (NOT for release :-)), I think that a quick hack is to
redefine well_known_world_sid in src/winsup/cygwin/sec_helper.cc to be
"S-1-5-11" instead of "S-1-1-0". This refers to the "Authorized Users"
well-known group, instead of to "Everyone".

Chris.



* Re: ntsec: changing the everyone user
From: Larry Hall @ 2003-09-22 22:33 UTC (permalink / raw)
  To: Chris Rodgers, cygwin

At 05:23 PM 9/22/2003, Chris Rodgers wrote:
>> On Mon, Sep 15, 2003 at 05:35:20PM +0100, Chris Rodgers wrote:
>> > OK. Here is an example of the way permissions leak out to "Everyone". I
>> > create a new file, with no permissions granted to "other". Cygwin shows this
>> > to have worked OK. Yet in actual fact there is an ACL there giving Everyone
>> > some access rights. I usually choose not to have "Everyone" authorised to do
>> > anything on my Windows NT/2000 boxes, using Authorised Users instead. This
>> > way, without a valid login, you cannot get any information, including
>> > usernames and ACLs.
>> >
>> > How can I stop cygwin setting these ACLs?
>>
>> Did you have a close look at the access rights granted to everyone?
>> Otherwise, just don't use ntsec.
>>
>> Corinna
>>
>> > [...]
>> >                 Everyone:(special access:)
>> >                          READ_CONTROL
>> >                          FILE_READ_EA
>> >                          FILE_READ_ATTRIBUTES
>>
>
>For the archives (NOT for release :-)), I think that a quick hack is to
>redefine well_known_world_sid in src/winsup/cygwin/sec_helper.cc to be
>"S-1-5-11" instead of "S-1-1-0". This refers to the "Authorized Users"
>well-known group, instead of to "Everyone".


Glad you found a resolution to this for your own needs, but I have to say
I'm with Corinna.  I don't see how giving everyone read access to the 
security descriptor/attributes/extended attributes is a problem.  The 
file still can't be accessed unless that information says that it can 
for the current user.


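Both the cacls listing Chris posted and Larry's point about what Everyone can actually do with READ_CONTROL, FILE_READ_EA and FILE_READ_ATTRIBUTES can be checked mechanically. The following is an added example, not code from this thread or from Cygwin: it parses "special access" cacls output (a constructed, shortened excerpt of the listing above) and reports which rights Everyone holds beyond metadata-read. The METADATA_ONLY set and the assumption that the path on the first line contains no spaces are my own.

```python
import re

# Constructed excerpt of the cacls output quoted in the thread (rights lists shortened).
CACLS_OUTPUT = r"""
C:\cygwin\delme CHRIS-MOB\Administrator:(special access:)
                                        DELETE
                                        FILE_READ_DATA
                                        FILE_WRITE_DATA

                BUILTIN\Administrators:(special access:)
                                       READ_CONTROL
                                       FILE_WRITE_DATA

                Everyone:(special access:)
                         READ_CONTROL
                         FILE_READ_EA
                         FILE_READ_ATTRIBUTES
"""

# Principal line: "<optional path> <principal>:(special access:)"; assumes no spaces in the path.
_PRINCIPAL_RE = re.compile(r"^(?:\S+\s+)?(?P<who>[^:]+):\(special access:\)$")
_RIGHT_RE = re.compile(r"^[A-Z][A-Z_]*$")

# Rights that expose only metadata (security descriptor, attributes, EAs), never
# file contents. These are exactly what ntsec granted Everyone for other:--- above.
METADATA_ONLY = {"READ_CONTROL", "FILE_READ_EA", "FILE_READ_ATTRIBUTES", "SYNCHRONIZE"}

def parse_cacls(text: str) -> dict[str, set[str]]:
    """Map each principal in 'special access' cacls output to its set of rights."""
    acl: dict[str, set[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _PRINCIPAL_RE.match(line)
        if m:
            current = m.group("who")
            acl.setdefault(current, set())
        elif current is not None and _RIGHT_RE.match(line):
            acl[current].add(line)
        else:
            raise ValueError(f"unrecognised cacls line: {raw!r}")
    return acl

def excess_rights(acl: dict[str, set[str]], principal: str = "Everyone") -> set[str]:
    """Rights beyond metadata-read held by `principal`; empty means no content exposure."""
    return acl.get(principal, set()) - METADATA_ONLY
```

An empty result for Everyone is the case Larry describes: the world can read the descriptor but not the data; any FILE_READ_DATA or write right in the result is a real leak worth fixing.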
