Re: Windows 10 Creators Update and Symlinks

Re: Windows 10 Creators Update and Symlinks

[Till Riedel]

Hi all,

I was really excited to hear this!

I tried to export CYGWIN="winsymlinks:nativestrict" and create symlink 
without elevation and failed on cygwin 2.8.0 (checked that "cmd /C 
mklink" works as expected in Windows 10 Creators Update Developer Mode).

Any ideas if there are any extra checks that lead to "Operation not 
permitted"?

Windows seemingly even allows symlinks to nonexistent files (I somehow 
think there was a problem with that in the past). For me personally this 
would a strong reason to switch to real symlinks.


Best regards,

Till


Am 13.04.2017 um 0:29 schrieb Jeffrey Altman:
> When Developer mode is enabled the elevation requirement for symlink
> creation is disabled:
>
> https://blogs.windows.com/buildingapps/2016/12/02/symlinks-windows-10/#DXz6icKZOkEozgYR.97
>
> This was necessary for symlink creation within WSL to work.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Windows 10 Creators Update and Symlinks

[Brian Inglis]

On 2017-04-23 03:26, Till Riedel wrote:
> Am 13.04.2017 um 0:29 schrieb Jeffrey Altman:
>> When Developer mode is enabled the elevation requirement for
>> symlink creation is disabled:
>> https://blogs.windows.com/buildingapps/2016/12/02/symlinks-windows-10/#DXz6icKZOkEozgYR.97
>> This was necessary for symlink creation within WSL to work.

> I was really excited to hear this!
> I tried to export CYGWIN="winsymlinks:nativestrict" and create
> symlink without elevation and failed on cygwin 2.8.0 (checked that
> "cmd /C mklink" works as expected in Windows 10 Creators Update
> Developer Mode).
> Any ideas if there are any extra checks that lead to "Operation not
> permitted"?
> Windows seemingly even allows symlinks to nonexistent files (I
> somehow think there was a problem with that in the past). For me
> personally this would a strong reason to switch to real symlinks.

Artcile states:
CreateSymbolicLink
    To enable the new behavior when using the CreateSymbolicLink API, 
there is an additional dwFlags option you will need to set:

Value 	Meaning
SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE
0x2 	Specify this flag to allow creation of symbolic links when the 
	process is not elevated

So Cygwin patches are required to winsymlinks:native/strict handling 
in winsup/w32api/include/winbase.h (which may be owned by mingw):

#define SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE 0x2

and in winsup/cygwin/path.cc(symlink_native) like:

/* Try to create native symlink. */
if (!CreateSymbolicLinkW (final_newpath->Buffer, final_oldpath->Buffer,
#ifdef SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE
			  SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE |
#endif
			  (win32_oldpath.isdir ()
			     ? SYMBOLIC_LINK_FLAG_DIRECTORY : 0)))

but may need W10 build 14972 checks, and any privilege checks disabled.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Windows 10 Creators Update and Symlinks

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 2570 bytes --]

On Apr 23 09:21, Brian Inglis wrote:
> On 2017-04-23 03:26, Till Riedel wrote:
> > Am 13.04.2017 um 0:29 schrieb Jeffrey Altman:
> >> When Developer mode is enabled the elevation requirement for
> >> symlink creation is disabled:
> >> https://blogs.windows.com/buildingapps/2016/12/02/symlinks-windows-10/#DXz6icKZOkEozgYR.97
> >> This was necessary for symlink creation within WSL to work.
> 
> > I was really excited to hear this!
> > I tried to export CYGWIN="winsymlinks:nativestrict" and create
> > symlink without elevation and failed on cygwin 2.8.0 (checked that
> > "cmd /C mklink" works as expected in Windows 10 Creators Update
> > Developer Mode).
> > Any ideas if there are any extra checks that lead to "Operation not
> > permitted"?
> > Windows seemingly even allows symlinks to nonexistent files (I
> > somehow think there was a problem with that in the past). For me
> > personally this would a strong reason to switch to real symlinks.
> 
> Artcile states:
> CreateSymbolicLink
>     To enable the new behavior when using the CreateSymbolicLink API, 
> there is an additional dwFlags option you will need to set:
> 
> Value 	Meaning
> SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE
> 0x2 	Specify this flag to allow creation of symbolic links when the 
> 	process is not elevated
> 
> So Cygwin patches are required to winsymlinks:native/strict handling 
> in winsup/w32api/include/winbase.h (which may be owned by mingw):
> 
> #define SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE 0x2
> 
> and in winsup/cygwin/path.cc(symlink_native) like:
> 
> /* Try to create native symlink. */
> if (!CreateSymbolicLinkW (final_newpath->Buffer, final_oldpath->Buffer,
> #ifdef SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE
> 			  SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE |
> #endif
> 			  (win32_oldpath.isdir ()
> 			     ? SYMBOLIC_LINK_FLAG_DIRECTORY : 0)))
> 
> but may need W10 build 14972 checks, and any privilege checks disabled.

Unfortunately the flag can't be used blindly because older versions of
Windows will return ERROR_INVALID_PARAMETER when adding this flag, so we
definitely need a version check.

I'm also running an Enterprise edition of W10 which didn't get the
Creator's update yet and the "Update Assistant" doesn't support the
Enterprise edition either.

I'm also going offline for all of May, so this might take a bit.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Windows 10 Creators Update and Symlinks

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 2207 bytes --]

On Apr 24 11:09, Corinna Vinschen wrote:
> On Apr 23 09:21, Brian Inglis wrote:
> > On 2017-04-23 03:26, Till Riedel wrote:
> > > I was really excited to hear this!
> > > I tried to export CYGWIN="winsymlinks:nativestrict" and create
> > > symlink without elevation and failed on cygwin 2.8.0 (checked that
> > > "cmd /C mklink" works as expected in Windows 10 Creators Update
> > > Developer Mode).
> > > Any ideas if there are any extra checks that lead to "Operation not
> > > permitted"?
> > > Windows seemingly even allows symlinks to nonexistent files (I
> > > somehow think there was a problem with that in the past). For me
> > > personally this would a strong reason to switch to real symlinks.
> > [...]
> > if (!CreateSymbolicLinkW (final_newpath->Buffer, final_oldpath->Buffer,
> > #ifdef SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE
> > 			  SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE |
> > #endif
> > 			  (win32_oldpath.isdir ()
> > 			     ? SYMBOLIC_LINK_FLAG_DIRECTORY : 0)))
> > [...]
> 
> Unfortunately the flag can't be used blindly because older versions of
> Windows will return ERROR_INVALID_PARAMETER when adding this flag, so we
> definitely need a version check.
> 
> I'm also running an Enterprise edition of W10 which didn't get the
> Creator's update yet and the "Update Assistant" doesn't support the
> Enterprise edition either.
> 
> I'm also going offline for all of May, so this might take a bit.

Having said that, I just added code to handle this new flag(*) and
uploaded new developer snapshots to https://cygwin.com/snapshots/

Please test.  What I'm especially interested in is this:

Assuming you're running W10 1703, and further assuming you did NOT
activate the developers option.  Running this in a non-elevated
shell:

  $ export CYGWIN="winsymlinks:nativestrict"
  $ ln -s foo bar

should always fail then, just like on previous versions of Windows.

The question is this: What error do you get?  "Permission denied" or
"Invalid argument"?


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Windows 10 Creators Update and Symlinks

[David Macek]

[-- Attachment #1: Type: text/plain, Size: 686 bytes --]

> ver
Microsoft Windows [Version 10.0.15063]

$ uname -a
CYGWIN_NT-10.0 mew 2.8.1(0.310/5/3)  x86_64 Cygwin

=== Developer mode DISabled, non-elevated Administrators account

> echo > foo
> mklink bar foo
You do not have sufficient privilege to perform this operation.

$ export CYGWIN="winsymlinks:nativestrict"
$ touch foo
$ ln -s foo bar
ln: failed to create symbolic link 'bar': Operation not permitted

=== Developer mode ENabled, non-elevated Administrators account

$ export CYGWIN="winsymlinks:nativestrict"
$ touch foo
$ ln -s foo bar
$ rm bar

> echo > foo
> mklink bar foo
symbolic link created for bar <<===>> foo
> del bar

-- 
David Macek


[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 3715 bytes --]

Re: Windows 10 Creators Update and Symlinks

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 702 bytes --]

On Apr 24 18:52, David Macek wrote:
> > ver
> Microsoft Windows [Version 10.0.15063]
> 
> $ uname -a
> CYGWIN_NT-10.0 mew 2.8.1(0.310/5/3)  x86_64 Cygwin
> 
> === Developer mode DISabled, non-elevated Administrators account
> 
> > echo > foo
> > mklink bar foo
> You do not have sufficient privilege to perform this operation.
> 
> $ export CYGWIN="winsymlinks:nativestrict"
> $ touch foo
> $ ln -s foo bar
> ln: failed to create symbolic link 'bar': Operation not permitted

EPERM?  That's fine, actually.


Thanks!


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Windows 10 Creators Update and Symlinks

[Thomas Wolff]

Am 13.04.2017 um 06:29 schrieb Jeffrey Altman:
> When Developer mode is enabled the elevation requirement for symlink
> creation is disabled:
>
> https://blogs.windows.com/buildingapps/2016/12/02/symlinks-windows-10/#DXz6icKZOkEozgYR.97
>
> This was necessary for symlink creation within WSL to work.
I understand that blog so that at the API, with the respective flag set, 
this would also work without the need to previously set developer mode.
Maybe something that cygwin could use?
Thomas

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Windows 10 Creators Update and Symlinks

[Jeffrey Altman]

[-- Attachment #1: Type: text/plain, Size: 254 bytes --]

When Developer mode is enabled the elevation requirement for symlink
creation is disabled:

https://blogs.windows.com/buildingapps/2016/12/02/symlinks-windows-10/#DXz6icKZOkEozgYR.97

This was necessary for symlink creation within WSL to work.



[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4081 bytes --]