* ntsec: changing the everyone user
From: Chris Rodgers @ 2003-09-15 11:58 UTC (permalink / raw)
To: cygwin
Hi
I have hunted on the web for a while trying to find a solution, but to no
avail. If any of you can help me, I'd appreciate it.
I am using Cygwin on Windows 2000 with the NTsec permissions enabled on an
NTFS volume. My problem is that some of the Cygwin tools I use require
certain files to be world readable or even world read-writable. Currently,
this translates to giving the "Everyone" user read or even read-write access
within C:\cygwin. Is there a way to map the unix "other" permissions onto a
different Windows 2000 user/group in order to close up this security hole?
Yours
Chris Rodgers
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
* Re: ntsec: changing the everyone user
From: Larry Hall @ 2003-09-15 14:56 UTC (permalink / raw)
To: Chris Rodgers, cygwin
At 07:58 AM 9/15/2003, Chris Rodgers wrote:
>Hi
>
>I have hunted on the web for a while trying to find a solution, but to no
>avail. If any of you can help me, I'd appreciate it.
>
>I am using Cygwin on Windows 2000 with the NTsec permissions enabled on an
>NTFS volume. My problem is that some of the Cygwin tools I use require
>certain files to be world readable or even world read-writable. Currently,
>this translates to giving the "Everyone" user read or even read-write access
>within C:\cygwin. Is there a way to map the unix "other" permissions onto a
>different Windows 2000 user/group in order to close up this security hole?
What Cygwin tools are causing you this perceived problem? I don't think
that you could solve the issue you have with your proposed solution. But
I'm also not convinced that you have the problem you think you do, at least
not without more information about what you're doing and seeing. See
<http://cygwin.com/problems.html>
--
Larry Hall http://www.rfk.com
RFK Partners, Inc. (508) 893-9779 - RFK Office
838 Washington Street (508) 893-9889 - FAX
Holliston, MA 01746
* Re: ntsec: changing the everyone user
From: Chris Rodgers @ 2003-09-15 16:35 UTC (permalink / raw)
To: Cygwin List
OK. Here is an example of the way permissions leak out to "Everyone". I
create a new file, with no permissions granted to "other". Cygwin shows this
to have worked OK. Yet in actual fact there is an ACL there giving Everyone
some access rights. I usually choose not to have "Everyone" authorised to do
anything on my Windows NT/2000 boxes, using Authorised Users instead. This
way, without a valid login, you cannot get any information, including
usernames and ACLs.
How can I stop cygwin setting these ACLs?
[628 chris-mob /]$ umask
0007
[629 chris-mob /]$ touch delme
[630 chris-mob /]$ ls -al delme
-rw-rw---- 1 Administ wheel 0 Sep 15 17:31 delme
[631 chris-mob /]$ getfacl delme
# file: delme
# owner: Administrator
# group: wheel
user::rw-
group::rw-
mask:rwx
other:---
[632 chris-mob /]$ cacls delme
C:\cygwin\delme CHRIS-MOB\Administrator:(special access:)
                    STANDARD_RIGHTS_ALL
                    DELETE
                    READ_CONTROL
                    WRITE_DAC
                    WRITE_OWNER
                    SYNCHRONIZE
                    STANDARD_RIGHTS_REQUIRED
                    FILE_GENERIC_READ
                    FILE_GENERIC_WRITE
                    FILE_READ_DATA
                    FILE_WRITE_DATA
                    FILE_APPEND_DATA
                    FILE_READ_EA
                    FILE_WRITE_EA
                    FILE_READ_ATTRIBUTES
                    FILE_WRITE_ATTRIBUTES
                BUILTIN\Administrators:(special access:)
                    READ_CONTROL
                    SYNCHRONIZE
                    FILE_GENERIC_READ
                    FILE_GENERIC_WRITE
                    FILE_READ_DATA
                    FILE_WRITE_DATA
                    FILE_APPEND_DATA
                    FILE_READ_EA
                    FILE_WRITE_EA
                    FILE_READ_ATTRIBUTES
                    FILE_WRITE_ATTRIBUTES
                Everyone:(special access:)
                    READ_CONTROL
                    FILE_READ_EA
                    FILE_READ_ATTRIBUTES
[633 chris-mob /]$
* Re: ntsec: changing the everyone user
From: Corinna Vinschen @ 2003-09-15 17:14 UTC (permalink / raw)
To: Cygwin List
On Mon, Sep 15, 2003 at 05:35:20PM +0100, Chris Rodgers wrote:
> OK. Here is an example of the way permissions leak out to "Everyone". I
> create a new file, with no permissions granted to "other". Cygwin shows this
> to have worked OK. Yet in actual fact there is an ACL there giving Everyone
> some access rights. I usually choose not to have "Everyone" authorised to do
> anything on my Windows NT/2000 boxes, using Authorised Users instead. This
> way, without a valid login, you cannot get any information, including
> usernames and ACLs.
>
> How can I stop cygwin setting these ACLs?
Did you have a close look at the access rights granted to Everyone?
Otherwise, just don't use ntsec.
Corinna
> [...]
> Everyone:(special access:)
> READ_CONTROL
> FILE_READ_EA
> FILE_READ_ATTRIBUTES
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.
* Re: ntsec: changing the everyone user
From: Chris Rodgers @ 2003-09-22 22:33 UTC (permalink / raw)
To: cygwin
> On Mon, Sep 15, 2003 at 05:35:20PM +0100, Chris Rodgers wrote:
> > OK. Here is an example of the way permissions leak out to "Everyone". I
> > create a new file, with no permissions granted to "other". Cygwin shows
> > this to have worked OK. Yet in actual fact there is an ACL there giving
> > Everyone some access rights. I usually choose not to have "Everyone"
> > authorised to do anything on my Windows NT/2000 boxes, using Authorised
> > Users instead. This way, without a valid login, you cannot get any
> > information, including usernames and ACLs.
> >
> > How can I stop cygwin setting these ACLs?
>
> Did you have a close look at the access rights granted to Everyone?
> Otherwise, just don't use ntsec.
>
> Corinna
>
> > [...]
> > Everyone:(special access:)
> > READ_CONTROL
> > FILE_READ_EA
> > FILE_READ_ATTRIBUTES
>
For the archives (NOT for release :-)), I think that a quick hack is to
redefine well_known_world_sid in src/winsup/cygwin/sec_helper.cc to be
"S-1-5-11" instead of "S-1-1-0". This refers to the "Authorized Users"
well-known group, instead of to "Everyone".
Chris.
* Re: ntsec: changing the everyone user
From: Larry Hall @ 2003-09-22 22:33 UTC (permalink / raw)
To: Chris Rodgers, cygwin
At 05:23 PM 9/22/2003, Chris Rodgers wrote:
>> On Mon, Sep 15, 2003 at 05:35:20PM +0100, Chris Rodgers wrote:
>> > OK. Here is an example of the way permissions leak out to "Everyone". I
>> > create a new file, with no permissions granted to "other". Cygwin shows
>> > this to have worked OK. Yet in actual fact there is an ACL there giving
>> > Everyone some access rights. I usually choose not to have "Everyone"
>> > authorised to do anything on my Windows NT/2000 boxes, using Authorised
>> > Users instead. This way, without a valid login, you cannot get any
>> > information, including usernames and ACLs.
>> >
>> > How can I stop cygwin setting these ACLs?
>>
>> Did you have a close look at the access rights granted to Everyone?
>> Otherwise, just don't use ntsec.
>>
>> Corinna
>>
>> > [...]
>> > Everyone:(special access:)
>> > READ_CONTROL
>> > FILE_READ_EA
>> > FILE_READ_ATTRIBUTES
>>
>
>
>For the archives (NOT for release :-)), I think that a quick hack is to
>redefine well_known_world_sid in src/winsup/cygwin/sec_helper.cc to be
>"S-1-5-11" instead of "S-1-1-0". This refers to the "Authorized Users"
>well-known group, instead of to "Everyone".
Glad you found a resolution to this for your own needs but I have to say
I'm with Corinna. I don't see how giving everyone read access to the
security descriptor/attributes/extended attributes is a problem. The
file still can't be accessed unless that information says that it can
for the current user.
--
Larry Hall http://www.rfk.com
RFK Partners, Inc. (508) 893-9779 - RFK Office
838 Washington Street (508) 893-9889 - FAX
Holliston, MA 01746
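An added example, not code from the thread, Cygwin or Windows, that turns Corinna's and Larry's point into a repeatable check against a cacls dump like the one Chris posted: for every principal in the DACL it reports whether the ACE reaches file data (FILE_READ_DATA, FILE_WRITE_DATA, DELETE, WRITE_DAC and the aggregates that contain them) or only metadata (READ_CONTROL, FILE_READ_EA, FILE_READ_ATTRIBUTES). The path argument, the two constructed samples that follow the thread's own dump, and the expansion of the cacls short codes R/W/C/F are assumptions of the example.

```python
"""Classify what Everyone (S-1-1-0) can do with a file, from its cacls dump.
Added example for this thread, not code from Cygwin, Windows or the posters.
Handles the "(special access:)" form seen in the thread and the short N/R/W/C/F form."""
import re

# Rights that reach file contents or let the holder change the object's security.
# Aggregates containing such a right are listed too, since cacls prints them as
# single tokens (FILE_GENERIC_READ contains FILE_READ_DATA, STANDARD_RIGHTS_ALL
# contains WRITE_DAC and WRITE_OWNER).
DATA_RIGHTS: set[str] = {
    "FILE_READ_DATA", "FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_EXECUTE",
    "FILE_GENERIC_READ", "FILE_GENERIC_WRITE", "FILE_GENERIC_EXECUTE",
    "FILE_ALL_ACCESS", "GENERIC_READ", "GENERIC_WRITE", "GENERIC_EXECUTE",
    "GENERIC_ALL", "DELETE", "WRITE_DAC", "WRITE_OWNER",
    "STANDARD_RIGHTS_ALL", "STANDARD_RIGHTS_REQUIRED",
}
# Rights that expose only metadata (security descriptor, attributes, EAs): exactly
# what the thread's dump shows Everyone holding on a file created with other:---.
METADATA_RIGHTS: set[str] = {
    "READ_CONTROL", "FILE_READ_EA", "FILE_READ_ATTRIBUTES", "SYNCHRONIZE",
}
# Assumed expansion of the cacls short codes N/R/W/C/F into aggregate rights.
SHORT_CODES: dict[str, set[str]] = {
    "N": set(), "R": {"FILE_GENERIC_READ"}, "W": {"FILE_GENERIC_WRITE"},
    "C": {"FILE_GENERIC_READ", "FILE_GENERIC_WRITE", "DELETE"},
    "F": {"FILE_ALL_ACCESS"},
}
# "<account>:(OI)(CI)(special access:)"  or  "<account>:(OI)(CI)R"
ACE_RE = re.compile(r"^(?P<who>[^:]+?):(?:\([A-Z]+\))*"
                    r"(?P<mode>\(special access:\)|[NRWCF])$")
RIGHTS_RE = re.compile(r"^[A-Z_]+(?:\s+[A-Z_]+)*$")  # body of a special-access list

def parse_cacls(output: str, path: str) -> list[tuple[str, set[str]]]:
    """Return [(account, rights)] for one file.  `path` is the name cacls prints
    before the first ACE; strip it first, or the ':' in "C:\\..." is taken as
    the account/rights separator."""
    aces: list[tuple[str, set[str]]] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            mode = m.group("mode")
            rights = set() if mode.startswith("(") else set(SHORT_CODES[mode])
            aces.append((m.group("who").strip(), rights))
        elif RIGHTS_RE.match(line) and aces:
            aces[-1][1].update(line.split())  # continuation of the current ACE
        else:
            raise ValueError(f"unrecognised cacls line: {raw!r}")
    return aces

def classify(rights: set[str]) -> str:
    """'none', 'metadata-only' or 'data-access'; anything outside METADATA_RIGHTS
    counts as data access, so an unknown token fails closed."""
    if not rights:
        return "none"
    return "metadata-only" if rights <= METADATA_RIGHTS else "data-access"

def audit(output: str, path: str) -> dict[str, str]:
    """Strongest verdict per principal over all of its ACEs."""
    rank = ["none", "metadata-only", "data-access"]
    verdicts: dict[str, str] = {}
    for who, rights in parse_cacls(output, path):
        cls = classify(rights)
        if who not in verdicts or rank.index(cls) > rank.index(verdicts[who]):
            verdicts[who] = cls
    return verdicts

# The ACEs and rights from the thread's dump, rights folded onto fewer lines.
THREAD_DUMP = r"""
C:\cygwin\delme CHRIS-MOB\Administrator:(special access:)
      STANDARD_RIGHTS_ALL DELETE READ_CONTROL WRITE_DAC WRITE_OWNER SYNCHRONIZE
      STANDARD_RIGHTS_REQUIRED FILE_GENERIC_READ FILE_GENERIC_WRITE
      FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA
      FILE_WRITE_EA FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES
      BUILTIN\Administrators:(special access:)
      READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_GENERIC_WRITE
      FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA
      FILE_WRITE_EA FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES
      Everyone:(special access:)
      READ_CONTROL FILE_READ_EA FILE_READ_ATTRIBUTES
"""
# Constructed: the same file once Everyone can also read the data.
LEAKY_DUMP = THREAD_DUMP.replace(
    "READ_CONTROL FILE_READ_EA FILE_READ_ATTRIBUTES\n",
    "READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_READ_DATA FILE_READ_EA "
    "FILE_READ_ATTRIBUTES\n")
# Constructed: short-form output for a file shared read-only with Everyone.
SHORT_DUMP = ("C:\\cygwin\\pub\\notes.txt Everyone:R\n"
              "                        NT AUTHORITY\\SYSTEM:F\n")

if __name__ == "__main__":
    for dump in (THREAD_DUMP, LEAKY_DUMP):
        print(audit(dump, r"C:\cygwin\delme"))
```

On the thread's dump this reports Everyone as metadata-only and both administrator entries as data-access, which is Larry's point in code: the descriptor and attributes are readable, the bytes are not. A file that really is world-readable (other:r--) lands Everyone in the data-access bucket, and the hack of swapping S-1-1-0 for S-1-5-11 (the Authenticated Users group) only changes which principal that bucket names, not what it grants. To run it against a live system, paste the output of `cacls <file>` from inside Cygwin into `audit()` together with the path cacls printed on its first line.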