From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 10058 invoked by alias); 22 Sep 2003 22:33:32 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 10046 invoked from network); 22 Sep 2003 22:33:31 -0000 Received: from unknown (HELO ns2.prospeed.net) (12.46.111.140) by sources.redhat.com with SMTP; 22 Sep 2003 22:33:31 -0000 Received: from enterprise-e.cygwin.com ([12.46.110.44]) by ns2.prospeed.net (8.12.10/8.12.8) with ESMTP id h8MMeGsI012085; Mon, 22 Sep 2003 18:40:16 -0400 Reply-To: Cygwin List Message-Id: <5.1.0.14.0.20030922180938.02f0d300@127.0.0.1> X-Sender: Date: Mon, 22 Sep 2003 22:33:00 -0000 To: "Chris Rodgers" , From: Larry Hall Subject: Re: ntsec: changing the everyone user In-Reply-To: <050e01c3814f$bd8511c0$ac3e4381@chrismob> References: <5.1.0.14.0.20030915104435.027cf828@127.0.0.1> <04ce01c37ba7$5b1e67a0$a500000a@chrismob> <20030915171438.GK9981@cygbert.vinschen.de> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-SW-Source: 2003-09/txt/msg01420.txt.bz2 At 05:23 PM 9/22/2003, Chris Rodgers you wrote: >> On Mon, Sep 15, 2003 at 05:35:20PM +0100, Chris Rodgers wrote: >> > OK. Here is an example of the way permissions leak out to "Everyone". I >> > create a new file, with no permissions granted to "other". Cygwin shows >this >> > to have worked OK. Yet in actual fact there is an ACL there giving >Everyone >> > some access rights. I usually choose not to have "Everyone" authorised >to do >> > anything on my Windows NT/2000 boxes, using Authorised Users instead. >This >> > way, without a valid login, you cannot get any information, including >> > usernames and ACLs. >> > >> > How can I stop cygwin setting these ACLs? >> >> Did you have a close look to the access rights granted to everyone? >> Otherwise, just don't use ntsec. >> >> Corinna >> >> > [...] >> > Everyone:(special access:) >> > READ_CONTROL >> > FILE_READ_EA >> > FILE_READ_ATTRIBUTES >> > >For the archives (NOT for release :-)), I think that a quick hack is to >redefine well_known_world_sid in src/winsup/cygwin/sec_helper.cc to be >"S-1-5-11" instead of "S-1-1-0". This refers to the "Authorized Users" >well-known group, instead of to "Everyone". Glad you found a resolution to this for your own needs but I have to say I'm with Corinna. I don't see how giving everyone read access to the security descriptor/attributes/extended attributes is a problem. The file still can't be accessed unless that information says that it can for the current user. -- Larry Hall http://www.rfk.com RFK Partners, Inc. (508) 893-9779 - RFK Office 838 Washington Street (508) 893-9889 - FAX Holliston, MA 01746 -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/