public inbox for cygwin@cygwin.com
* How to disable the default bypass of the ACL permissions checking in Cygwin
@ 2021-05-25 16:44 Sandy
  2021-05-25 19:44 ` Andrey Repin
  0 siblings, 1 reply; 3+ messages in thread
From: Sandy @ 2021-05-25 16:44 UTC (permalink / raw)
  To: cygwin; +Cc: pedro

Hi there,

We are from the NGO Centro de Autonomia Digital (CAD) based in Quito,
Ecuador. We have been using Msys2 to test our project Coyim
(http://github.com/coyim/coyim) in Windows environments.

The tests are currently running on GitHub Actions, using the Windows
Server 2019 Datacenter.

We have one specific test case that is failing because of interesting
behavior in Msys2. The full description of the issue is available at the
following link:

https://github.com/msys2/msys2-runtime/issues/45

Thanks to the help of one of the Msys2 developers, we found that Cygwin
bypasses the checking of the Windows ACL permissions when it runs with
administrative privileges.

We would like to know if it is possible to change this behavior of
Cygwin or at least have his point of view of how we could control the
permissions even in this scenario.

Thank you very much for your help on this, and thanks to all the team
behind the amazing Cygwin product.

Cheers.





* Re: How to disable the default bypass of the ACL permissions checking in Cygwin
  2021-05-25 16:44 How to disable the default bypass of the ACL permissions checking in Cygwin Sandy
@ 2021-05-25 19:44 ` Andrey Repin
  2021-05-25 20:16   ` Achim Gratz
  0 siblings, 1 reply; 3+ messages in thread
From: Andrey Repin @ 2021-05-25 19:44 UTC (permalink / raw)
  To: Sandy, cygwin

Greetings, Sandy!

> We are from the NGO Centro de Autonomia Digital (CAD) based in Quito,
> Ecuador. We have been using Msys2 to test our project Coyim
> (http://github.com/coyim/coyim) in Windows environments.

> The tests are currently running on GitHub Actions, using the Windows
> Server 2019 Datacenter.

> We have one specific test case that is failing because of interesting
> behavior in Msys2. The full description of the issue is available at the
> following link:

> https://github.com/msys2/msys2-runtime/issues/45

> Thanks to the help of one of the Msys2 developers, we found that Cygwin
> bypasses the checking of the Windows ACL permissions when it runs with
> administrative privileges.

That's literally not possible. A more likely explanation is that the Administrators
group has full access to the object in question.

Please provide the output from icacls and getfacl utilities.

> We would like to know if it is possible to change this behavior of
> Cygwin or at least have his point of view of how we could control the
> permissions even in this scenario.

Unless you can supply an adequate test case, this looks more like a
misunderstanding of sorts.


-- 
With best regards,
Andrey Repin
Tuesday, May 25, 2021 22:39:27

Sorry for my terrible english...



* Re: How to disable the default bypass of the ACL permissions checking in Cygwin
  2021-05-25 19:44 ` Andrey Repin
@ 2021-05-25 20:16   ` Achim Gratz
  0 siblings, 0 replies; 3+ messages in thread
From: Achim Gratz @ 2021-05-25 20:16 UTC (permalink / raw)
  To: cygwin

Andrey Repin via Cygwin writes:
> That's literally not possible. A more likely explanation is that the Administrators
> group has full access to the object in question.

They don't.  The issue at hand is that Cygwin uses SeBackupPrivilege and
SeRestorePrivilege if otherwise the object in question would not be
accessible.  The moral of the story is to drop those privileges /
capabilities when you don't need them via cygdrop or just don't use an
administrative account that comes with them in the first place.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Samples for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldSamplesExtra
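
A pre-flight check for the condition described in the last reply, as an added example that is not part of the thread or of Cygwin: it reads the text of Windows `whoami /priv` on stdin and reports whether the token still holds SeBackupPrivilege or SeRestorePrivilege. The function names and both sample outputs are constructed for illustration. A privilege listed as Disabled still counts, because a process can enable any privilege that is present in its token.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample data).
# Input on stdin: the text printed by the Windows command `whoami /priv`.

# Print "<privilege> <state>" for each ACL-bypassing privilege in the token.
# Exit status 1 if at least one is present, 0 if the token holds neither.
held_bypass_privs() {
    awk '
        $1 == "SeBackupPrivilege" || $1 == "SeRestorePrivilege" {
            sub(/\r$/, "", $NF)   # Windows tools emit CRLF line endings
            print $1 " " $NF
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: an elevated administrative token.
sample_admin_token() {
    printf '%s\r\n' \
        'PRIVILEGES INFORMATION' \
        '----------------------' \
        '' \
        'Privilege Name                Description                    State' \
        '============================= ============================== ========' \
        'SeBackupPrivilege             Back up files and directories  Disabled' \
        'SeRestorePrivilege            Restore files and directories  Enabled' \
        'SeChangeNotifyPrivilege       Bypass traverse checking       Enabled'
}

# Constructed sample: a token with the two privileges removed.
sample_dropped_token() {
    printf '%s\r\n' \
        'Privilege Name                Description                    State' \
        '============================= ============================== ========' \
        'SeChangeNotifyPrivilege       Bypass traverse checking       Enabled'
}

# Demo: a permission test run from the first token would not exercise the ACL.
if ! sample_admin_token | held_bypass_privs; then
    echo "token holds backup/restore privileges: ACL denials will not be enforced" >&2
fi
```

In a CI job, pipe the real `whoami /priv` output into `held_bypass_privs` before the permission tests and fail the job on a non-zero status.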

