public inbox for cygwin@cygwin.com
* Admin can read user file from bash, despite permissions
@ 2008-04-10  8:32 Gmane User
  2008-04-10  8:43 ` Brian Dessent
  2008-04-10  8:59 ` Corinna Vinschen
  0 siblings, 2 replies; 6+ messages in thread
From: Gmane User @ 2008-04-10  8:32 UTC
  To: cygwin

I have a power user file that has go-rwx.  However, the administrator
account can "less" the contents from a bash command line.  This is
both logging onto Windows 2000 as admin, as well as ssh'ing in
(loopback) from the power user log-in session.  The administrator can
also "mv" the file to a different name, but it can't create a new file
in the same folder e.g. by "cp".

CACLS shows an extensive set of permissions for the power user owner,
but only READ_CONTROL, FILE_READ_EA, & FILE_READ_ATTRIBUTES for
LaptopName\None and Everyone.  I've come across nothing on the web
(yet) about a special privilege that allows administrators the level
of access that it seems to have.  In fact, if I just open up a DOS
shell as Administrator, I cannot "more" the said file.  So it seems to
be specific to Cygwin rather than Windows.

I've read up on ntsec in the Cygwin user guide, but nothing seems to
explain the admin access to the file.  However, it is new material to
me, so I might be missing it.  If the explanation is there, could
someone point to the particular paragraph, and perhaps elaborate on
how that explains the access I observe?  If the explanation isn't
there, what is the explanation?

Thanks.


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

* Re: Admin can read user file from bash, despite permissions
  2008-04-10  8:32 Admin can read user file from bash, despite permissions Gmane User
@ 2008-04-10  8:43 ` Brian Dessent
  2008-04-10 15:20   ` Gmane User
  2008-04-10  8:59 ` Corinna Vinschen
  1 sibling, 1 reply; 6+ messages in thread
From: Brian Dessent @ 2008-04-10  8:43 UTC
  To: cygwin

Gmane User wrote:

> CACLS shows an extensive set of permissions for the power user owner,
> but only READ_CONTROL, FILE_READ_EA, & FILE_READ_ATTRIBUTES for
> LaptopName\None and Everyone.  I've come across nothing on the web
> (yet) about a special privilege that allows administrators the level
> of access that it seems to have.  In fact, if I just open up a DOS
> shell as Administrator, I cannot "more" the said file.  So it seems to
> be specific to Cygwin rather than Windows.

Um: <http://cygwin.com/ml/cygwin/2008-04/msg00218.html>

This is the relevant part:

> Cygwin uses this to simulate the unix semantics of "root" (i.e. total
> access to anything regardless of permissions)

Brian


* Re: Admin can read user file from bash, despite permissions
  2008-04-10  8:32 Admin can read user file from bash, despite permissions Gmane User
  2008-04-10  8:43 ` Brian Dessent
@ 2008-04-10  8:59 ` Corinna Vinschen
  2008-04-10 15:25   ` Gmane User
  1 sibling, 1 reply; 6+ messages in thread
From: Corinna Vinschen @ 2008-04-10  8:59 UTC
  To: cygwin

On Apr 10 04:19, Gmane User wrote:
> I have a power user file that has go-rwx.  However, the administrator
> account can "less" the contents from a bash command line.  This is
> both logging onto Windows 2000 as admin, as well as ssh'ing in
> (loopback) from the power user log-in session.  The administrator can
> also "mv" the file to a different name, but it can't create a new file
> in the same folder e.g. by "cp".
>
> CACLS shows an extensive set of permissions for the power user owner,
> but only READ_CONTROL, FILE_READ_EA, & FILE_READ_ATTRIBUTES for
> LaptopName\None and Everyone.  I've come across nothing on the web
> (yet) about a special privilege that allows administrators the level
> of access that it seems to have.  In fact, if I just open up a DOS
> shell as Administrator, I cannot "more" the said file.  So it seems to
> be specific to Cygwin rather than Windows.
> [...]
> what is the explanation?

The secret word for tonight is "Privileges".  See
http://msdn2.microsoft.com/en-us/library/bb530716(vs.85).aspx

Administrators have the SE_BACKUP_NAME privilege by default.  Cygwin
opens the files with the FILE_FLAG_BACKUP_SEMANTICS flag set, see
http://msdn2.microsoft.com/en-us/library/aa363858.aspx So, all accounts
with the backup privilege (usually admins and backup operators) can open
all files.  That's the same as with the "root" user on UNIX.

It does not work with the standard Windows tools, because these tools
don't open files with FILE_FLAG_BACKUP_SEMANTICS.  Sort of an
obfuscation, if you ask me.

cp doesn't work because the current release of Cygwin doesn't use
the FILE_FLAG_BACKUP_SEMANTICS flag in every necessary place so far.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
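
Added example, not part of the original messages and not Cygwin code: since any account holding the backup privilege can open every file through a program that passes FILE_FLAG_BACKUP_SEMANTICS, this sketch lists who holds it by parsing the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS /cfg rights.inf` export. The sample export, the `svc_deploy` account and the allow-list of expected holders are constructed assumptions; SeRestorePrivilege is included as the write-side counterpart, which the thread does not discuss.

```python
import configparser

# Privileges that let a process open files regardless of the file's DACL
# when it passes FILE_FLAG_BACKUP_SEMANTICS (backup = read, restore = write).
DACL_BYPASS = ("SeBackupPrivilege", "SeRestorePrivilege")

# Assumed allow-list: well-known SIDs of the groups the thread names as usual holders.
EXPECTED = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

# Constructed sample of a secedit USER_RIGHTS export; svc_deploy is hypothetical.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,svc_deploy
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

def bypass_holders(inf_text):
    """Map each DACL-bypassing privilege to the principals assigned to it."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep privilege names in their exported case
    cp.read_string(inf_text)
    holders = {}
    if not cp.has_section("Privilege Rights"):
        return holders
    for priv in DACL_BYPASS:
        raw = cp.get("Privilege Rights", priv, fallback="")
        # SIDs are exported with a leading '*', account names without one.
        holders[priv] = [p.strip().lstrip("*") for p in raw.split(",") if p.strip()]
    return holders

def unexpected_holders(inf_text):
    """Return (privilege, principal) pairs that are not on the allow-list."""
    return [(priv, who) for priv, names in bypass_holders(inf_text).items()
            for who in names if who not in EXPECTED]

if __name__ == "__main__":
    for priv, names in bypass_holders(SAMPLE_INF).items():
        print(priv, "->", [EXPECTED.get(n, n) for n in names])
    print("review:", unexpected_holders(SAMPLE_INF))
```

A real export is usually UTF-16 encoded, so decode it accordingly before passing the text to `bypass_holders`.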


* Re: Admin can read user file from bash, despite permissions
  2008-04-10  8:43 ` Brian Dessent
@ 2008-04-10 15:20   ` Gmane User
  2008-04-10 16:13     ` Gmane User
  0 siblings, 1 reply; 6+ messages in thread
From: Gmane User @ 2008-04-10 15:20 UTC
  To: cygwin

Brian Dessent wrote:
> Gmane User wrote:
> 
>> CACLS shows an extensive set of permissions for the power user owner,
>> but only READ_CONTROL, FILE_READ_EA, & FILE_READ_ATTRIBUTES for
>> LaptopName\None and Everyone.  I've come across nothing on the web
>> (yet) about a special privilege that allows administrators the level
>> of access that it seems to have.  In fact, if I just open up a DOS
>> shell as Administrator, I cannot "more" the said file.  So it seems to
>> be specific to Cygwin rather than Windows.
> 
> Um: <http://cygwin.com/ml/cygwin/2008-04/msg00218.html>
> 
> This is the relevant part:
> 
>> Cygwin uses this to simulate the unix semantics of "root" (i.e. total
>> access to anything regardless of permissions)


Thanks for reiterating, Brian.



* Re: Admin can read user file from bash, despite permissions
  2008-04-10  8:59 ` Corinna Vinschen
@ 2008-04-10 15:25   ` Gmane User
  0 siblings, 0 replies; 6+ messages in thread
From: Gmane User @ 2008-04-10 15:25 UTC
  To: cygwin

Corinna Vinschen wrote:
> On Apr 10 04:19, Gmane User wrote:
>> I have a power user file that has go-rwx.  However, the administrator
>> account can "less" the contents from a bash command line.  This is
>> both logging onto Windows 2000 as admin, as well as ssh'ing in
>> (loopback) from the power user log-in session.  The administrator can
>> also "mv" the file to a different name, but it can't create a new file
>> in the same folder e.g. by "cp".
>>
>> CACLS shows an extensive set of permissions for the power user owner,
>> but only READ_CONTROL, FILE_READ_EA, & FILE_READ_ATTRIBUTES for
>> LaptopName\None and Everyone.  I've come across nothing on the web
>> (yet) about a special privilege that allows administrators the level
>> of access that it seems to have.  In fact, if I just open up a DOS
>> shell as Administrator, I cannot "more" the said file.  So it seems to
>> be specific to Cygwin rather than Windows.
>> [...]
>> what is the explanation?
> 
> The secret word for tonight is "Privileges".  See
> http://msdn2.microsoft.com/en-us/library/bb530716(vs.85).aspx
> 
> Administrators have the SE_BACKUP_NAME privilege by default.  Cygwin
> opens the files with the FILE_FLAG_BACKUP_SEMANTICS flag set, see
> http://msdn2.microsoft.com/en-us/library/aa363858.aspx So, all accounts
> with the backup privilege (usually admins and backup operators) can open
> all files.  That's the same as with the "root" user on UNIX.
> 
> It does not work with the standard Windows tools, because these tools
> don't open files with FILE_FLAG_BACKUP_SEMANTICS.  Sort of an
> obfuscation, if you ask me.
> 
> cp doesn't work because the current release of Cygwin doesn't use
> the FILE_FLAG_BACKUP_SEMANTICS flag in every necessary place so far.

Thank you, Corinna.  That was very informative.

BTW, I found this site to be invaluable for those ramping up:
http://www.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsAPrivilege.html

Cheers!



* Re: Admin can read user file from bash, despite permissions
  2008-04-10 15:20   ` Gmane User
@ 2008-04-10 16:13     ` Gmane User
  0 siblings, 0 replies; 6+ messages in thread
From: Gmane User @ 2008-04-10 16:13 UTC
  To: cygwin

Gmane User wrote:
> Brian Dessent wrote:
>> Gmane User wrote:
>>
>>> CACLS shows an extensive set of permissions for the power user owner,
>>> but only READ_CONTROL, FILE_READ_EA, & FILE_READ_ATTRIBUTES for
>>> LaptopName\None and Everyone.  I've come across nothing on the web
>>> (yet) about a special privilege that allows administrators the level
>>> of access that it seems to have.  In fact, if I just open up a DOS
>>> shell as Administrator, I cannot "more" the said file.  So it seems to
>>> be specific to Cygwin rather than Windows.
>>
>> Um: <http://cygwin.com/ml/cygwin/2008-04/msg00218.html>
>>
>> This is the relevant part:
>>
>>> Cygwin uses this to simulate the unix semantics of "root" (i.e. total
>>> access to anything regardless of permissions)
> 
> 
> Thanks for reiterating, Brian.

Oh, I should have mentioned that Diskeeper probably uses the privilege since it managed to defrag the files that the built-in defragger, JkDefrag, and Ultra Defragmenter could not.

