delorie.com/archives/browse.cgi   search  
Mail Archives: cygwin/2002/11/19/17:00:29

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <3DDAB456.4000303@csgsystems.com>
Date: Tue, 19 Nov 2002 22:59:50 +0100
From: Christian Mueller <Christian_Mueller AT csgsystems DOT com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1) Gecko/20020826
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: .rhosts on W2K w/o ntsec
X-Scanned-By: MIMEDefang 2.15 (www dot roaringpenguin dot com slash mimedefang)

Thanks again for your help!

 > What do you mean "setting new userids"? It is safe to turn ntsec
 > off in the /etc/profile or ~/.bash_profile sourced by the login
 > shell. Of course the login shell itself will still have ntsec on,
 > so it needs to reexec itself after turning ntsec off.

I was thinking of daemons such as inetd, sshd, etc. setting new user 
IDs (contexts, whatever) after the login as such has succeeded. I 
didn't have the time so far to look up how Cygwin handles this case, 
thus my concerns about inheriting the CYGWIN envionment variable.

Given your question, I take it that Cygwin will pass the CYGWIN 
variable to all sub-processes regardless whether or not the user ID 
has changed. This would rule-out my biggest concern regarding 
different CYGWIN variable settings for inetd clients and local logins.

 >> Another problem would be that other services which don't
 >> start shells such as the IPC daemon, apache, etc. would end
 >> up using ntsec.

 > Not sure if that's really a problem. At any rate that can be
 > controlled with the -e argument of cygrunsrv, but I don't know
 > what will happen in each case.

The problem with this (regardless of the -e option in cygrunsrv) is 
that the environment being active for the service (e.g. 
"CYGWIN=ntsec") cannot be changed at a later time unless the service 
starts some shell-like process which will execute something like 
/etc/profile. In other words, the service will execute with "ntsec" 
being active and there's no way to turn it off.

 >> Wouldn't it be a good idea to store uid and gid in the extended
 >> attributes as well and use them if ntsec is turned off? At least
 >> for me this would be the perfect solution....

 > They are, of course, but Cygwin does not report them when ntsec is
 > off. Changing that behavior would probably hurt other users. Asking
 > for a special "cmueller" field to CYGWIN is unlikely to yield a
 > positive reply.

Hmpff! I'm not asking for any special treatment for myself. If that 
was the case, I would take the source and implement whatever I think 
would be useful instead of going to the public cygwin mailing list....

Having said that, I agree that it's probably dangerous to simply 
change the current behaviour (i.e. UIDs and GIDs are stored in EAs but 
not used unless "ntsec" is turned on as well). However, it would be 
possible to safely change this behaviour based on a new token (e.g. 
ntea_uid or whatever).

 > I have reread your original e-mail and I don't fully understand
 > why nontsec helps you. The reasons you give are not compelling.
 > Even with nontsec, the files you create are not owned by
 > Administrators.

Actually, they *are* owned by Administrators *if* they are created by 
Windows apps. As soon as a Windows user is part of the Administrators 
group, all files created by this user will automatically be owned by 
the Administrators group (again, I'm talking about Windows apps here, 
not Cygwin apps).

I had problems in the past (around 1 year ago) with files created by 
JBuilder5 from Borland -- I had ntsec turned-on at this time and ran 
into problems when I committed the resulting files with cvs (Cygwin) 
because the source files were owned by "Administrators" and had stupid 
permissions (something like 0777).

I thought quite a while about a solution for my dilemma and ended up 
using "ntea nontsec" because this is the only way how I can share 
Cygwin directories with Windows applications without ending up 
changing file permissions each time Windows programs have 
updated/created some files.

 > Also, the directories created by Cygwin with ntsec do have
 > inheritance turned on. In fact that inheritance determines the
 > ACL of files created by Cygwin when ntsec is off, and also the
 > ACL created by most Windows applications. Incidentally you
 > can display these "stupid permissions" with getfacl and change
 > them with setfacl, so you could add Administrators if needed.

Hmmm.... it seems as if you mis-interpreted (is this a word?) my 
problem: The permissions set by Cygwin with "ntsec" are absolutely OK. 
I'm having problems with permissions set by *native* Windows programs 
when they create files in my Cygwin home directory....

 > Is your group Administrators? If not, wouldn't it help to change
 > it to that?

Yes, it is.

Pierre


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

- Raw text -


  webmaster     delorie software   privacy  
  Copyright © 2019   by DJ Delorie     Updated Jul 2019