Mail Archives: cygwin/2005/10/27/06:18:49
Chris Taylor wrote:
> When I say editing the registry, I'm talking about the ability to
> directly manipulate it with .reg files, regedit, or other registry
> editing tools.
You can block access to certain known tools like regedit. This does
*nothing* to block access to the registry itself, except for amateur
users that think regedit is the only way to access the registry.
Registry keys are full NT objects each with their own ACL, and so if you
*really* want to prevent someone from being able to edit the registry,
this is the *only* way. And doing so breaks lots of programs that
expect to be able to store their settings in HKCU. I suppose you could
allow specific write access to those keys that known programs need to
access, and deny everything else. But that would be an enormous amount
of work, and by the time you're done you'd have granted access to a
large portion of HKCU.
The point here is that regedit is only *one* way of arbitrarily
manipulating the registry, and a user that knows what he's doing will
*always* be able to get around this. Disabling regedit is *not* a form
of security, unless you define security as "keeping out casual users but
nothing else."
> Yes, you are able to make changes to HKCU, but not *directly*.
echo "1" > /proc/registry/HKEY_CURRENT_USER/Software/Foobar
Oh look, I just edited the registry directly. Okay, so you don't allow
Cygwin. So I compile a C program that takes a key+value on the command
line and calls RegSetValueEx(). Oh, so you disallow that filename or
checksum. So I make a different C program and call it something else.
There are an infinite number of programs that I can write and it's
impossible to block them all. The point here is that there is no such
thing as "blocking direct access" while still "letting some programs
write to the registry." Either it's writeable or it's not. If it is,
then the user can make arbitrary changes. There's no middle ground.
> Your method is flawed and destroys the existing setup, which is bad.
> I disable ALL aspects of regedit and other tools, and I know I'm not
> alone in this. It's perfectly normal and *common* to do it.
You can disable every piece of software that has ever existed in the
known universe, and I will still be able to make arbitrary registry
changes if I want -- provided that the desired HKCU key is writeable.
> The (l)user should *never* be allowed to edit the registry themselves.
> That's a recipe for disaster.
If you think it is possible to block "direct" editing of the registry
while still allowing HKCU to be writeable, then you are clearly mistaken
at how windows security works.
> Using a command that alters the registry as part of it's function, but
> does not allow the user to directly alter it is a very different
> ballgame. mount would be permissable. Some console app to directly edit
> the registry would not be.
There is absolutely no way for a sysadmin to block one and not the
other.
Brian
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
- Raw text -