Mail Archives: cygwin/2006/01/18/10:25:08
And ... in the problematic server the "Administrators" group has this
privilege:
Take ownership of files or other objects
(SeTakeOwnershipPrivilege)
Allows a user to take ownership of any securable object in the system,
including Active Directory objects, NTFS files and folders, printers,
registry keys, services, processes, and threads.
Default setting: Administrators.
So, I don't know why the new files created by ssh-host-config can be changed
to be owned by SYSTEM...
Any idea?
> -----Original Message-----
> From: cygwin-owner AT cygwin DOT com
> [mailto:cygwin-owner AT cygwin DOT com] On Behalf Of Manel Rodero
> Sent: Wednesday, January 18, 2006 4:06 PM
> To: cygwin AT cygwin DOT com
> Subject: RE: Which privileges required by ssh-host-config running user?
>
>
> >
> > Because you are bound by the laws of NTFS access control
> > entries. Having rights to write to a file doesn't mean you are
> > allowed to change its owner. You need permissions to change
> > the directory the files are in.
> > And getting this right is easier in Windows than in Cygwin.
> > Use cacls to look at etc and the files.
> >
> >
>
> Yes, I've looked into /etc and /etc/ssh* files. /etc directory is created by
> the setup process. The ssh* files are created by the ssh-host-config script.
>
> I know that the problem is with ACLs in the NTFS files but I would like to
> know why this problem only occurs in these servers (casually all of them are
> in a Windows domain). Does the process of joining a domain change something
> in the local Administration account?
>
> In a working server:
>
> C:\cygwin\etc>cacls .
> C:\cygwin\etc Everyone:(OI)(CI)F
>
> ---> the script has changed the ACL to SYSTEM !!!
>
> C:\cygwin\etc>cacls ssh_config
> C:\cygwin\etc\ssh_config NT AUTHORITY\SYSTEM:(special access:)
> STANDARD_RIGHTS_ALL
> DELETE
> READ_CONTROL
> WRITE_DAC
> WRITE_OWNER
> SYNCHRONIZE
> STANDARD_RIGHTS_REQUIRED
> FILE_GENERIC_READ
> FILE_GENERIC_WRITE
> FILE_GENERIC_EXECUTE
> FILE_READ_DATA
> FILE_WRITE_DATA
> FILE_APPEND_DATA
> FILE_READ_EA
> FILE_WRITE_EA
> FILE_EXECUTE
> FILE_READ_ATTRIBUTES
> FILE_WRITE_ATTRIBUTES
>
> SERVEROK\None:R
> Everyone:R
>
> In the problematic servers (the ACLs are the default ones because the
> ssh-host-config script can't change them):
>
> C:\cygwin\etc>cacls .
> C:\cygwin\etc Everyone:(OI)(CI)F
>
> ---> The Default ACLs of the files created by ssh-host-config (Administrator
> doesn't have full control over the files; but Administrator is the owner of
> the files)
>
> C:\cygwin\etc>cacls sshd_config
> C:\cygwin\etc\sshd_config SERVERWRONG\Administrator:(special access:)
> STANDARD_RIGHTS_ALL
> DELETE
> READ_CONTROL
> WRITE_DAC
> WRITE_OWNER
> SYNCHRONIZE
> STANDARD_RIGHTS_REQUI
> FILE_GENERIC_READ
> FILE_GENERIC_WRITE
> FILE_READ_DATA
> FILE_WRITE_DATA
> FILE_APPEND_DATA
> FILE_READ_EA
> FILE_WRITE_EA
> FILE_READ_ATTRIBUTES
> FILE_WRITE_ATTRIBUTES
>
> SERVERWRONG\None:(special access:)
> READ_CONTROL
> SYNCHRONIZE
> FILE_GENERIC_READ
> FILE_READ_DATA
> FILE_READ_EA
> FILE_READ_ATTRIBUTES
>
> Everyone:(special access:)
> READ_CONTROL
> SYNCHRONIZE
> FILE_GENERIC_READ
> FILE_READ_DATA
> FILE_READ_EA
> FILE_READ_ATTRIBUTES
>
> So, which RIGHTS does the Administrator account need to be able to change the
> owner of a file?
>
> Thank you.
>
>
> --
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
> Problem reports: http://cygwin.com/problems.html
> Documentation: http://cygwin.com/docs.html
> FAQ: http://cygwin.com/faq/
>
>
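Added example, not part of the original message or of Cygwin: a small Python parser for the cacls listings quoted above, so the ACLs of the working and the problematic server can be compared entry by entry instead of by eye. The function names are hypothetical, and the two sample listings are constructed and abridged from the ones in the message.

```python
import re

def parse_cacls(text, path):
    """Parse `cacls <path>` output into {trustee: set of rights}."""
    acl, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(path):        # only the first line carries the path
            line = line[len(path):].strip()
        if not line:
            continue
        m = re.match(r"^(.+?):(.+)$", line)
        if m:                            # "TRUSTEE:rights" opens a new entry
            current, rest = m.group(1), m.group(2)
            acl[current] = set() if rest == "(special access:)" else {rest}
        elif current is not None:        # one right of a "(special access:)" entry
            acl[current].add(line)
    return acl

def first_entry_diff(a, b):
    """Rights in the first entry of ACL `a` that the first entry of `b` lacks."""
    return sorted(next(iter(a.values())) - next(iter(b.values())))

def holders(acl, right):
    """Trustees whose entry lists `right` explicitly."""
    return sorted(t for t, rights in acl.items() if right in rights)

# Constructed samples, abridged from the two listings quoted in the message.
OK_PATH, WRONG_PATH = r"C:\cygwin\etc\ssh_config", r"C:\cygwin\etc\sshd_config"
OK_OUT = r"""C:\cygwin\etc\ssh_config NT AUTHORITY\SYSTEM:(special access:)
WRITE_DAC
WRITE_OWNER
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_EXECUTE

SERVEROK\None:R
Everyone:R"""
WRONG_OUT = r"""C:\cygwin\etc\sshd_config SERVERWRONG\Administrator:(special access:)
WRITE_DAC
WRITE_OWNER
FILE_GENERIC_READ

SERVERWRONG\None:(special access:)
FILE_GENERIC_READ"""

if __name__ == "__main__":
    ok, wrong = parse_cacls(OK_OUT, OK_PATH), parse_cacls(WRONG_OUT, WRONG_PATH)
    print(first_entry_diff(ok, wrong), holders(wrong, "WRITE_OWNER"))
```

The parser needs the path given to cacls because the first output line is prefixed with it and the path itself contains a colon.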