Message-ID: | <51A753F8.90005@openafs.org> |
Date: | Thu, 30 May 2013 09:28:24 -0400 |
From: | Jeffrey Altman <jaltman AT openafs DOT org> |
To: | cygwin AT cygwin DOT com |
Subject: | Re: Using native symlinks |
In-Reply-To: | <20130530090326.GJ4471@calimero.vinschen.de> |
Reply-To: | jaltman AT openafs DOT org |
On 5/30/2013 5:03 AM, Corinna Vinschen wrote:
> On the other hand, in the same situation the UAC-crippled admin's token
> does not contain the "Create symbolic links" right:
>
>   $ /cygdrive/c/Windows/System32/whoami /priv
>
>   PRIVILEGES INFORMATION
>   ----------------------
>
>   Privilege Name                Description                          State
>   ============================= ==================================== ========
>   SeShutdownPrivilege           Shut down the system                 Disabled
>   SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
>   SeUndockPrivilege             Remove computer from docking station Disabled
>   SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
>   SeTimeZonePrivilege           Change the time zone                 Disabled
>
> I also changed the "Create symbolic links" policy so that the "Users"
> group is the only group getting this right.  In other words, I removed
> the "Administrators" group entirely, logged off, logged on, and the
> result was the same as above.
>
> This is a bug in UAC if you ask me.  It seems to remove privileges from
> the UAC-crippled admin's token based on a fixed internal list, totally
> ignorant of changes in the security policy.

This is a design flaw but it is working as documented. Administrators
have SeCreateSymbolicLinkPrivilege by default so UAC removes it. What
UAC should do in my opinion is not remove a static list of permissions
but only remove those permissions that are not granted to standard users.

If your organization is a user of native symlinks and you have a support
agreement with Microsoft, I recommend filing a support request to have
this behavior changed.

Jeffrey Altman
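The following is an added example, not part of the message above or of any Windows or Cygwin code. It is a simplified Python model that contrasts the fixed-list filtering observed in the quoted `whoami /priv` output with the policy-aware filtering suggested in the reply. The function names, the sample policy and the group sets are assumptions made for illustration.

```python
# Simplified model of the behaviour discussed in this thread; not Windows code.
# Privileges left in the filtered token, taken from the whoami /priv output
# quoted in the message above.
KEPT_IN_FILTERED_TOKEN = frozenset({
    "SeShutdownPrivilege",
    "SeChangeNotifyPrivilege",
    "SeUndockPrivilege",
    "SeIncreaseWorkingSetPrivilege",
    "SeTimeZonePrivilege",
})


def full_token(policy, groups):
    """Privileges held before filtering: every right whose policy entry
    names at least one of the user's groups."""
    return {priv for priv, grantees in policy.items() if grantees & groups}


def static_filter(privs):
    """Observed behaviour: keep a fixed set, ignoring the security policy."""
    return privs & KEPT_IN_FILTERED_TOKEN


def policy_aware_filter(privs, policy, standard_groups):
    """Suggested behaviour: drop only what standard users are not granted."""
    return {p for p in privs if policy[p] & standard_groups}


# Constructed sample policy (assumption). The last entry mirrors the change
# described in the quoted text: "Create symbolic links" granted to "Users" only.
POLICY = {
    "SeShutdownPrivilege": {"Administrators", "Users"},
    "SeChangeNotifyPrivilege": {"Administrators", "Users"},
    "SeDebugPrivilege": {"Administrators"},
    "SeCreateSymbolicLinkPrivilege": {"Users"},
}
ADMIN_GROUPS = {"Administrators", "Users"}   # groups of the admin account
STANDARD_GROUPS = {"Users"}                  # groups of a standard user


def compare():
    """Return (static result, policy-aware result) for the admin account."""
    before = full_token(POLICY, ADMIN_GROUPS)
    return (static_filter(before),
            policy_aware_filter(before, POLICY, STANDARD_GROUPS))


if __name__ == "__main__":
    static, aware = compare()
    print("static filter      :", sorted(static))
    print("policy-aware filter:", sorted(aware))
```

In this model both filters drop `SeDebugPrivilege`, but only the policy-aware one keeps `SeCreateSymbolicLinkPrivilege` once the policy grants it to "Users".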