X-Recipient: | archive-cygwin AT delorie DOT com |
Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
List-Id: | <cygwin.cygwin.com> |
List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
List-Archive: | <http://sourceware.org/ml/cygwin/> |
List-Post: | <mailto:cygwin AT cygwin DOT com> |
List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
Sender: | cygwin-owner AT cygwin DOT com |
Mail-Followup-To: | cygwin AT cygwin DOT com |
Delivered-To: | mailing list cygwin AT cygwin DOT com |
Authentication-Results: | sourceware.org; auth=none |
X-Virus-Found: | No |
X-Spam-SWARE-Status: | No, score=4.5 required=5.0 tests=AWL,BAYES_50,FREEMAIL_FROM,KAM_THEBAT,SPF_SOFTFAIL autolearn=no version=3.3.2 |
X-HELO: | smtpback.ht-systems.ru |
Date: | Sat, 2 Nov 2013 21:47:06 +0400 |
From: | Andrey Repin <anrdaemon AT yandex DOT ru> |
Reply-To: | Andrey Repin <cygwin AT cygwin DOT com> |
Message-ID: | <1709690551.20131102214706@mtu-net.ru> |
To: | "Brian S. Wilson" <wilson AT ds DOT net>, cygwin AT cygwin DOT com |
Subject: | Re: vi stealing SYSTEM-owned permissions and ownership |
In-Reply-To: | <D7F32E9AFFD647458EB73E4ECBC03F3E@NCC1701> |
References: | <5274F396 DOT A133C4CE AT boland DOT nl> <D7F32E9AFFD647458EB73E4ECBC03F3E AT NCC1701> |
MIME-Version: | 1.0 |
X-IsSubscribed: | yes |
Greetings, Brian S. Wilson!

>> I'm a Linux teacher at a school for vocational education in the Netherlands.
>> I use Cygwin to help my students overcome their fear of the command line by
>> showing them their Windows systems through the eyes of Linux.
> ...
>> After a chgrp and chmod on the entire Apache folder, the "conf" directory
>> looks like this:
>>
>> drwxrwx---+ 1 SYSTEM apache 0 28 okt 20:43 .
>> drwxrwx---+ 1 SYSTEM apache 0 2 nov 13:10 ..
>> -rwxrwx---+ 1 SYSTEM apache 35142 26 okt 18:07 httpd.conf
>> -rwxrwx---+ 1 SYSTEM apache 34770 7 okt 23:29 httpd.default.conf
>> -rwxrwx---+ 1 SYSTEM apache 13340 3 okt 07:59 magic
>> -rwxrwx---+ 1 SYSTEM apache 13340 21 nov 2004 magic.default
>> -rwxrwx---+ 1 SYSTEM apache 54599 3 okt 07:59 mime.types
>> -rwxrwx---+ 1 SYSTEM apache 54599 17 mrt 2012 mime.types.default
>> -rwxrwx---+ 1 SYSTEM apache 9390 5 feb 2013 openssl.cnf
>> -rwxrwx---+ 1 SYSTEM apache 11050 3 okt 07:59 ssl.conf
>> -rwxrwx---+ 1 SYSTEM apache 11030 7 okt 23:29 ssl.default.conf
>>
>> My students can now administer Apache without running Cygwin "As
>> administrator".

> Your statement may not be quite accurate. The Cygwin Apache instance
> appears to be running as the "SYSTEM" user since that is the file owner, but
> your students can administer the files because they are members of the
> "apache" group. I can't really tell which user id is running your Apache
> process because I don't know how you are actually starting the Apache
> process. Most production Apache instances do not run as the "root" user
> since this is a security risk.

> If my guess about the Apache process owner is correct, please make your
> students aware that if someone hacks their Cygwin Apache servers, the hacker
> may gain the same user access rights as the user id actually running the
> Apache process. The Apache process owner would normally be a unique user
> account with no login or access privileges to protect the server from
> successful attacks (just because your Apache files are owned by "SYSTEM",
> Apache could be started under another, less privileged, user id for better
> protection; but it is common practice to have the file owner also be the
> user id that normally executes the file). It is common to see a "nobody"
> user as the owner of Apache in production systems.

> I've spent some time over several years trying to figure out how to get
> Apache working as a "nobody" user under Cygwin. I've never succeeded in
> getting it to work properly, and my comments to this board have not yielded
> an answer. I don't think it is possible to make Apache work this way
> under Cygwin, but your students should be made aware of this difference.

> If anyone is aware of how to get Apache working using a restricted "nobody"
> user id under Cygwin, please respond (or start a new thread).

I can't imagine a lot of reasons to not use native Windows Apache server,
which is much better adapted for running in Windows security environment.

--
WBR,
Andrey Repin (anrdaemon AT yandex DOT ru) 02.11.2013, <21:44>

Sorry for my terrible English...

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
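
Added example (not part of the original message, and not Cygwin's or Apache's own code): a shell sketch of the check the thread turns on, comparing the account an Apache instance is configured to run as with the account that actually owns the running process. The privileged-account list, the sample httpd.conf lines and the sample `ps -ef` output are constructed assumptions.

```shell
#!/bin/sh
# Added example: report which account an Apache instance runs as.
# The list of privileged account names is an assumption for this sketch.
PRIVILEGED_ACCOUNTS="root SYSTEM Administrator"

# Print the last active "User" directive from httpd.conf text on stdin.
# Directive names are case-insensitive; lines starting with '#' are comments.
conf_user() {
    awk 'tolower($1) == "user" { u = $2 } END { if (u != "") print u }'
}

# Print the distinct owners of httpd processes from `ps -ef` text on stdin.
# Assumes the owner is column 1 and the command path is the last column.
proc_owners() {
    awk 'NR > 1 && $NF ~ /(^|\/)httpd[0-9]*$/ { print $1 }' | sort -u
}

# Classify one account name: privileged | unprivileged | unset.
classify_account() {
    if [ -z "$1" ]; then echo unset; return 0; fi
    for p in $PRIVILEGED_ACCOUNTS; do
        if [ "$1" = "$p" ]; then echo privileged; return 0; fi
    done
    echo unprivileged
}

# Constructed sample input (not taken from the thread).
sample_conf() {
    printf '%s\n' '# User SYSTEM' 'ServerRoot "/etc/apache2"' \
        'User nobody' 'Group apache'
}
sample_ps() {
    printf '%s\n' '     UID     PID    PPID  TTY        STIME COMMAND' \
        '  SYSTEM    1204       1 ?        20:43:10 /usr/sbin/httpd2' \
        ' student    2310    2298 pty0     21:02:55 /usr/bin/vi'
}

# Show the configured account next to the real process owner(s).
report() {
    cu=$(sample_conf | conf_user)
    echo "configured User: ${cu:-<none>} ($(classify_account "$cu"))"
    sample_ps | proc_owners | while read -r owner; do
        echo "running httpd owner: $owner ($(classify_account "$owner"))"
    done
}
report
```

On a live system, feed `conf_user` the real httpd.conf and `proc_owners` the output of `ps -ef`; a mismatch between the two results means the configured account is not the one the process is actually running under.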