To: cygwin AT cygwin DOT com
From: "D. Boland" <daniel AT boland DOT nl>
Subject: Re: vi stealing SYSTEM-owned permissions and ownership
Date: Sat, 02 Nov 2013 22:53:12 +0100
Message-ID: <52757448.81FE6C53@boland.nl>
References: <5274F396 DOT A133C4CE AT boland DOT nl> <D7F32E9AFFD647458EB73E4ECBC03F3E AT NCC1701>
"Brian S. Wilson" wrote:
>
> > I'm a Linux teacher at a school for vocational education in the
> > Netherlands.
> >
> > I use Cygwin to help my students overcome their fear of the command line
> > by showing them their Windows systems through the eyes of Linux.
> > ...
> > After a chgrp and chmod on the entire Apache folder, the "conf" directory
> > looks like this:
> >
> > drwxrwx---+ 1 SYSTEM apache     0 28 okt 20:43 .
> > drwxrwx---+ 1 SYSTEM apache     0  2 nov 13:10 ..
> > -rwxrwx---+ 1 SYSTEM apache 35142 26 okt 18:07 httpd.conf
> > -rwxrwx---+ 1 SYSTEM apache 34770  7 okt 23:29 httpd.default.conf
> > -rwxrwx---+ 1 SYSTEM apache 13340  3 okt 07:59 magic
> > -rwxrwx---+ 1 SYSTEM apache 13340 21 nov  2004 magic.default
> > -rwxrwx---+ 1 SYSTEM apache 54599  3 okt 07:59 mime.types
> > -rwxrwx---+ 1 SYSTEM apache 54599 17 mrt  2012 mime.types.default
> > -rwxrwx---+ 1 SYSTEM apache  9390  5 feb  2013 openssl.cnf
> > -rwxrwx---+ 1 SYSTEM apache 11050  3 okt 07:59 ssl.conf
> > -rwxrwx---+ 1 SYSTEM apache 11030  7 okt 23:29 ssl.default.conf
> >
> > My students can now administer Apache without running Cygwin "As
> > administrator".
>
> Your statement may not be quite accurate. The Cygwin Apache instance
> appears to be running as the "SYSTEM" user since that is the file owner, but
> your students can administer the files because they are members of the
> "apache" group. I can't really tell which user id is running your Apache
> process because I don't know how you are actually starting the Apache
> process. Most production Apache instances do not run as the "root" user
> since this is a security risk.
>
> If my guess about the Apache process owner is correct, please make your
> students aware that if someone hacks their Cygwin Apache servers, the hacker
> may gain the same user access rights as the user id actually running the
> Apache process. The Apache process owner would normally be a unique user
> account with no login or access privileges to protect the server from
> successful attacks (just because your Apache files are owned by "SYSTEM",
> Apache could be started under another, less privileged, user id for better
> protection; but it is common practice to have the file owner also be the
> user id that normally executes the file). It is common to see a "nobody"
> user as the owner of Apache in production systems.
>
> I've spent some time over several years trying to figure out how to get
> Apache working as a "nobody" user under Cygwin. I've never succeeded in
> getting it to work properly, and my comments to this board have not yielded
> an answer. I don't think it is possible to make Apache work this way
> under Cygwin, but your students should be made aware of this difference.
>
> If anyone is aware of how to get Apache working using a restricted "nobody"
> user id under Cygwin, please respond (or start a new thread).

Your concern is very real; I thought about that also.

First, in my student setup, Apache is not running under Cygwin. I used the .msi
distribution, available on the Apache website. This installs Apache as a native
Windows Service, and it can be configured using the Windows Services Control
Panel.

As to running as the SYSTEM user, I agree with you. In Linux, Apache is started
by root, and then immediately switches to the "nobody" user, so it is unable to
touch or even see the outside of its ServerRoot. In Windows, this mechanism does
not work. That is why the "User" and "Group" directives are left out of the
httpd.conf file in the Windows distribution.

I now have Apache running under the username "Daemon" which I created using the
standard Windows "Users" Control Panel. I put this user in my "apache" group
like this:

net localgroup apache Daemon /add

The tricky part was assigning the following permissions to the "Daemon" user:

* Log on as a service
* Act as part of the operating system

I did this in the "Local Security Settings" Control Panel, which can be found in
the "System Administration" Control Panel. It is also possible to bring it up by
running "secpol.msc" from the Start menu.

Finally, I configured Apache to run as user "Daemon" in the "Services" control
panel (services.msc).

Daniel

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
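The steps Daniel describes (create a local account, add it to the "apache" group, grant it the service logon right, point the service at it) can be done without clicking through secpol.msc and services.msc. The script below is an added example written for this archive page; it is not code from the thread, from Cygwin or from the Apache project. It assumes a natively installed Apache registered as the service "Apache2.4" and an existing local group "apache"; both are parameters, as is the account name. It grants only "Log on as a service" (SeServiceLogonRight) by default: "Act as part of the operating system" (SeTcbPrivilege) is among the most powerful rights on Windows, so the script takes it as an opt-in rather than granting it unconditionally, and it finishes by checking that the account did not end up in Administrators.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original thread). Sets up a dedicated local
  service account for a natively installed Apache (.msi build, Windows service).
  Assumptions not stated in the thread: the service is registered as
  "Apache2.4" and the local group "apache" already exists.
#>
param(
    [string]$ServiceName = 'Apache2.4',
    [string]$AccountName = 'Daemon',
    [string]$GroupName   = 'apache',
    # SeServiceLogonRight is "Log on as a service". SeTcbPrivilege ("Act as
    # part of the operating system") is deliberately not in the default list:
    # add it only if the service demonstrably cannot start without it.
    [string[]]$Rights    = @('SeServiceLogonRight')
)
$ErrorActionPreference = 'Stop'

# 1. Create the account with a random 192-bit password. Nobody needs to know
#    it: the service control manager stores it, and the variable is cleared below.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $secure -Description 'Apache service account' `
        -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires | Out-Null
} else {
    Set-LocalUser -Name $AccountName -Password $secure
}
# Same effect as "net localgroup apache Daemon /add" in the thread.
Add-LocalGroupMember -Group $GroupName -Member $AccountName -ErrorAction SilentlyContinue
$sid = (Get-LocalUser -Name $AccountName).SID.Value

# 2. Grant user rights. There is no built-in cmdlet for this; secedit is the
#    scriptable form of what secpol.msc does. A [Privilege Rights] entry in the
#    template replaces the right's whole member list, so merge with the current one.
$work = Join-Path $env:TEMP "apache-rights-$PID"
New-Item -ItemType Directory -Path $work | Out-Null
secedit /export /cfg "$work\current.inf" /areas USER_RIGHTS | Out-Null
$current = Get-Content -Path "$work\current.inf"
$lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"',
           'Revision=1', '[Privilege Rights]')
foreach ($right in $Rights) {
    $pattern  = '^' + $right + '\s*=\s*(.*)$'
    $members  = @()
    $existing = $current | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if ($existing -and ($existing -match $pattern)) {
        $members = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    if ($members -notcontains "*$sid") { $members += "*$sid" }
    $lines += "$right = " + ($members -join ',')
}
Set-Content -Path "$work\grant.inf" -Value $lines -Encoding Unicode
secedit /configure /db "$work\grant.sdb" /cfg "$work\grant.inf" /areas USER_RIGHTS | Out-Null
Remove-Item -Recurse -Force -Path $work

# 3. Re-point the service at the new account (the "Log On" tab in services.msc).
#    ".\" means a local account; the password goes to the service control
#    manager through the Win32_Service.Change method, not onto a command line.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
$res = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = ".\$AccountName"; StartPassword = $plain }
if ($res.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($res.ReturnValue)" }
$plain = $null

# 4. Verify: the service should come back under the new account, and the
#    account must not have ended up in Administrators.
Restart-Service -Name $ServiceName
Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, State, StartName
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.SID.Value }
if ($admins -contains $sid) { Write-Warning "$AccountName is a member of Administrators" }
```

Run it from an elevated PowerShell as `.\apache-account.ps1` (or with `-ServiceName`, `-AccountName`, `-GroupName` and `-Rights` overridden to match the machine). The file permissions are still set the way the thread does it, through the "apache" group on the Apache folder; the script only replaces the user, group, secpol.msc and services.msc clicks, and the final check is the one worth keeping in any setup script, since a service account in Administrators undoes the whole point of running Apache as a separate user.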