Mail Archives: cygwin/2016/02/10/07:19:53
Date: Wed, 10 Feb 2016 13:19:32 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Issues with ACL settings after updating to the latest cygwin.dll
Message-ID: <20160210121932.GE15391@calimero.vinschen.de>

On Feb 10 12:55, Corinna Vinschen wrote:
> On Feb 9 20:53, xnor wrote:
> > Here is what I would expect:
> > MyUser is in the group Administrators. Given the inherited permissions above
> > a Windows-created file should be shown as "-rwxrwxr--+ MyUser
> > Administrators"?
>
> Sorry, can't do that, *unless* you make "Administrators" the primary
> group in your user token(*). Even though your account is *member* of
> the Administrators group, the group is *never* your primary group per
> Windows. All local accounts, independently of their group memberships,
> have the group "None" as their primary group. That's how Windows works,
> and that hasn't changed since at least NT4.
>
> Unless, of course, if you use a so-called "Windows account", one of
> those accounts which you login with using your email address (was that
> introduced with Windows 8? I'm not sure). In that case, the primary
> group in your user token is set to your user account itself. So your
> primary group SID is your own user SID. Duh!
>
>
> Corinna
>
> (*) There *is* a way to do that, but only inside Cygwin, see
> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-passwdinfo

Oh, and if it's not clear how this works under the hood, it's like this:

The Windows user token contains a couple of SID entries:

- The "user" SID
- The "owner" SID (user and owner are not necessarily the same,
  but, never mind)
- The primary group SID (which, it has to be said, is meaningless
  in the Windows context and only kept for
  POSIX compatibility)
- A list of group SIDs the user is a member of.

For a local account, the primary group SID is set to "None", the local
group with RID 513. For domain accounts this is typically the group
"Domain Users", the domain account with RID 513 (hmm...)

However, every process is allowed to switch the primary group entry of
its user token to *any* group mentioned in the group list, *or* even to
its user or owner SID. If you use the aforementioned method to change
the primary group, what happens is that the first Cygwin process in a
process chain changes the primary group in its user token. If the new
group is in the token's group list, this will work.

Child processes inherit the user token from their parent process, so
there's no reason to change the primary group again in a process tree.
Since that's a Windows property, this also works for non-Cygwin child
processes.

With the Administrators group there's a complication. If you're running
a normal shell, it's running under UAC control. UAC restricts the user
token of an admin user so that the admins group in the token group list
is "crippled": The admins SID is still in the list, but with a flag
"DENY ONLY". You're kind of not in the Administrators group anymore.
Only if an access check is performed, and the Admins group is denied
access to some object, this membership kicks in and denies the access.

HTH,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
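A small Python model of the token behaviour described in the message above, added here as an illustration; it is not code from the message or from Cygwin. The SIDs with the machine part 1111-2222-3333, the two-bit access mask and the simplified DACL walk are assumptions of the model and do not call any Windows API.

```python
from dataclasses import dataclass, replace

# Constructed sample SIDs; the machine part 1111-2222-3333 is made up.
USER = "S-1-5-21-1111-2222-3333-1001"
NONE = "S-1-5-21-1111-2222-3333-513"    # local group "None", RID 513
ADMINS = "S-1-5-32-544"                 # BUILTIN\Administrators
USERS = "S-1-5-32-545"                  # BUILTIN\Users
READ, WRITE = 0x1, 0x2                  # simplified access bits

@dataclass(frozen=True)
class Token:
    user: str
    owner: str
    primary_group: str
    groups: tuple                       # (sid, deny_only) pairs

def set_primary_group(tok, sid):  # rule as worded in the message
    # Accepted: the user SID, the owner SID or any group in the group list.
    if sid not in {tok.user, tok.owner} | {s for s, _ in tok.groups}:
        raise PermissionError(f"{sid} is not in the token")
    return replace(tok, primary_group=sid)

def uac_filter(tok):  # normal shell: Administrators stays listed, DENY ONLY
    return replace(tok, groups=tuple((s, d or s == ADMINS) for s, d in tok.groups))

def access_check(tok, dacl, wanted):
    # Simplified ordered DACL walk over (kind, sid, mask) entries.
    enabled = {tok.user} | {s for s, d in tok.groups if not d}
    listed = {tok.user} | {s for s, _ in tok.groups}    # includes DENY ONLY SIDs
    granted = 0
    for kind, sid, mask in dacl:
        if kind == "deny" and sid in listed and (mask & wanted & ~granted):
            return False                # deny ACEs match DENY ONLY SIDs too
        if kind == "allow" and sid in enabled:
            granted |= mask & wanted    # allow ACEs need an enabled SID
        if granted == wanted:
            return True
    return False

def demo():
    full = Token(USER, USER, NONE, ((NONE, False), (USERS, False), (ADMINS, False)))
    filtered = uac_filter(full)
    admins_only = [("allow", ADMINS, READ | WRITE)]
    deny_admins = [("deny", ADMINS, WRITE), ("allow", USERS, READ | WRITE)]
    return {
        "elevated_allow": access_check(full, admins_only, READ),
        "filtered_allow": access_check(filtered, admins_only, READ),
        "filtered_deny": access_check(filtered, deny_admins, WRITE),
        "filtered_read": access_check(filtered, deny_admins, READ),
    }
```

`demo()` contrasts an unfiltered admin token with the UAC-filtered one: an ACE that allows Administrators no longer grants anything to the filtered token, while an ACE that denies Administrators still applies to it.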