Mail Archives: cygwin-developers/2001/08/06/13:41:34
On Mon, Aug 06, 2001 at 12:28:48PM -0400, Charles Wilson wrote:
> cygwin: create_token() needs to set a default DACL of some sort, that is
> a little more open than rwx------. (This only affects the *default*
> DACL. If perms/ACL are *specified*, then of course the "default" has no
> effect.)
I have just discussed that with Chris. I think the best way is to
set the default DACL right before the `CreateFile' call so that
`CreateFile' creates the file with exactly the requested permissions
instead of first calling `CreateFile' with default DACL and then calling
`set_file_attributes' which overwrites the file's ACL. This practice
is actually the reason for the SYSTEM ACE in any file created with
the latest Cygwin from CVS since SYSTEM is always an entry in the
default DACL by, uhm, default.
> setup.exe: dirs(files?) created by setup.exe should have a DACL that
> allows full access to everyone. If users want to lock things down
> tighter after the fact, they can, I suppose.
Sure. That's what I suggest. NT/W2K creates the files according
to the inheritance attributes in the parent directory or - if
no inheritance is given - by using the default DACL in the process
token (simplified spoken).
> Two problems: I dunno how to do this, and they're taking my computer
> away in a couple of hours...so I can't help with this in the near
> future. :-(
I will try to get the default DACL changed in setup this week.
I don't know how much time I have to change fhandler_base::open
to do the other trick, though.
However, sometimes it would be nice if somebody could have a look
into the NT security stuff, too. I'm feeling lonely at the ntsec
cutting edge. Except for Kazuhiro who unfortunately doesn't write
to this list as often as a few months ago...
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
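
A simplified model of the DACL selection discussed in this message, added here as an illustration (it is not Cygwin code and not part of the original mail). It shows which DACL a new file carries at each step of the two creation orders, and what happens to the default-DACL approach when the parent directory has inheritable ACEs. The `Ace` type, the function names and the sample ACLs are constructed; rights are strings rather than access masks.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: str                # simplified stand-in for an access mask
    inheritable: bool = False  # simplified stand-in for the inheritance flags


Dacl = Tuple[Ace, ...]


def dacl_for_new_file(explicit: Optional[Dacl], parent: Dacl, token_default: Dacl) -> Dacl:
    # Simplified rule: an explicit DACL wins, else the inheritable ACEs of the
    # parent directory, else the default DACL of the process token.
    # (Merging inherited ACEs into an explicit DACL is not modelled here.)
    if explicit is not None:
        return explicit
    inherited = tuple(Ace(a.trustee, a.rights) for a in parent if a.inheritable)
    return inherited or token_default


def create_then_set(requested: Dacl, parent: Dacl, token_default: Dacl) -> List[Dacl]:
    # Two steps: create with whatever the system assigns, rewrite the ACL later.
    return [dacl_for_new_file(None, parent, token_default), requested]


def set_default_then_create(requested: Dacl, parent: Dacl) -> List[Dacl]:
    # Other order: make the requested DACL the token default, then create.
    return [dacl_for_new_file(None, parent, requested)]


def unrequested_trustees(states: List[Dacl], requested: Dacl) -> Set[str]:
    # Trustees that appear on the file at some step but were never requested.
    wanted = {a.trustee for a in requested}
    return {a.trustee for dacl in states for a in dacl} - wanted


# Constructed sample data.
TOKEN_DEFAULT: Dacl = (Ace("owner", "rwx"), Ace("SYSTEM", "rwx"))
REQUESTED: Dacl = (Ace("owner", "rw-"), Ace("Everyone", "r--"))
PLAIN_DIR: Dacl = ()
INHERITING_DIR: Dacl = (Ace("Administrators", "rwx", inheritable=True),)

if __name__ == "__main__":
    for name, parent in (("plain dir", PLAIN_DIR), ("inheriting dir", INHERITING_DIR)):
        two_step = create_then_set(REQUESTED, parent, TOKEN_DEFAULT)
        one_step = set_default_then_create(REQUESTED, parent)
        print(name, "two-step extras:", unrequested_trustees(two_step, REQUESTED))
        print(name, "default-first extras:", unrequested_trustees(one_step, REQUESTED))
```

In this model the default-DACL order gives exactly the requested ACL only when the parent directory passes on no inheritable ACEs; otherwise the inherited entries are what the new file receives.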