Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Delivered-To: mailing list cygwin@cygwin.com Message-ID: <050e01c3814f$bd8511c0$ac3e4381@chrismob> From: "Chris Rodgers" To: References: <5.1.0.14.0.20030915104435.027cf828@127.0.0.1> <04ce01c37ba7$5b1e67a0$a500000a@chrismob> <20030915171438.GK9981@cygbert.vinschen.de> Subject: Re: ntsec: changing the everyone user Date: Mon, 22 Sep 2003 22:23:16 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 > On Mon, Sep 15, 2003 at 05:35:20PM +0100, Chris Rodgers wrote: > > OK. Here is an example of the way permissions leak out to "Everyone". I > > create a new file, with no permissions granted to "other". Cygwin shows this > > to have worked OK. Yet in actual fact there is an ACL there giving Everyone > > some access rights. I usually choose not to have "Everyone" authorised to do > > anything on my Windows NT/2000 boxes, using Authorised Users instead. This > > way, without a valid login, you cannot get any information, including > > usernames and ACLs. > > > > How can I stop cygwin setting these ACLs? > > Did you have a close look to the access rights granted to everyone? > Otherwise, just don't use ntsec. > > Corinna > > > [...] > > Everyone:(special access:) > > READ_CONTROL > > FILE_READ_EA > > FILE_READ_ATTRIBUTES > For the archives (NOT for release :-)), I think that a quick hack is to redefine well_known_world_sid in src/winsup/cygwin/sec_helper.cc to be "S-1-5-11" instead of "S-1-1-0". This refers to the "Authorized Users" well-known group, instead of to "Everyone". Chris. -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/