X-Recipient: archive-cygwin@delorie.com
X-SWARE-Spam-Status: No, hits=-1.8 required=5.0 	tests=AWL,BAYES_00,SPF_HELO_PASS,SPF_PASS
X-Spam-Check-By: sourceware.org
To: cygwin@cygwin.com
From: Matthias Meyer <matthias.meyer@gmx.li>
Subject:  Re: How to deny directory-access for one dedicated user
Date:  Sat, 17 Oct 2009 14:28:35 +0200
Lines: 77
Message-ID:  <hbcd9m$l73$1@ger.gmane.org>
References:  <hb2bil$o3s$1@ger.gmane.org> <416096c60910131027g3df5021ei9b15ab5067353ce0@mail.gmail.com> <4AD4D5FB.4000906@gmail.com>
Mime-Version:  1.0
Content-Type:  text/plain; charset=us-ascii
Content-Transfer-Encoding:  7Bit
User-Agent: KNode/0.10.9
X-IsSubscribed: yes
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Delivered-To: mailing list cygwin@cygwin.com

Dave Korn wrote:

> Andy Koppe wrote:
>> 2009/10/13 Matthias Meyer:
>>> But nevertheless, user Backup can access the directory as well as the
>>> files
>> 
>> Does user "Backup" have Administrator privileges?
> 
>   No, user "Backup User" has the "Backup/Restore" privilege.  These are
> well-known reserved names in the NT security architecture.
> 
>   And in fact administrator privs don't get you access to any file you
>   like:
> as it happens, the reason why adminstrators in fact *can* access any file
> on the system, regardless of ACLs, is because they have _backup_
> privileges - it's the exact inverse of the question you asked!
> 
>   This is one of those areas where the underlying windows OS architecture
> diverges significantly from how things work in POSIX land and Cygwin can't
> do
> all that much to fudge over it.  You can be uid 0 on windows and not be
> able to read a file when you want, or you can have uid non-zero and yet
> still get complete access to every file you like!
> 
>     cheers,
>       DaveK

My user is called "backup". It is an own created user.
"backup" is member of the administrator group and have the following
additional privileges, defined by editrights:
SeBackupPrivilege
SeRestorePrivilege
SeServiceLogonRight

Thanks jason for the cacls hint.
I tried "cacls C:\Test /E /D backup". /E is very importand ;-)
But as before, user "backup" can acccess the directory.

Also after removing of the administrator group from user "backup"
and re-login, "backup" can access C:\Test.

Administrator@hostxp /
$ cacls "C:\Test"
C:\Test HOSTXP\Backup4U:(OI)(CI)N
        VORDEFINIERT\Administratoren:(OI)(CI)F          # predefined\Administrator:...
        NT-AUTORITT\SYSTEM:(OI)(CI)F
        HOSTXP\meyer:F
        ERSTELLER-BESITZER:(OI)(CI)(IO)F                # creater-owner:...
        VORDEFINIERT\Benutzer:(OI)(CI)R                 # predefined\user:...
        VORDEFINIERT\Benutzer:(CI)(Beschrnkter Zugriff:)        # predefined\user:.(restricted access:)
                                  FILE_APPEND_DATA

        VORDEFINIERT\Benutzer:(CI)(Beschrnkter Zugriff:)
                                  FILE_WRITE_DATA

backup@hostxp ~
$ cacls "C:\Test"
C:\Test
Zugriff verweigert              #=access denied

backup@hostxp ~
$ ls -alh "C:\Test"
total 0
drwx------+  2 meyer           Kein   0 Oct 17 13:15 .
drwxrwxr-x+ 12 Administratoren SYSTEM 0 Oct 17 13:15 ..
-rwx------+  1 meyer           Kein   0 Oct 17 13:15 Neu Textdokument.txt

How to solve my goal?
The user "backup" should backup all data but not certain directories.

Thanks
Matthias
-- 
Don't Panic

PS: Sorry for the inconvenience with German.


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple