Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Delivered-To: mailing list cygwin@cygwin.com
Message-ID: <51A753F8.90005@openafs.org>
Date: Thu, 30 May 2013 09:28:24 -0400
From: Jeffrey Altman <jaltman@openafs.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: cygwin@cygwin.com
Subject: Re: Using native symlinks
References: <CAGHJv4ftSKS6wR-Uzd9Gfvowqpn-WCQ0U01NexgCpZaYqd-Tow@mail.gmail.com> <20130528185553.GA31309@calimero.vinschen.de> <CAGHJv4fkvRt1gQfNTarHGUQWvdRxRsy=oAA=pjUQTLQFoNoW-g@mail.gmail.com> <20130529083910.GD31309@calimero.vinschen.de> <CAGHJv4cUbx_sMCwUgzTd3ZaXVgbfgPt1Fs7pOO4UtwZhFFj-uA@mail.gmail.com> <20130529152339.GB4471@calimero.vinschen.de> <CAGHJv4cKU_vHa7KddQ5dK_3dkj792A8X5Ps9njS_gBNEFWz63Q@mail.gmail.com> <20130529170147.GG4471@calimero.vinschen.de> <CAGHJv4cms9Cg=VA0bFsqK_MvY1fhYbgQA2iOWRKxA=O0Z1FL1A@mail.gmail.com> <20130530090326.GJ4471@calimero.vinschen.de>
In-Reply-To: <20130530090326.GJ4471@calimero.vinschen.de>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Reply-To: jaltman@openafs.org

On 5/30/2013 5:03 AM, Corinna Vinschen wrote:

> On the other hand, in the same situation the UAC-crippled admin's token
> does not contain the "Create symbolic links" right:
> 
>   $ /cygdrive/c/Windows/System32/whoami /priv
> 
>   PRIVILEGES INFORMATION
>   ----------------------
> 
>   Privilege Name                Description                          State
>   ============================= ==================================== ========
>   SeShutdownPrivilege           Shut down the system                 Disabled
>   SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
>   SeUndockPrivilege             Remove computer from docking station Disabled
>   SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
>   SeTimeZonePrivilege           Change the time zone                 Disabled
> 
> I also changed the "Create symbolic links" policy so that the "Users"
> group is the only group getting this right.  In other words, I removed
> the "Administrators" group entirely, logged off, logged on, and the
> result was the same as above.
> 
> This is a bug in UAC if you ask me.  It seems to remove privileges from
> the UAC-crippled admin's token based on a fixed internal list, totally
> ignorant of changes in the security policy.

This is a design flaw but it is working as documented.  Administrators have
SeCreateSymbolicLinkPrivilege by default so UAC removes it.  What UAC should
do in my opinion is not remove a static list of permissions but only
remove those permissions that are not granted to standard users.

If your organization is a user of native symlinks and you have a support
agreement with Microsoft, I recommend filing a support request to have
this behavior changed.

Jeffrey Altman
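As an added illustration (not part of the thread, and not Cygwin or
Microsoft code), here is a small Python script that turns the `whoami /priv`
table quoted above into a structured check.  The security-relevant
distinction it makes is the one the thread hinges on: a privilege that is
merely "Disabled" is still held by the token and can be switched on by the
process, whereas a privilege that does not appear in the list at all, which
is what the filtered admin token shows for SeCreateSymbolicLinkPrivilege,
cannot be acquired without elevating.  The filtered-token sample is copied
from Corinna's output; the "elevated" sample is a constructed, abbreviated
stand-in (hypothetical: a real elevated token lists far more privileges).

```python
import re
from typing import Dict, NamedTuple, Set

# Constructed sample: the filtered (UAC-restricted) administrator token from
# the message above, as printed by `whoami /priv`. Note that
# SeCreateSymbolicLinkPrivilege does not appear at all.
FILTERED_TOKEN = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
"""

# Constructed, abbreviated sample of what the same user's elevated token might
# show (hypothetical: a real elevated token lists many more privileges). The
# symlink privilege is present but Disabled, which is its normal resting state.
ELEVATED_TOKEN = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description              State
============================= ======================== ========
SeChangeNotifyPrivilege       Bypass traverse checking Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links    Disabled
SeDebugPrivilege              Debug programs           Disabled
"""

SYMLINK_PRIV = "SeCreateSymbolicLinkPrivilege"

# One table row: privilege name (no spaces), free-text description, then the
# State column, which an English-locale whoami prints as Enabled or Disabled.
ROW_RE = re.compile(r"^(\S+)\s+(.*?)\s+(Enabled|Disabled)\s*$")


class Privilege(NamedTuple):
    name: str
    description: str
    state: str


def parse_whoami_priv(text: str) -> Dict[str, Privilege]:
    """Parse `whoami /priv` output into {privilege name: Privilege}.

    Header, ruler and blank lines do not end in Enabled/Disabled and are
    skipped; only privileges actually held by the token appear at all.
    """
    privs: Dict[str, Privilege] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, desc, state = m.groups()
            privs[name] = Privilege(name, desc, state)
    return privs


def symlink_capability(privs: Dict[str, Privilege]) -> str:
    """Classify the token's ability to create native symlinks.

    'absent'   - not in the token; the process cannot add it to itself, so
                 CreateSymbolicLink fails with ERROR_PRIVILEGE_NOT_HELD until
                 the process runs elevated (the situation in the thread).
    'disabled' - held but not enabled; the process may enable it with
                 AdjustTokenPrivileges, so symlink creation can succeed.
    'enabled'  - held and already enabled.
    """
    p = privs.get(SYMLINK_PRIV)
    if p is None:
        return "absent"
    return p.state.lower()


def privileges_removed_by_filtering(elevated: str, filtered: str) -> Set[str]:
    """Names present in the elevated token's output but missing from the
    filtered token's output, i.e. what UAC stripped."""
    return set(parse_whoami_priv(elevated)) - set(parse_whoami_priv(filtered))


if __name__ == "__main__":
    for label, sample in (("filtered", FILTERED_TOKEN), ("elevated", ELEVATED_TOKEN)):
        state = symlink_capability(parse_whoami_priv(sample))
        print(f"{label}: {SYMLINK_PRIV} is {state}")
    removed = privileges_removed_by_filtering(ELEVATED_TOKEN, FILTERED_TOKEN)
    print("stripped by UAC:", sorted(removed))
```

On a real machine, feed the functions the output of
`subprocess.check_output(["whoami", "/priv"], text=True)` captured once from
a normal Cygwin shell and once from an elevated one; the difference set is
exactly the list UAC filtered out, and `symlink_capability` tells you whether
native symlink creation can work at all from the unelevated shell.  The
Enabled/Disabled match assumes an English Windows locale; non-English
installs print localized state names and would need the pattern adjusted.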



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

