Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Date: Sun, 2 Jun 2013 10:56:55 +0200
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: Using native symlinks
Message-ID: <20130602085655.GB13934@calimero.vinschen.de>
Reply-To: cygwin@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
References: <20130528185553.GA31309@calimero.vinschen.de> <CAGHJv4fkvRt1gQfNTarHGUQWvdRxRsy=oAA=pjUQTLQFoNoW-g@mail.gmail.com> <20130529083910.GD31309@calimero.vinschen.de> <CAGHJv4cUbx_sMCwUgzTd3ZaXVgbfgPt1Fs7pOO4UtwZhFFj-uA@mail.gmail.com> <20130529152339.GB4471@calimero.vinschen.de> <CAGHJv4cKU_vHa7KddQ5dK_3dkj792A8X5Ps9njS_gBNEFWz63Q@mail.gmail.com> <20130529170147.GG4471@calimero.vinschen.de> <CAGHJv4cms9Cg=VA0bFsqK_MvY1fhYbgQA2iOWRKxA=O0Z1FL1A@mail.gmail.com> <20130530090326.GJ4471@calimero.vinschen.de> <51A753F8.90005@openafs.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <51A753F8.90005@openafs.org>
User-Agent: Mutt/1.5.21 (2010-09-15)

On May 30 09:28, Jeffrey Altman wrote:
> On 5/30/2013 5:03 AM, Corinna Vinschen wrote:
> 
> > On the other hand, in the same situation the UAC-crippled admin's token
> > does not contain the "Create symbolic links" right:
> > 
> >   $ /cygdrive/c/Windows/System32/whoami /priv
> > 
> >   PRIVILEGES INFORMATION
> >   ----------------------
> > 
> >   Privilege Name                Description                          State
> >   ============================= ==================================== ========
> >   SeShutdownPrivilege           Shut down the system                 Disabled
> >   SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
> >   SeUndockPrivilege             Remove computer from docking station Disabled
> >   SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
> >   SeTimeZonePrivilege           Change the time zone                 Disabled
> > 
> > I also changed the "Create symbolic links" policy so that the "Users"
> > group is the only group getting this right.  In other words, I removed
> > the "Administrators" group entirely, logged off, logged on, and the
> > result was the same as above.
> > 
> > This is a bug in UAC if you ask me.  It seems to remove privileges from
> > the UAC-crippled admin's token based on a fixed internal list, totally
> > ignorant of changes in the security policy.
> 
> This is a design flaw but it is working as documented.   Administrators have
> SeCreateSymbolicLinkPrivilege by default so UAC removes it.   What UAC should
> do in my opinion is not remove a static list of permissions but only
> remove those permissions that are not granted to standard users.

ACK.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
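
Added example, not part of the original message: a small shell check that
reads `whoami /priv` output and reports whether a privilege is in the token
at all, which is the distinction the thread turns on (a right stripped from
the filtered token is absent from the list, not listed as Disabled).  The
function names and the second sample are constructed for illustration.

```shell
#!/bin/sh
# priv_state NAME: read `whoami /priv` text on stdin and print the State
# column for NAME, or "absent" when the token does not carry it at all.
priv_state() {
    awk -v want="$1" '
        { sub(/\r$/, "") }               # whoami.exe emits CRLF line ends
        $1 == want { state = $NF; found = 1 }
        END { print (found ? state : "absent") }
    '
}

# The filtered admin token quoted in the message above.
filtered_sample() {
cat <<'EOF'
Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
EOF
}

# Constructed sample (not from the thread): a token that still holds the right.
holder_sample() {
cat <<'EOF'
Privilege Name                Description                          State
============================= ==================================== ========
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links                Disabled
EOF
}

# symlink_right_in_token: exit 0 when the privilege is present in the
# text on stdin (Enabled or Disabled), 1 when it was stripped.
symlink_right_in_token() {
    [ "$(priv_state SeCreateSymbolicLinkPrivilege)" != "absent" ]
}

for s in filtered_sample holder_sample; do
    printf '%s: %s\n' "$s" "$($s | priv_state SeCreateSymbolicLinkPrivilege)"
done

# On a Cygwin host, check the live token (path as used in the message).
WHOAMI=/cygdrive/c/Windows/System32/whoami
if [ -x "$WHOAMI" ]; then
    "$WHOAMI" /priv | priv_state SeCreateSymbolicLinkPrivilege
fi
```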

