DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:from:to:references:subject:date
	:message-id:mime-version:content-type:content-transfer-encoding
	:in-reply-to; q=dns; s=default; b=oMKkCsjPas6kvJYG49GWIbvax+35Vw
	Opa6fsX1oWY9AbFhPHmO+9Td+mWRnXz/lkfBEvbSnrbbetYIvrfrJO8zteFfxrA1
	i0eej1lIwkkGh4DFAWD6INj154iQTMQ2/uxL7zndI+zeddb/VhqvYodsOueZ41cJ
	RMQIxtjwmjF3o=
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Reply-To: <wilson@ds.net>
From: "Brian S. Wilson" <briansw@bellsouth.net>
To: "'D. Boland'" <daniel@boland.nl>, <cygwin@cygwin.com>
References: <5274F396.A133C4CE@boland.nl>
Subject: RE: vi stealing SYSTEM-owned permissions and ownership
Date: Sat, 2 Nov 2013 09:36:06 -0400
Keywords: Ideas
Message-ID: <D7F32E9AFFD647458EB73E4ECBC03F3E@NCC1701>
MIME-Version: 1.0
Content-Type: text/plain;	charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <5274F396.A133C4CE@boland.nl>

> I'm a Linux teacher at a school for vocational education in the
Netherlands. 
> I use Cyqwin to help my students overcome their fear of the command line
by showing them their Windows systems through the eyes of Linux.
...
> After a chgrp and chmod on the entire Apache folder, the "conf" directory
looks like this:
>
> drwxrwx---+ 1 SYSTEM apache     0 28 okt 20:43 .
> drwxrwx---+ 1 SYSTEM apache     0  2 nov 13:10 ..
> -rwxrwx---+ 1 SYSTEM apache 35142 26 okt 18:07 httpd.conf
> -rwxrwx---+ 1 SYSTEM apache 34770  7 okt 23:29 httpd.default.conf
> -rwxrwx---+ 1 SYSTEM apache 13340  3 okt 07:59 magic
> -rwxrwx---+ 1 SYSTEM apache 13340 21 nov  2004 magic.default
> -rwxrwx---+ 1 SYSTEM apache 54599  3 okt 07:59 mime.types
> -rwxrwx---+ 1 SYSTEM apache 54599 17 mrt  2012 mime.types.default
> -rwxrwx---+ 1 SYSTEM apache  9390  5 feb  2013 openssl.cnf
> -rwxrwx---+ 1 SYSTEM apache 11050  3 okt 07:59 ssl.conf
> -rwxrwx---+ 1 SYSTEM apache 11030  7 okt 23:29 ssl.default.conf
> 
>My students can now administer Apache without running Cygwin "As
administrator".

Your statement may not be quite accurate.  The Cygwin Apache instance
appears to be running as the "SYSTEM" user since that is the file owner, but
your students can administer the files because they are members of the
"apache" group.  I can't really tell which user id is running your Apache
process because I don't know how you are actually starting the Apache
process.  Most production Apache instances do not run as the "root" user
since this is a security risk.

If my guess about the Apache process owner is correct, please make your
students aware that if someone hacks their Cygwin Apache servers, the hacker
may gain the same user access rights as the user id actually running the
Apache process.  The Apache process owner would normally be a unique user
account with no login or access privileges to protect the server from
successful attacks (just because your Apache files are owned by "SYSTEM",
Apache could be started under another, less privileged, user id for better
protection; but it is common practice to have the file owner also be the
user id that normally executes the file).  It is common to see a "nobody"
user as the owner of Apache in production systems.

I've spent some time over several years trying to figure out how to get
Apache working as a "nobody" user under Cygwin.  I've never succeeded in
getting it to work properly, and my comments to this board have not yielded
an answered.  I don't think it is possible to make Apache work this way
under Cygwin, but your students should be made aware of this difference.

If anyone is aware of how to get Apache working using a restricted "nobody"
user id under Cygwin, please respond (or start a new thread).


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple