Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Message-ID: <3A3D17E5.CEE59145@ece.gatech.edu>
Date: Sun, 17 Dec 2000 14:45:41 -0500
From: "Charles S. Wilson" <cwilson AT ece DOT gatech DOT edu>
X-Mailer: Mozilla 4.75 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Corinna Vinschen <cygwin AT cygwin DOT com>
Subject: Re: CVS permissions problem with network drive
References: <OF4452111B DOT B0F21FC3-ON862569B2 DOT 00610F4F AT mmm DOT com> <3A3C668F DOT E6885AC8 AT ece DOT gatech DOT edu> <3A3C7677 DOT 29906E35 AT ece DOT gatech DOT edu> <0012171246140L DOT 00473 AT cygbert>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Corinna Vinschen wrote:

> > > So: In order to access a CVS repository on an SMB share exported by
> > > an NT host, the user's account on the host must have the
> > > SeRestorePrivilege right.  However, this is dangerous:
> >
> > This is bull.  Ignore.
> 
> No, this isn't bull! You are right. You only did it the half way.
> 
> If _both_ accounts (your local account and the remote account used
> for the SMB connection) have the SeRestorePrivilge user right everything
> works as expected.

Confirmed.

> 
> Thanks for the hint, Chuck.
> 
> However, giving this permission remains dangerous for the reasons you
> explained in your previous mail. So the correct way in terms of NT
> security is still using domains and domain accounts.

Well, in my case, the 'correct way' is not possible -- I don't have a
domain or domain controller.  Just a W2K machine and an NT Workstation,
both members of the same Workgroup.

So, there are three possibilities:

1) Use domains and domain user accounts
2) turn off ntsec
3) add 'SeRestorePrivilege' to both the client machine user account and
the host machine user account.  This is dangerous because it basically
eliminates all file security on both machines, as far as that user is
concerned.  And, this extends to NON-cygwin programs run by that user.  

If #1 is not possible, then #2 is better than #3 (what's the point of
maintaining the *form* of ntsec when it has no *function*?  #3 vitiates
all file security anyway, so why bother with ntsec?)  If you set
nontsec, you lose unixish file security for cygwin programs but at least
you keep the Windows security intact (such as it is).

Unfortunately, both #2 and #3 affect behavior both locally and on file
shares.  It would be nice if ntsec behaved 'nontsec'-like when accessing
shares when the user accounts involved are not domain accounts.  That
way, I could continue to use ntsec for most stuff (local file access)
but share access 'just works' with less strict file security.  Does that
describe the 'extra checks' you said you needed to add, Corinna?

--Chuck

--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe AT sourceware DOT cygnus DOT com