Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Message-ID: <3BC89445.DEED628@rowman.com>
Date: Sat, 13 Oct 2001 15:21:41 -0400
From: John Peacock
To: Corinna Vinschen
Subject: Re: rsh: "Permission denied" on file creation. Cygwin 1.3.3 on W2K Adv Srv SP2.
References: <3BC72151 DOT F11E6CB0 AT cportcorp DOT com> <20011013105919 DOT O1155 AT cygbert DOT vinschen DOT de>

Corinna Vinschen wrote:
>
> Ouch! Where did you get that information? SYSTEM is exactly
> _the_ privileged user account which has all rights necessary
> for an operating system. It's the real "root" account for NT
> in contrast to the Administrators which are not allowed to do
> everything (e.g. user context switches).
>
> The only restriction SYSTEM suffers from is, it has no access
> to network shares which require authentication... which makes
> sense.

Some of this may be caused by what I said in another e-mail. Let me
write out my understanding of the SYSTEM account and you can correct me.

1) NT services need to have access to certain internal security
attributes, such as "Act as Part of Operating system", "Create a
token object" and "Replace a Token object." System has these rights
and more and is intended to be used for local NT services.

2) SYSTEM does not have rights to any other machine; it is strictly
a local account. This means that it cannot use drive shares (even
if they are public shares).

3) SYSTEM does not have rights, by itself, to any files on the local
machine that are not public. In other words, files owned by a
specific user are not accessible to SYSTEM.
However, an NT service run under the SYSTEM account can impersonate
any other local user account, if written that way, so the SYSTEM
account can access local files in that fashion.

Consequently, although SYSTEM is the usual account that is used by NT
to run services, it is not strictly equivalent to root under *nix,
since it does not have rights to everything. However, through the use
of user impersonation, SYSTEM can act as any user and is in that way
very similar to "su username" under *nix. Some Cygwin programs that
can be run as services under NT will not work properly under SYSTEM,
since they have not been written to impersonate users.

Is that any clearer?

John

--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4720 Boston Way
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5747