Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Message-ID: <007d01c154b9$d088be30$0200a8c0@lifelesswks>
From: "Robert Collins" <robert DOT collins AT itdomain DOT com DOT au>
To: "John Peacock" <jpeacock AT rowman DOT com>,
   "Corinna Vinschen" <cygwin AT cygwin DOT com>
References: <FF503547C1F8D211BD2C0008C7C564010C9A492A AT exdkba06 DOT novo DOT dk> <3BC72151 DOT F11E6CB0 AT cportcorp DOT com> <20011013105919 DOT O1155 AT cygbert DOT vinschen DOT de> <3BC89445 DOT DEED628 AT rowman DOT com>
Subject: Re: rsh: "Permission denied" on file creation. Cygwin 1.3.3 on W2K Adv  Srv SP2.
Date: Mon, 15 Oct 2001 00:09:16 +1000
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-OriginalArrivalTime: 14 Oct 2001 14:15:02.0343 (UTC) FILETIME=[9D568D70:01C154BA]

----- Original Message -----
From: "John Peacock" <jpeacock AT rowman DOT com>
To: "Corinna Vinschen" <cygwin AT cygwin DOT com>
Sent: Sunday, October 14, 2001 5:21 AM
Subject: Re: rsh: "Permission denied" on file creation. Cygwin 1.3.3 on
W2K Adv Srv SP2.


> Some of this may be caused by what I said in another e-mail.  Let
> me write out what my understanding of the SYSTEM account and you
> can correct me.
>
> 1) NT services need to have access to certain internal security
> attributes, such as "Act as Part of Operating system", "Create
> a token object" and "Replace a Token object."  System has these
> rights and more and is intended to be used for local NT services.

(Caveat: NT is quite flexible in design, I'm not sure that MS's default
services will work correctly if you change the privileges given to the
SYSTEM account...)

One of the headaches older NT versions have is that System *does* have
access to everything by default. And IIRC it is not possible under NT 4
and below to remove any of the privileges from the SYSTEM account.
Services running under System are therefore equivalent to daemons
running as root in unix. NT Services *DO NOT in general* need the
privileges you list above to operate. To perform specific tasks some
services do need such rights it's true, just not the general case (and
you are making a general statement).

> 2) SYSTEM does not have rights to any other machine; it is strictly
> a local account.  This means that it cannot use drive shares (even
> if they are public shares).

SYSTEM is quite capable of running a network sniffing password cracker!.
SYSTEM however cannot use the *integrated* authentication functions
(GSSAPI IIRC) to present credentials to another server. So local is a
rather relative term.

> 3) SYSTEM does not have rights, by itself, to any files on the local
> machine that are not public.  In other words, files owned by a
> specific user are not accessable to SYSTEM.  However, an NT service
> run under the SYSTEM account can impersonate any other local user
> account, if written that way, so the SYSTEM account can access local
> files in that fashion.

Not true, the default rights for NT on newly formatted partition are
Everyone:F. System is included there. If you deliberately setup an ACL
with SYSTEM not included, or SYSTEM denied, then a process running as
SYSTEM would have to use one of it's privileges as described by Corinna.

> Consequently, although SYSTEM is the usual account that is used by
> NT to run services, it is not strictly equivalent to root under *nix,

Sorry, it *is* strictly equivalent to root. It can do everything. Unlike
most *nix, NT has 'capabilities', and SYSTEM has the ability to turn on
more access than it gets be default - see Corinna's message. I suspect
that managing a capability based *nix, or a Mandatory Access Control
environment will be very similar to securing an NT machine to the hilt..

> Some Cygwin programs that can be run as services under NT will not
> work properly under SYSTEM, since they have not been written to
> impersonate users.

I don't see that: Impersonating a user is not a requirement per se of
being a service. For any program that has an interprocess comms path, be
it a unix socket, a fifo, or shared memory, it is designed to run as a
different user than the calling user. If it doesn't have such a comms
path, how can it run as a daemon at all?

Rob


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/