From: Jehan
To: cygwin AT cygwin DOT com
Newsgroups: gmane.os.cygwin
Subject: Re: Permission denied on a windows share
Date: Mon, 15 Jul 2002 09:04:39 -0700
Message-ID: <3D32F297.9060207@bravobrava.com>

Randall R Schulz wrote:
> Have you read the Cygwin documents regarding file modes / permissions
> and how they relate to Windows permissions?

Yes, I did.

> If the mapping from Windows permissions to POSIX-style file modes says
> the file is inaccessible, Cygwin must deny the program access even if
> Windows would allow it. You've asked Cygwin to do that by enabling "ntsec."

If this is true, then I don't understand Corinna's talk about "The mapping leak". If in the end, cygwin does its own checking, why bother with Windows security if the mapping is flawed anyway?
If the answer is "because it works well most of the time", then this gives a false sense of security. If some administrator tries to open a file under a specific username for testing (like "guest") and gets a permission denied, he will think "good, my security works, this user can't access the file". Now the user logs in with his notepad and "oooh, wonderful, I can edit the sshd conf or inetd.conf". Ok, this is a little far-fetched because which administrator would write config files owned by Guest on a domain account? But the idea is there.

So the question is: if I can edit a file with a Windows application, what's the point in having more restrictions with cygwin? If cygwin was running in a "sand-box" (I think it's the term :p), then ok. But since cygwin applications are normal Windows applications with added features, nothing keeps a cygwin trojan from running a notepad and editing the file it couldn't edit otherwise.

> The bottom line is that a POSIX-style file mode is inherently and
> ineluctably an imperfect reflection of the essential Windows permissions.
>
> You must live with the discrepancy.

As long as the discrepancy makes sense to me, I'm fine. And despite all your effort, it still doesn't. The good news is that Corinna also thinks there is a bug. So I'm glad to be a little stubborn (if not thickheaded) on that matter :)

Jehan
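The discrepancy discussed in this message, as an added example that is not part of the original post and not Cygwin's ntsec code: a simplified model that projects an ACL onto owner/group/other mode bits and lists the accounts a mode-based check refuses although the ACL itself grants access. The ACE layout, the account names and the sample ACL are constructed assumptions.

```python
from dataclasses import dataclass

READ, WRITE = 4, 2  # POSIX-style permission bits, reused as the ACE mask

@dataclass(frozen=True)
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    trustee: str  # user or group name
    mask: int

def acl_allows(acl, user, groups, want):
    """ACL-style check: walk ACEs in order; a deny on a not-yet-granted bit fails."""
    granted = 0
    for ace in acl:
        if ace.trustee != user and ace.trustee not in groups:
            continue
        if not ace.allow and (ace.mask & want & ~granted):
            return False
        if ace.allow:
            granted |= ace.mask
        if (granted & want) == want:
            return True
    return False

def acl_to_mode(acl, owner, group):
    """Lossy projection (assumed model): only owner, one group and Everyone fit."""
    bits = {owner: 0, group: 0, "Everyone": 0}
    for ace in acl:
        if ace.allow and ace.trustee in bits:
            bits[ace.trustee] |= ace.mask
    return bits[owner] << 6 | bits[group] << 3 | bits["Everyone"]

def mode_allows(mode, owner, group, user, groups, want):
    """POSIX check: exactly one of the owner/group/other classes applies."""
    shift = 6 if user == owner else 3 if group in groups else 0
    return ((mode >> shift) & 7 & want) == want

def audit(acl, owner, group, principals, want=WRITE):
    """Accounts the mode-based check denies although the ACL grants access."""
    mode = acl_to_mode(acl, owner, group)
    return [u for u, gs in principals.items()
            if acl_allows(acl, u, gs | {"Everyone"}, want)
            and not mode_allows(mode, owner, group, u, gs, want)]

# Constructed sample: the third ACE names a user that no mode bit can represent.
ACL = [Ace(True, "Administrator", READ | WRITE), Ace(True, "Users", READ),
       Ace(True, "guest", READ | WRITE)]
PRINCIPALS = {"Administrator": {"Users"}, "alice": {"Users"}, "guest": {"Guests"}}

if __name__ == "__main__":
    print(oct(acl_to_mode(ACL, "Administrator", "Users")))   # projected mode
    print(audit(ACL, "Administrator", "Users", PRINCIPALS))  # mismatched accounts
```

Any account the audit returns is one where a "permission denied" seen through the mode-based check says nothing about what the underlying ACL permits.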