From: "Dan Vasaru"
Subject: RE: [Proposal] Moving user mount information to HKLM
Date: Fri, 27 Sep 2002 19:43:48 +0200
In-Reply-To: <1033138655.22922.312.camel@lifelesswks>

Robert,

>FWIW the HKLM user mounts would have the same security
>ramification (which is why it's not a generically viable solution).

True, but one could fine-tune access rights to "HKLM/Software/Cygwin" such that:

1) All users have "Create subkey" permission in "HKLM/...../Cygwin/Users".
2) All user specific information goes under a "Cygwin/Users/{SID}" subkey. In addition to the default rights for local admin etc, full access must be granted to {SID}.

This would ensure that whoever is authorized to login would be able to execute mount commands. Note that all keys down to "Users" need to be opened for READ access only, otherwise RegOpenKey will fail with permission denied.

On another note, how about adding a flag to "mount" telling it that the mount is NOT to be persisted, in a similar fashion to the "net use /persistent:no" command? This would bypass the need to write to the registry and unmount on exit.

Thanks again,
Dan.

PS. For the archives:

Problem: The mount -u command fails if a domain user's registry hive is not downloaded from the domain controller and no local hive cache exists.

Current workaround: Our best workaround is to give all potential users FullControl permissions to the "HKLM/Software" key, and mount everything as a system mount.
The security risks are that any user can modify/change/delete all registry information under HKLM/Software. There's a limit of about 25 mounts that can be created this way before hitting a built-in limit of maximum 30 mount points per system+user.

Restricting write access to the "HKLM.../cygwin/mounts v2" subkey will still result in a "Permission denied", since cygwin 1.3.12-2 tries to open all HKLM keys (down to "HKLM/Software..../mounts v2") with write access.
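
The ACL layout proposed in points 1) and 2) of the message above, as an added PowerShell example that is not part of the original message or of Cygwin. Assumptions: the key path is the shorthand used in the message, the CREATOR OWNER entry is one way to give {SID} full access to the subkey it creates, and the function names are hypothetical. The last function reports any subkey whose owner is not the SID it is named after, since every user can create subkeys under "Users".

```powershell
# Added example: ACL layout for the per-user mount keys proposed in the message.
# Run elevated. The default path is the message's shorthand (assumption); adjust it.
param([string]$UsersKey = 'HKLM:\SOFTWARE\Cygwin\Users')

# Hypothetical helper: build one allow rule from a SID string and flag names.
function New-Rule([string]$Sid, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    [System.Security.AccessControl.RegistryAccessRule]::new(
        [System.Security.Principal.SecurityIdentifier]::new($Sid),
        [System.Security.AccessControl.RegistryRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-UsersKeyAcl {
    if (-not (Test-Path $UsersKey)) { New-Item -Path $UsersKey -Force | Out-Null }
    $acl = Get-Acl -Path $UsersKey
    # Stop inheriting from the parent so only the rules below apply.
    $acl.SetAccessRuleProtection($true, $false)
    # Point 1: Authenticated Users may read this key and create a subkey in it.
    # InheritanceFlags 'None' keeps that right off the per-user subkeys.
    $acl.AddAccessRule((New-Rule 'S-1-5-11' 'ReadKey, CreateSubKey' 'None' 'None'))
    # Default rights for local Administrators and SYSTEM, inherited by subkeys.
    $acl.AddAccessRule((New-Rule 'S-1-5-32-544' 'FullControl' 'ContainerInherit' 'None'))
    $acl.AddAccessRule((New-Rule 'S-1-5-18' 'FullControl' 'ContainerInherit' 'None'))
    # Point 2: CREATOR OWNER, inherit-only, so the account that creates
    # Users\{SID} receives full access to that subkey and nothing else.
    $acl.AddAccessRule((New-Rule 'S-1-3-0' 'FullControl' 'ContainerInherit' 'InheritOnly'))
    Set-Acl -Path $UsersKey -AclObject $acl
}

# Audit: each subkey should be owned by the SID it is named after.
function Test-UserSubkeyOwners {
    Get-ChildItem -Path $UsersKey | ForEach-Object {
        $sidType = [System.Security.Principal.SecurityIdentifier]
        $owner = (Get-Acl -Path $_.PSPath).GetOwner($sidType).Value
        [pscustomobject]@{
            Key   = $_.PSChildName
            Owner = $owner
            Match = ($owner -eq $_.PSChildName)
        }
    }
}

Set-UsersKeyAcl
Test-UserSubkeyOwners | Where-Object { -not $_.Match }
```

Keys created by an administrator on a user's behalf will show the administrator as owner and appear in the audit output.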