Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Mon, 18 Nov 2002 23:53:44 -0500
From: "Pierre A. Humblet" <pierre DOT humblet AT ieee DOT org>
To: cygwin AT cygwin DOT com
Subject: Re: .rhosts on W2K w/o ntsec
Message-ID: <20021119045343.GA37343375@HPN5170X>
References: <3DD8B7F3 DOT 6070100 AT csgsystems DOT com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3DD8B7F3.6070100@csgsystems.com>
User-Agent: Mutt/1.4i

On Mon, Nov 18, 2002 at 10:50:43AM +0100, Christian Mueller wrote:
> 
> Unless, of course, I turn ntsec off again as soon as ruserok() has 
> completed. The only way to do this would be in /etc/profile. Is this 
> safe, i.e. will Cygwin see the environment changing and turn off ntsec 
> for *all* subsequent syscalls and processes, even after forking, 
> setting new userids, ....?
What do you mean "setting new userids"? It is safe to turn ntsec off in
the /etc/profile or ~/.bash_profile sourced by the login shell. Of course 
the login shell itself will still have ntsec on, so it needs to reexec 
itself after turning ntsec off.
  
> Another problem would be that other services which don't start shells 
> such as the IPC daemon, apache, etc. would end up using ntsec.
Not sure if that's really a problem. At any rate that can be controlled with
the -e argument of cygrunsrv, but I don't know what will happen in each case.
  
> Wouldn't it be a good idea to store uid and gid in the extended 
> attributes as well and use them if ntsec is turned off? At least for 
> me this would be the perfect solution....
They are, of course, but Cygwin does not report them when ntsec is off.
Changing that behavior would probably hurt other users. Asking for a special
"cmueller" field to CYGWIN is unlikely to yield a positive reply.

I have reread your original e-mail and I don't fully understand why nontsec helps
you. The reasons you give are not compelling. Even with nontsec, the files you 
create are not owned by Administrators. Also, the directories created by Cygwin 
with ntsec do have inheritance turned on. In fact that inheritance determines the 
ACL of files created by Cygwin when ntsec is off, and also the ACL created by most 
Windows applications. Incidentally you can display these "stupid permissions" with
getfacl and change them with setfacl, so you could add Administrators if needed.
Is your group Administrators? If not, wouldn't it help to change it to that?

Pierre

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/