Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Reply-To: Cygwin List <cygwin AT cygwin DOT com>
Message-Id: <5.1.0.14.0.20030922180938.02f0d300@127.0.0.1>
X-Sender: 
Date: Mon, 22 Sep 2003 18:27:33 -0400
To: "Chris Rodgers" <cygwin AT bulk DOT rodgers DOT org DOT uk>, <cygwin AT cygwin DOT com>
From: Larry Hall <cygwin-lh AT cygwin DOT com>
Subject: Re: ntsec: changing the everyone user
In-Reply-To: <050e01c3814f$bd8511c0$ac3e4381@chrismob>
References: <5 DOT 1 DOT 0 DOT 14 DOT 0 DOT 20030915104435 DOT 027cf828 AT 127 DOT 0 DOT 0 DOT 1>
 <04ce01c37ba7$5b1e67a0$a500000a AT chrismob>
 <20030915171438 DOT GK9981 AT cygbert DOT vinschen DOT de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 05:23 PM 9/22/2003, Chris Rodgers you wrote:
>> On Mon, Sep 15, 2003 at 05:35:20PM +0100, Chris Rodgers wrote:
>> > OK. Here is an example of the way permissions leak out to "Everyone". I
>> > create a new file, with no permissions granted to "other". Cygwin shows
>this
>> > to have worked OK. Yet in actual fact there is an ACL there giving
>Everyone
>> > some access rights. I usually choose not to have "Everyone" authorised
>to do
>> > anything on my Windows NT/2000 boxes, using Authorised Users instead.
>This
>> > way, without a valid login, you cannot get any information, including
>> > usernames and ACLs.
>> >
>> > How can I stop cygwin setting these ACLs?
>>
>> Did you have a close look to the access rights granted to everyone?
>> Otherwise, just don't use ntsec.
>>
>> Corinna
>>
>> > [...]
>> >                 Everyone:(special access:)
>> >                          READ_CONTROL
>> >                          FILE_READ_EA
>> >                          FILE_READ_ATTRIBUTES
>>
>
>For the archives (NOT for release :-)), I think that a quick hack is to
>redefine well_known_world_sid in src/winsup/cygwin/sec_helper.cc to be
>"S-1-5-11" instead of "S-1-1-0". This refers to the "Authorized Users"
>well-known group, instead of to "Everyone".


Glad you found a resolution to this for your own needs but I have to say
I'm with Corinna.  I don't see how giving everyone read access to the 
security descriptor/attributes/extended attributes is a problem.  The 
file still can't be accessed unless that information says that it can 
for the current user.


--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
838 Washington Street                   (508) 893-9889 - FAX
Holliston, MA 01746                     


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/