X-Spam-Check-By: sourceware.org
Message-ID: <43CE85E4.DEA7B330@dessent.net>
Date: Wed, 18 Jan 2006 10:16:04 -0800
From: Brian Dessent <brian AT dessent DOT net>
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: Wich privileges required by ssh-host-config running user?
References: <SERRANOP9ww1WySvX5w000001bc AT SERRANO DOT CAM DOT ARTIMI DOT COM>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes
Reply-To: cygwin AT cygwin DOT com
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Dave Korn wrote:

> > I'm not sure that power users have the ability to change ownership in
> > this way..
> 
>   Actually, I'm not sure either.  If "Power Users" isn't enough, it would need
> to be a local admin.

This discussion reminds me of an article I read recently:

http://www.microsoft.com/technet/community/columns/secmgmt/sm1105.mspx

"For many years it has been fashionable to perform blanket replacement
of ACLs to "secure" the system. For instance, if you look at the ACL on
the %systemdrive%\boot.ini it contains an ACE for Power Users. Many
people believe that if you simply remove all the ACEs for Power Users,
you have effectively contained that group. This is not true. There is a
very simple fact about Power Users that you need to be aware of:

Power Users are administrators who simply have not made themselves
administrators yet.

You cannot remove the ACLs on the file system, or even the registry, and
prevent that. Power Users are ingrained in the operating system, and
they have sufficient privileges to escalate to an administrator fairly
easily. You cannot use Power Users to contain untrusted users. It is
only meant to keep well meaning users from hurting themselves and the
operating system accidentally. Nevertheless, many organizations have
policies to attempt to limit Power Users by performing blanket DACL
replacement. The same types of policies are commonly found to replace
the Everyone group with Authenticated Users or Domain Users, which we
cover below. Unfortunately, attempts to perform blanket DACL replacement
often have disastrous effects. "

Brian

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/