X-Spam-Check-By: sourceware.org Date: Thu, 30 Nov 2006 10:04:41 +0100 From: Corinna Vinschen To: cygwin AT cygwin DOT com Subject: Re: backup privileges [was: [ANNOUNCEMENT] Updated: cygwin-1.5.22-1] Message-ID: <20061130090441.GA25001@calimero.vinschen.de> Reply-To: cygwin AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.2i Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com On Nov 29 21:53, Eric Blake wrote: > Corinna Vinschen cygwin.com> writes: > > - Always open files with backup/restore intent to emulate real "root" > > access. Fix access(2) accordingly. (corinna) > > This change has some interesting effects, and I think you did the right thing > by making access(2) reflect what open() is capable of. But now both the > findutils and coreutils testsuites report failures, where before this patch > they were passing, when the testsuite is run by a user in the Administrators > group. These failures are spurious, due to the fact that the testsuites are > making the (IMO unfounded) assumption that it should always be impossible to > read a file with mode 000. The coreutils testsuite, at least, recognizes the > importance of checking in advance which tests of the testsuite must be skipped > when run by root/non-root entities due to the different semantics that > privileges outside of the ACL scheme can provide, but obviously did not catch > all the cases. But it took me a while to realize that these were testsuite > bugs and not program bugs. So the testsuites also fail when running on Linux under root? Or do they check for uid 0? > But it does beg the question of whether it should be configurable whether a > user WANTS to use backup privileges to bypass ACLs. It seems like cygwin is > very often installed by users that happen to have Administrator privileges, but > who don't know any better that they must be careful (in particular, think of > home users). For the same reasons that you don't normally run as root on > Linux, even when you know the root password, you shouldn't normally be allowing Which gives us a lesson known for ages. Don't run under admin privileges, except you have to. By allowing an admin user everything which an admin user has the right to do, Cygwin is not different then when running under root on Linux. And, probably I'll get shot down for saying that, Cygwin is not intended for users who don't know what they are doing. There are other tools out there which happen to serve that target audience well. Btw., when running under Vista, a default shell for the administrator will run under a reduced privilege set which does not contain backup and restore rights. That's exactly what you're asking for without having to add another flag to Cygwin. This does not help when you run the shell with full privilege set of course, which is still quite easy to accomplish. So, for all OSes, even for Vista, the answer is what every good doctor will tell you: "Don't do that then." Corinna P.S.: In good old "root"-user tradition, I'm about to check in a change which also allows admin users to chdir into directories which have strict permissions set. -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Project Co-Leader cygwin AT cygwin DOT com Red Hat -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/