Message-ID: <4ADA0984.7080703@columbus.rr.com>
Date: Sat, 17 Oct 2009 14:14:28 -0400
From: Paul McFerrin
Reply-To: pmcferrin AT columbus DOT rr DOT com
To: cygwin AT cygwin DOT com
Subject: Re: How to deny directory-access for one dedicated user
In-Reply-To: <4AD9EB0E.80601@gmail.com>

I agree with Dave about trying to deny access to a particular user under Cygwin. The support is not there.

I will touch on an actual feature that provides this capability. Under Amdahl UTS Unix (SVR3-like), there was a feature that relied on the proper implementation of the chroot(2) system call. You can give the restricted user his own login space and make available certain other filesystems, mounted for the restricted user, to give him/her what they are actually allowed to have access to, and no more. Login was modified to look for a "*" in the password field to signify a sub-login, with the passwd home directory as the argument to the chroot(2) system call, and thereby execute login again under the new chroot. In order for this to be effective, one must exercise caution in setting up this painful and elaborate work in achieving the desired environment for the restricted user. Without a real chroot(2) syscall, it really can't be done.

Cygwin as it stands today can't provide a true restricted environment if it provides general access to hard (C:/pathnames/) drives, unless the PC itself is restrictive (limited networking).

The above is my personal opinion on this subject and does not reflect management views.

Dave Korn wrote:
> Matthias Meyer wrote:
>
>> How to solve my goal?
>> The user "backup" should backup all data but not certain directories.
>
> It cannot be done. Your two requirements amount to:
>
> 1- I want the backup user to be able to access all files and directories
> without restriction.
> 2- I want the backup user to be restricted from accessing certain files and
> directories.
>
> As a matter of plain logic, these requirements just cannot both be satisfied
> simultaneously in the same universe! There is no means to give the backup
> user privileges to access only-some-but-not-all of the files that the ACLs say
> it should not have access to, because it would essentially require an entire
> second level of ACLs on every file in the system to keep track of which files
> the backup privilege gave access to and which files it did not.
>
> cheers,
> DaveK
>
> --
> Problem reports: http://cygwin.com/problems.html
> FAQ: http://cygwin.com/faq/
> Documentation: http://cygwin.com/docs.html
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
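The chroot sub-login mechanism Paul describes (a "*" in the passwd field marks a restricted account, the home directory becomes the new root, and login is re-executed inside it) can be sketched in a few lines of C. The program below is an added illustration written for this archive page, not UTS or Cygwin code; the function names, the sample passwd lines and the path /bin/login are assumptions. It separates the marker check (testable without privileges) from the privileged step, and pairs chroot(2) with chdir("/") because a chroot that leaves the working directory outside the new root is not a confinement at all.

```c
/* Added example: reconstruction of a "sub-login" wrapper for the chroot
   scheme described in the message. Not UTS code; names are assumptions. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse one /etc/passwd-style line (name:passwd:uid:gid:gecos:home:shell).
   Returns 1 and copies the home directory into root when the password
   field is exactly "*", the marker for a chroot sub-login; 0 otherwise.
   A relative or empty home is rejected so it can never become a root. */
int sublogin_root(const char *line, char *root, size_t rootlen)
{
    char buf[512];
    char *fields[7];
    int n = 0;

    if (strlen(line) >= sizeof buf)
        return 0;
    strcpy(buf, line);

    char *p = buf;
    char *tok;
    while (n < 7 && (tok = strsep(&p, ":")) != NULL)
        fields[n++] = tok;
    if (n < 7)
        return 0;
    if (strcmp(fields[1], "*") != 0)
        return 0;
    if (fields[5][0] != '/')
        return 0;

    snprintf(root, rootlen, "%s", fields[5]);
    return 1;
}

/* Privileged step: confine the process to root and run login again inside
   it. Requires root. chroot without chdir leaves the old cwd reachable, so
   both are done; execl only returns on failure. */
int enter_sublogin(const char *root, const char *login_path)
{
    if (chroot(root) != 0) { perror("chroot"); return -1; }
    if (chdir("/") != 0)   { perror("chdir");  return -1; }
    execl(login_path, "login", (char *)NULL);
    perror("execl");
    return -1;
}

int main(int argc, char **argv)
{
    /* Constructed sample passwd entries for an offline run. */
    const char *sample[] = {
        "restricted:*:1001:1001:Restricted user:/srv/jail:/bin/sh",
        "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    };
    char root[256];

    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        if (sublogin_root(sample[i], root, sizeof root))
            printf("%s\n  -> chroot sub-login, new root %s\n", sample[i], root);
        else
            printf("%s\n  -> ordinary login\n", sample[i]);
    }

    /* "--enter <dir>" performs the privileged step (root only). */
    if (argc > 2 && strcmp(argv[1], "--enter") == 0)
        return enter_sublogin(argv[2], "/bin/login") == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
    return EXIT_SUCCESS;
}
```

Run without arguments it only classifies the two constructed entries; the chroot step is reached only with `--enter <dir>` as root. The marker check deliberately treats anything other than an absolute home path as "not a sub-login", which is the kind of caution the message says the scheme demands.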