Date: Thu, 30 May 2013 11:03:26 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: Using native symlinks

On May 29 20:43, Chris Sutcliffe wrote:
> On 29 May 2013 13:01, Corinna Vinschen wrote:
> > On May 29 12:40, Chris Sutcliffe wrote:
> >> On 29 May 2013 11:23, Corinna Vinschen wrote:
> >> > On May 29 10:33, Chris Sutcliffe wrote:
> >> >> On 29 May 2013 04:39, Corinna Vinschen wrote:
> >> > Also, either way, did you logoff and logon so that the "Create symbolic
> >> > links" user right can be added to your user token?  Note that your token
> >> > remains unchanged if you didn't exit from your session.  Just changing
> >> > the Policy isn't enough, the OS needs a chance to create a new user token
> >> > for you containing the user right.
> >>
> >> I've rebooted the machine since making the change and it has had no
> >> effect.  Is there something else I need to do?
> >
> > I don't know.  I have to try (but not today).  Did you try to add the
> > "Users" group to the Local Security Policy entry instead?
>
> I tried adding the "Users" group and it didn't help either.

I just tested it and can confirm it.  Try this:

Start a login session of a normal user after adding the "Users" group to
the "Create symbolic links" right.
Check the privileges in the user token:

  $ /cygdrive/c/Windows/System32/whoami /priv

  PRIVILEGES INFORMATION
  ----------------------

  Privilege Name                Description                          State
  ============================= ==================================== ========
  SeShutdownPrivilege           Shut down the system                 Disabled
  SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
  SeUndockPrivilege             Remove computer from docking station Disabled
  SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
  SeTimeZonePrivilege           Change the time zone                 Disabled
  SeCreateSymbolicLinkPrivilege Create symbolic links                Disabled

On the other hand, in the same situation the UAC-crippled admin's token
does not contain the "Create symbolic links" right:

  $ /cygdrive/c/Windows/System32/whoami /priv

  PRIVILEGES INFORMATION
  ----------------------

  Privilege Name                Description                          State
  ============================= ==================================== ========
  SeShutdownPrivilege           Shut down the system                 Disabled
  SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
  SeUndockPrivilege             Remove computer from docking station Disabled
  SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
  SeTimeZonePrivilege           Change the time zone                 Disabled

I also changed the "Create symbolic links" policy so that the "Users"
group is the only group getting this right.  In other words, I removed
the "Administrators" group entirely, logged off, logged on, and the
result was the same as above.

This is a bug in UAC if you ask me.  It seems to remove privileges from
the UAC-crippled admin's token based on a fixed internal list, totally
ignorant of changes in the security policy.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
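
Added example, not part of the original message: a shell helper for the Cygwin prompt that reads `whoami /priv` output and tells apart a privilege that is in the token but Disabled from one the token does not contain at all, which is the difference between the two listings above. The function and variable names are hypothetical; the sample rows are the ones quoted in the message.

```shell
#!/bin/sh
# Added example, not from the original message; names are hypothetical.
# Real use: /cygdrive/c/Windows/System32/whoami /priv | priv_state NAME

# Classify one privilege in `whoami /priv` output read from stdin:
# "enabled"/"disabled" if the token holds it, "absent" if it does not.
priv_state() {
    awk -v want="$1" '
        { sub(/\r$/, "") }   # native Windows tools write CRLF
        $1 == want { state = tolower($NF); found = 1 }
        END { print (found ? state : "absent") }
    '
}

# Print privilege names present in listing $1 but missing from listing $2.
privs_missing() {
    printf '%s\n' "$1" |
    awk '{ sub(/\r$/, "") } $1 ~ /^Se[A-Za-z]+Privilege$/ { print $1 }' |
    while read -r name; do
        if [ "$(printf '%s\n' "$2" | priv_state "$name")" = absent ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Table rows of the two listings quoted in the message.
NORMAL_USER='SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links                Disabled'
FILTERED_ADMIN='SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled'

P=SeCreateSymbolicLinkPrivilege
printf 'normal user:    %s\n' "$(printf '%s\n' "$NORMAL_USER" | priv_state "$P")"
printf 'filtered admin: %s\n' "$(printf '%s\n' "$FILTERED_ADMIN" | priv_state "$P")"
printf 'missing from filtered admin token: %s\n' \
    "$(privs_missing "$NORMAL_USER" "$FILTERED_ADMIN")"
```

A result of "disabled" means the right reached the token after the policy change and re-logon; "absent" means it was never put there, as in the second listing.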