X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:subject
	:references:in-reply-to:content-type:content-transfer-encoding
	:reply-to; q=dns; s=default; b=CzXqnIDPEj+7KlQ3awkfEIqRJiZcv2IfV
	aEldAei+HrR+VdQMhOZD5eKrk9JF2q+4qTTR440c88A8zKxZGxR3E+B09g+++OCH
	NxWBmKcAfabfyYFJqLwLQxtFMkeqSBzkcplF8mBWpFal1ihdLbBZ8SKWCIraaL1e
	UF1s74BuAs=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:subject
	:references:in-reply-to:content-type:content-transfer-encoding
	:reply-to; s=default; bh=AQlU7YbNb9zD3h3Zf8yK3xfveE4=; b=XVkIFel
	4M/AkeNCiW6yBNZSd4pE3eLC+Ati6lBM+nalOQwc1fbBP+IcpYL1Z5d8qIjaQkR4
	YmR/5Gs4cD7pbewF89EOws0npC1p044ZCJ1PW9fAyIGhGHU9gLfQIzNmR0G4TzmV
	8SHT4M8r+YBzyY/T2WmQSmf3w6BkaNpYlUFY=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
X-Spam-SWARE-Status: No, score=-1.2 required=5.0 tests=AWL,BAYES_50,KHOP_THREADED autolearn=ham version=3.3.1
X-MDAV-Result: clean
X-MDAV-Processed: mail.secure-endpoints.com, Thu, 30 May 2013 09:28:26 -0400
X-Spam-Processed: mail.secure-endpoints.com, Thu, 30 May 2013 09:28:25 -0400	(not processed: message from trusted or authenticated source)
X-Return-Path: jaltman AT openafs DOT org
X-Envelope-From: jaltman AT openafs DOT org
X-MDaemon-Deliver-To: cygwin AT cygwin DOT com
Message-ID: <51A753F8.90005@openafs.org>
Date: Thu, 30 May 2013 09:28:24 -0400
From: Jeffrey Altman <jaltman AT openafs DOT org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: Using native symlinks
References: <CAGHJv4ftSKS6wR-Uzd9Gfvowqpn-WCQ0U01NexgCpZaYqd-Tow AT mail DOT gmail DOT com> <20130528185553 DOT GA31309 AT calimero DOT vinschen DOT de> <CAGHJv4fkvRt1gQfNTarHGUQWvdRxRsy=oAA=pjUQTLQFoNoW-g AT mail DOT gmail DOT com> <20130529083910 DOT GD31309 AT calimero DOT vinschen DOT de> <CAGHJv4cUbx_sMCwUgzTd3ZaXVgbfgPt1Fs7pOO4UtwZhFFj-uA AT mail DOT gmail DOT com> <20130529152339 DOT GB4471 AT calimero DOT vinschen DOT de> <CAGHJv4cKU_vHa7KddQ5dK_3dkj792A8X5Ps9njS_gBNEFWz63Q AT mail DOT gmail DOT com> <20130529170147 DOT GG4471 AT calimero DOT vinschen DOT de> <CAGHJv4cms9Cg=VA0bFsqK_MvY1fhYbgQA2iOWRKxA=O0Z1FL1A AT mail DOT gmail DOT com> <20130530090326 DOT GJ4471 AT calimero DOT vinschen DOT de>
In-Reply-To: <20130530090326.GJ4471@calimero.vinschen.de>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Reply-To: jaltman AT openafs DOT org

On 5/30/2013 5:03 AM, Corinna Vinschen wrote:

> On the other hand, in the same situation the UAC-crippled admins's token
> does not contain the "Create symbolic links" right:
> 
>   $ /cygdrive/c/Windows/System32/whoami /priv
> 
>   PRIVILEGES INFORMATION
>   ----------------------
> 
>   Privilege Name                Description                          State
>   ============================= ==================================== ========
>   SeShutdownPrivilege           Shut down the system                 Disabled
>   SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
>   SeUndockPrivilege             Remove computer from docking station Disabled
>   SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
>   SeTimeZonePrivilege           Change the time zone                 Disabled
> 
> I also changed the "Create symbolic links" policy so that the "Users"
> group is the only group getting this right.  In other words, I removed
> the "Administrators" group entirely, logged off, logged on, and the
> result was the same as above.
> 
> This is a bug in UAC if you ask me.  It seems to remove privileges from
> the UAC-crippled admin's token based on a fixed internal list, totally
> ignorant of changes in the security policy.

This is a design flaw but it is working as documented.   Administrators have
SeCreateSymbolicLinkPrivilege by default so UAC removes it.   What UAC
should
do in my opinion is not remove a static list of permissions but only
remove those permissions that are not granted to standard users.

If your organization is a user of native symlinks and you have a support
agreement with Microsoft, I recommend filing a support request to have
this behavior changed.

Jeffrey Altman



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple