Date: Sat, 2 Nov 2013 21:47:06 +0400
From: Andrey Repin
Reply-To: Andrey Repin
Message-ID: <1709690551.20131102214706@mtu-net.ru>
To: "Brian S. Wilson" , cygwin AT cygwin DOT com
Subject: Re: vi stealing SYSTEM-owned permissions and ownership
References: <5274F396 DOT A133C4CE AT boland DOT nl>

Greetings, Brian S. Wilson!
>> I'm a Linux teacher at a school for vocational education in the Netherlands.
>> I use Cygwin to help my students overcome their fear of the command line by
>> showing them their Windows systems through the eyes of Linux.
> ...
>> After a chgrp and chmod on the entire Apache folder, the "conf" directory
>> looks like this:
>>
>> drwxrwx---+ 1 SYSTEM apache     0 28 okt 20:43 .
>> drwxrwx---+ 1 SYSTEM apache     0  2 nov 13:10 ..
>> -rwxrwx---+ 1 SYSTEM apache 35142 26 okt 18:07 httpd.conf
>> -rwxrwx---+ 1 SYSTEM apache 34770  7 okt 23:29 httpd.default.conf
>> -rwxrwx---+ 1 SYSTEM apache 13340  3 okt 07:59 magic
>> -rwxrwx---+ 1 SYSTEM apache 13340 21 nov  2004 magic.default
>> -rwxrwx---+ 1 SYSTEM apache 54599  3 okt 07:59 mime.types
>> -rwxrwx---+ 1 SYSTEM apache 54599 17 mrt  2012 mime.types.default
>> -rwxrwx---+ 1 SYSTEM apache  9390  5 feb  2013 openssl.cnf
>> -rwxrwx---+ 1 SYSTEM apache 11050  3 okt 07:59 ssl.conf
>> -rwxrwx---+ 1 SYSTEM apache 11030  7 okt 23:29 ssl.default.conf
>>
>> My students can now administer Apache without running Cygwin "As
>> administrator".
>
> Your statement may not be quite accurate. The Cygwin Apache instance
> appears to be running as the "SYSTEM" user since that is the file owner, but
> your students can administer the files because they are members of the
> "apache" group. I can't really tell which user id is running your Apache
> process because I don't know how you are actually starting the Apache
> process. Most production Apache instances do not run as the "root" user
> since this is a security risk.
>
> If my guess about the Apache process owner is correct, please make your
> students aware that if someone hacks their Cygwin Apache servers, the hacker
> may gain the same user access rights as the user id actually running the
> Apache process. The Apache process owner would normally be a unique user
> account with no login or access privileges to protect the server from
> successful attacks (just because your Apache files are owned by "SYSTEM",
> Apache could be started under another, less privileged, user id for better
> protection; but it is common practice to have the file owner also be the
> user id that normally executes the file). It is common to see a "nobody"
> user as the owner of Apache in production systems.
>
> I've spent some time over several years trying to figure out how to get
> Apache working as a "nobody" user under Cygwin. I've never succeeded in
> getting it to work properly, and my comments to this board have not yielded
> an answer. I don't think it is possible to make Apache work this way
> under Cygwin, but your students should be made aware of this difference.
>
> If anyone is aware of how to get Apache working using a restricted "nobody"
> user id under Cygwin, please respond (or start a new thread).

I can't imagine a lot of reasons not to use the native Windows Apache server,
which is much better adapted for running in the Windows security environment.


-- 
WBR,
Andrey Repin (anrdaemon AT yandex DOT ru) 02.11.2013, <21:44>

Sorry for my terrible English...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
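To make Brian's point about the run-as account concrete, here is a small script, added as an example and not code from anyone in the thread, that takes the `ls -l` listing quoted above and works out which files under conf/ a compromised Apache worker could rewrite, depending on which account the process actually runs as. It models only the POSIX mode bits that Cygwin prints; the trailing `+` in the mode column means an NTFS ACL is also present and may grant more, so the result is a lower bound on what the account can touch. The sample listing is constructed from the thread, and the accounts `student` (a member of `apache`) and `nobody` (no group memberships) are assumptions for the demonstration. It is Python so that it runs unchanged under Cygwin or anywhere else.

```python
"""Which files could a compromised daemon rewrite?

Added example for the cygwin thread above; not code from the original posts.
Parses Cygwin `ls -l` output and evaluates the classic rwx bits for a given
account. Only the POSIX projection is modelled: the trailing '+' in the mode
column means an NTFS ACL is also present and may grant more than shown here.
"""
from collections import namedtuple

Entry = namedtuple("Entry", "mode owner group name")

# Constructed from the listing quoted in the thread (file names contain no spaces).
LISTING = """\
drwxrwx---+ 1 SYSTEM apache     0 28 okt 20:43 .
drwxrwx---+ 1 SYSTEM apache     0  2 nov 13:10 ..
-rwxrwx---+ 1 SYSTEM apache 35142 26 okt 18:07 httpd.conf
-rwxrwx---+ 1 SYSTEM apache 34770  7 okt 23:29 httpd.default.conf
-rwxrwx---+ 1 SYSTEM apache 13340  3 okt 07:59 magic
-rwxrwx---+ 1 SYSTEM apache 13340 21 nov  2004 magic.default
-rwxrwx---+ 1 SYSTEM apache 54599  3 okt 07:59 mime.types
-rwxrwx---+ 1 SYSTEM apache 54599 17 mrt  2012 mime.types.default
-rwxrwx---+ 1 SYSTEM apache  9390  5 feb  2013 openssl.cnf
-rwxrwx---+ 1 SYSTEM apache 11050  3 okt 07:59 ssl.conf
-rwxrwx---+ 1 SYSTEM apache 11030  7 okt 23:29 ssl.default.conf
"""


def parse_listing(text):
    """Parse `ls -l` lines into Entry tuples. Assumes names without spaces;
    blank lines and a 'total N' header are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue
        entries.append(Entry(mode=parts[0], owner=parts[2],
                             group=parts[3], name=parts[-1]))
    return entries


def effective_perms(entry, user, groups):
    """rwx set that `user` (member of `groups`) gets from the mode bits.

    Standard POSIX rule: the owner triplet applies if the user is the owner,
    otherwise the group triplet if one of the user's groups matches,
    otherwise the 'other' triplet. The triplets are not combined.
    """
    bits = entry.mode[1:10]          # drop the type character and the '+' ACL marker
    if user == entry.owner:
        tri = bits[0:3]
    elif entry.group in groups:
        tri = bits[3:6]
    else:
        tri = bits[6:9]
    perms = set()
    if tri[0] == "r":
        perms.add("r")
    if tri[1] == "w":
        perms.add("w")
    if tri[2] in "xst":              # lowercase s/t = setuid/setgid/sticky with x set
        perms.add("x")
    return perms


def writable_by(text, user, groups=frozenset()):
    """Regular files in the listing that `user` could modify (directories excluded)."""
    return [
        e.name
        for e in parse_listing(text)
        if e.mode[0] == "-" and "w" in effective_perms(e, user, groups)
    ]


def run_as_report(text):
    """Compare candidate daemon accounts; 'student' and 'nobody' are assumed names."""
    candidates = {
        "SYSTEM (file owner)": ("SYSTEM", frozenset()),
        "student (member of apache)": ("student", frozenset({"apache"})),
        "nobody (no groups)": ("nobody", frozenset()),
    }
    return {label: writable_by(text, u, g) for label, (u, g) in candidates.items()}


if __name__ == "__main__":
    for label, files in run_as_report(LISTING).items():
        print(f"{label}: {', '.join(files) or '(nothing)'}")
```

Run as SYSTEM, or as any account in the `apache` group, the worker could overwrite every file in conf/ including httpd.conf, which is exactly the exposure Brian describes. An account outside the group gets `---` and can touch nothing, which is what "less privileged" buys you; whether Cygwin's httpd can actually be started under such an account is the open question in the thread, not something this script answers.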