X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:reply-to:message-id:to:subject
	:in-reply-to:references:mime-version:content-type
	:content-transfer-encoding; q=dns; s=default; b=D08Sn6Fnf76Z+rmV
	HeREXwBZVYwkGSqNMz4QicGhIVEaP52SvhJtQ1Blx7R+wgaKd/SXRcOZh5DL3s/H
	tBMPCAlQq2Xs+l34KJH9h9/gfuECNckz4Pm6ttRvRL9y5LVB9kci63JX/SvQNyJa
	Jbe6b++NkA39UwUb400DJDaFFuk=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:reply-to:message-id:to:subject
	:in-reply-to:references:mime-version:content-type
	:content-transfer-encoding; s=default; bh=bCoobDF9fszIyiybCc+Evy
	/9tIQ=; b=EWmXdD6l2nkbgbkh8Nyd7mPR+bJyEVPCnUocZRWy30fcnR6fKBCmKn
	bnblsHLRKrBBtPpiEuPqcJJ6kCMA8Inqit6OA41Y+Lv/g+Oqiqaw8Oma0xIJzJbx
	mT0oZdZuFW+MDN70W4YbDX6CoRfalfrXr4h33KDKLe5J2WDhz0/MU=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=4.5 required=5.0 tests=AWL,BAYES_50,FREEMAIL_FROM,KAM_THEBAT,SPF_SOFTFAIL autolearn=no version=3.3.2
X-HELO: smtpback.ht-systems.ru
Date: Sat, 2 Nov 2013 21:47:06 +0400
From: Andrey Repin <anrdaemon AT yandex DOT ru>
Reply-To: Andrey Repin <cygwin AT cygwin DOT com>
Message-ID: <1709690551.20131102214706@mtu-net.ru>
To: "Brian S. Wilson" <wilson AT ds DOT net>, cygwin AT cygwin DOT com
Subject: Re: vi stealing SYSTEM-owned permissions and ownership
In-Reply-To: <D7F32E9AFFD647458EB73E4ECBC03F3E@NCC1701>
References: <5274F396 DOT A133C4CE AT boland DOT nl> <D7F32E9AFFD647458EB73E4ECBC03F3E AT NCC1701>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes

Greetings, Brian S. Wilson!

>> I'm a Linux teacher at a school for vocational education in the Netherlands.
>> I use Cyqwin to help my students overcome their fear of the command line by
>> showing them their Windows systems through the eyes of Linux.
> ...
>> After a chgrp and chmod on the entire Apache folder, the "conf" directory
>> looks like this: 
>>
>> drwxrwx---+ 1 SYSTEM apache     0 28 okt 20:43 .
>> drwxrwx---+ 1 SYSTEM apache     0  2 nov 13:10 ..
>> -rwxrwx---+ 1 SYSTEM apache 35142 26 okt 18:07 httpd.conf
>> -rwxrwx---+ 1 SYSTEM apache 34770  7 okt 23:29 httpd.default.conf
>> -rwxrwx---+ 1 SYSTEM apache 13340  3 okt 07:59 magic
>> -rwxrwx---+ 1 SYSTEM apache 13340 21 nov  2004 magic.default
>> -rwxrwx---+ 1 SYSTEM apache 54599  3 okt 07:59 mime.types
>> -rwxrwx---+ 1 SYSTEM apache 54599 17 mrt  2012 mime.types.default
>> -rwxrwx---+ 1 SYSTEM apache  9390  5 feb  2013 openssl.cnf
>> -rwxrwx---+ 1 SYSTEM apache 11050  3 okt 07:59 ssl.conf
>> -rwxrwx---+ 1 SYSTEM apache 11030  7 okt 23:29 ssl.default.conf
>> 
>>My students can now administer Apache without running Cygwin "As
> administrator".

> Your statement may not be quite accurate.  The Cygwin Apache instance
> appears to be running as the "SYSTEM" user since that is the file owner, but
> your students can administer the files because they are members of the
> "apache" group.  I can't really tell which user id is running your Apache
> process because I don't know how you are actually starting the Apache
> process.  Most production Apache instances do not run as the "root" user
> since this is a security risk.

> If my guess about the Apache process owner is correct, please make your
> students aware that if someone hacks their Cygwin Apache servers, the hacker
> may gain the same user access rights as the user id actually running the
> Apache process.  The Apache process owner would normally be a unique user
> account with no login or access privileges to protect the server from
> successful attacks (just because your Apache files are owned by "SYSTEM",
> Apache could be started under another, less privileged, user id for better
> protection; but it is common practice to have the file owner also be the
> user id that normally executes the file).  It is common to see a "nobody"
> user as the owner of Apache in production systems.

> I've spent some time over several years trying to figure out how to get
> Apache working as a "nobody" user under Cygwin.  I've never succeeded in
> getting it to work properly, and my comments to this board have not yielded
> an answered.  I don't think it is possible to make Apache work this way
> under Cygwin, but your students should be made aware of this difference.

> If anyone is aware of how to get Apache working using a restricted "nobody"
> user id under Cygwin, please respond (or start a new thread).

I can't imagine alot of reasons to not use native Windows Apache server, which
is much better adapted for running in Windows security environment.


--
WBR,
Andrey Repin (anrdaemon AT yandex DOT ru) 02.11.2013, <21:44>

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple