Date: Tue, 31 Mar 2015 23:55:03 +0300
From: Andrey Repin
Reply-To: cygwin AT cygwin DOT com
Message-ID: <1837571490.20150331235503@yandex.ru>
To: Eliot Moss, cygwin AT cygwin DOT com
Subject: Re: More about permissions
In-Reply-To: <551A9149.4020408@cs.umass.edu>

Greetings, Eliot Moss!

>> Why does SYSTEM need full access to the files? If it's a backup tool,
>> it has SE_BACKUP_NAME/SE_RESTORE_NAME access anyway. Every tool with
>> Administrators in the token has the right to enable these access rights
>> anyway.

> I am not sure this particular program (CrashPlan) works that way.

That's not a program property, but the user you run the program from.

> I suppose that I am seeing SYSTEM as the moral equivalent of root in
> POSIX. In POSIX, root can access anything, and I don't believe ACLs
> can lock it out. I agree that Windows does not really have the concept
> of a single 'root'. Administrators is close, but the various aspects
> of root are split up in different ways. We're not going to get a
> perfect mapping.

I think I've explained it earlier, but here it is again:
In the POSIX model, root has implicit permissions.
In the Windows model, there are NO implicit permissions at all. Everything should be
explicitly assigned. I.e. SeBackupRestore privilege.
If you deny SYSTEM access to a file, the OS will not be able to do anything about
it. Been there, blocked changes to cmd.exe when I was experimenting with 4NT.
(And cmd.exe was in fact renamed 4nt.exe.) None of the Windows autotools were
able to get around it.

> Maybe what I am looking for is something like this:
> - Certain Windows accounts/groups would be treated as 'root' for cygwin's
> purposes, perhaps controlled by a list in a file read when cygwin starts up.

The list would be very short. "NT AUTHORITY\SYSTEM".

--
With best regards,
Andrey Repin
Tuesday, March 31, 2015 23:48:58

Sorry for my terrible English...
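
A simplified model of the contrast discussed in the message above, as an added example that is not part of the original post or of Cygwin's code: an ordered DACL walk in which access comes only from explicit ACEs or explicitly enabled privileges, beside a POSIX-style check where uid 0 bypasses the permission bits. The access-bit values, the account names other than NT AUTHORITY\SYSTEM, the sample DACL and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

READ, WRITE = 0x1, 0x2   # constructed access bits, not real Windows mask values
SYSTEM = "NT AUTHORITY\\SYSTEM"
ADMINS = "BUILTIN\\Administrators"
USER = "HOST\\eliot"     # hypothetical local account


@dataclass
class Token:
    sids: set
    enabled_privs: set = field(default_factory=set)


def windows_access_check(token, dacl, desired, backup_intent=False):
    """dacl is an ordered list of (kind, sid, mask); kind is 'deny' or 'allow'."""
    granted = 0
    # A privilege counts only if it is enabled in the token and the caller
    # opens the file with backup/restore intent.
    if backup_intent:
        if "SeBackupPrivilege" in token.enabled_privs:
            granted |= READ
        if "SeRestorePrivilege" in token.enabled_privs:
            granted |= WRITE
    for kind, sid, mask in dacl:
        if sid not in token.sids:
            continue
        if kind == "deny" and (mask & desired & ~granted):
            return False     # explicit deny on a bit that is still needed
        if kind == "allow":
            granted |= mask
        if (desired & ~granted) == 0:
            return True
    # Nothing is implicit: any bit not granted above is refused, even for SYSTEM.
    return (desired & ~granted) == 0


def posix_access_check(uid, owner_uid, mode, desired):
    """Owner/other bits only, for brevity; uid 0 skips the bits entirely."""
    if uid == 0:
        return True
    bits = (mode >> 6) & 0o7 if uid == owner_uid else mode & 0o7
    want = (4 if desired & READ else 0) | (2 if desired & WRITE else 0)
    return (bits & want) == want


# Constructed sample DACL: an explicit deny of write access for SYSTEM comes first.
SAMPLE_DACL = [("deny", SYSTEM, WRITE),
               ("allow", SYSTEM, READ | WRITE),
               ("allow", ADMINS, READ | WRITE)]
```

With `SAMPLE_DACL`, a SYSTEM token is refused write access on a normal open, while the same token with `SeRestorePrivilege` enabled and `backup_intent=True` is granted it; `posix_access_check(0, ...)` succeeds whatever the mode bits are.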