This is the mail archive of the
cygwin-developers@sourceware.cygnus.com
mailing list for the Cygwin project.
ntsec: patch 9
- To: Chris Faylor <cgf@cygnus.com>
- Subject: ntsec: patch 9
- From: Corinna Vinschen <corinna@vinschen.de>
- Date: Wed, 04 Aug 1999 12:09:20 +0200
- CC: cygdev <cygwin-developers@sourceware.cygnus.com>
Hi!
I have patched security once again. The worst thing was a free() on
stack memory (Puh!).
ChangeLog:
==========
Thu Aug 4 10:28:00 Corinna Vinschen <corinna@vinschen.de>
* security.cc: Erased MALLOC_CHECK calls.
(lookup_name): New function simplifies the retrieval of user
and group names.
(alloc_sd): Calls `lookup_name' instead of `LookupAccountName'.
`system' gets no special permissions to files anymore.
`administrators' only get restricted permissions instead of
full access.
ACEs are generated only if the permissions are != 0 for that
user/group/other.
* shared.cc (sec_user): Calls `lookup_name' instead of
`LookupAccountName'.
'free`-call on stack space eliminated.
* winsup.h: Declaration for `lookup_name'.
* doc/ntsec.sgml: Adapted.
The permissions to administrators are restricted to the following:
read permissions
take ownership
This behaviour corresponds better to the typical WinNT settings:
No admin should have the right to change my files. Only actions
are allowed where there remains a fingerprint of the `evil-doer'.
A special case is, if I'm logged in as a user with administrators
as primary group. The settings should give more permissions to
the other admins to support better the typical behaviour of NT:
As you know, if one is member of admin group, all her files
are owned by the group instead of by her. This is not the case
with ntsec but the other admins should have easier access to the
administrative files. So in this case the admin group gets the
following permissions:
read permissions
write permissions
write owner
write ea
also in the case, where group permissions are set to 0.
Caution: The primary group is taken from passwd file (as before).
This is more convenient on workstations outside of domains because
the primary NT group is None (513) for each user, including
administrator (500), too. This can only be changed in NT domains.
Best Regards,
Corinna
ntsec-patch9.bz2