This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: Permission denied on a windows share


Randall R Schulz wrote:
> Have you read the Cygwin documents regarding file modes / permissions and how they relate to Windows permissions?
Yes I did.


> If the mapping from Windows permissions to POSIX-style file modes says the file is inaccessible, Cygwin must deny the program access even if Windows would allow it. You've asked Cygwin to do that by enabling "ntsec."
If this is true, then I don't understand Corinna's talk about "The mapping leak". If in the end, cygwin does its own checking, why bother with Windows security if the mapping is flawed anyway? If the answer is "because it works well most of the time", then this gives a false sense of security. If some administrator tries to open a file under a specific username for testing (like "guest") and gets a permission denied, he will think "good, my security works, this user can't access the file". Now the user logs in with his notepad and "oooh, wonderful, I can edit the sshd conf or inetd.conf". Ok, this is a little far-fetched because which administrator would write a config file owned by Guest on a domain account? But the idea is there.
So the question is: if I can edit a file with a Windows application, what's the point in having more restrictions with cygwin? If cygwin was running in a "sand-box" (I think it's the term :p), then ok. But since cygwin applications are normal Windows applications with added features, nothing keeps a cygwin trojan from running a notepad and editing the file it couldn't edit otherwise.


> The bottom line is that a POSIX-style file mode is inherently and ineluctably an imperfect reflection of the essential Windows permissions.
>
> You must live with the discrepancy.
As long as the discrepancy makes sense to me, I'm fine. And despite all your effort, it still doesn't. The good news is that Corinna also thinks there is a bug. So I'm glad to be a little stubborn (if not thickheaded) on that matter :)

Jehan



