This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: Using native symlinks
- From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
- To: cygwin at cygwin dot com
- Date: Thu, 30 May 2013 11:03:26 +0200
- Subject: Re: Using native symlinks
- References: <CAGHJv4ftSKS6wR-Uzd9Gfvowqpn-WCQ0U01NexgCpZaYqd-Tow at mail dot gmail dot com> <20130528185553 dot GA31309 at calimero dot vinschen dot de> <CAGHJv4fkvRt1gQfNTarHGUQWvdRxRsy=oAA=pjUQTLQFoNoW-g at mail dot gmail dot com> <20130529083910 dot GD31309 at calimero dot vinschen dot de> <CAGHJv4cUbx_sMCwUgzTd3ZaXVgbfgPt1Fs7pOO4UtwZhFFj-uA at mail dot gmail dot com> <20130529152339 dot GB4471 at calimero dot vinschen dot de> <CAGHJv4cKU_vHa7KddQ5dK_3dkj792A8X5Ps9njS_gBNEFWz63Q at mail dot gmail dot com> <20130529170147 dot GG4471 at calimero dot vinschen dot de> <CAGHJv4cms9Cg=VA0bFsqK_MvY1fhYbgQA2iOWRKxA=O0Z1FL1A at mail dot gmail dot com>
- Reply-to: cygwin at cygwin dot com
On May 29 20:43, Chris Sutcliffe wrote:
> On 29 May 2013 13:01, Corinna Vinschen wrote:
> > On May 29 12:40, Chris Sutcliffe wrote:
> >> On 29 May 2013 11:23, Corinna Vinschen wrote:
> >> > On May 29 10:33, Chris Sutcliffe wrote:
> >> >> On 29 May 2013 04:39, Corinna Vinschen wrote:
> >> > Also, either way, did you logoff and logon so that the "Create symbolic
> >> > links" user right can be added to your user token? Note that your token
> >> > remains unchanged if you didn't exit from your session. Just changing
> >> > the Policy isn't enough, the OS needs a chance to create a new user token
> >> > for you containing the user right.
> >>
> >> I've rebooted the machine since making the change and it has had no
> >> effect. Is there something else I need to do?
> >
> > I don't know. I have to try (but not today). Did you try to add the
> > "Users" group to the Local Security Policy entry instead?
>
> I tried adding the "Users" group and it didn't help either.

I just tested it and can confirm it.

Try this: Start a login session of a normal user after adding the "Users"
group to the "Create symbolic links" right. Check the privileges
in the user token:

  $ /cygdrive/c/Windows/System32/whoami /priv

  PRIVILEGES INFORMATION
  ----------------------

  Privilege Name                Description                          State
  ============================= ==================================== ========
  SeShutdownPrivilege           Shut down the system                 Disabled
  SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
  SeUndockPrivilege             Remove computer from docking station Disabled
  SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
  SeTimeZonePrivilege           Change the time zone                 Disabled
  SeCreateSymbolicLinkPrivilege Create symbolic links                Disabled

On the other hand, in the same situation the UAC-crippled admin's token
does not contain the "Create symbolic links" right:

  $ /cygdrive/c/Windows/System32/whoami /priv

  PRIVILEGES INFORMATION
  ----------------------

  Privilege Name                Description                          State
  ============================= ==================================== ========
  SeShutdownPrivilege           Shut down the system                 Disabled
  SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
  SeUndockPrivilege             Remove computer from docking station Disabled
  SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
  SeTimeZonePrivilege           Change the time zone                 Disabled

I also changed the "Create symbolic links" policy so that the "Users"
group is the only group getting this right. In other words, I removed
the "Administrators" group entirely, logged off, logged on, and the
result was the same as above.

This is a bug in UAC if you ask me. It seems to remove privileges from
the UAC-crippled admin's token based on a fixed internal list, totally
ignorant of changes in the security policy.

Corinna

--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
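
The token check described in the mail above, as an added example that is not part of the original message: a small shell parser for `whoami /priv` output that separates a privilege that is present but Disabled (held in the token, can be enabled by the process) from one that is absent from the token. The function names are hypothetical, and the sample listing is constructed from the two outputs quoted in the mail.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the listing is
# constructed sample input copied from the whoami output in the mail.
user_token() { cat <<'EOF'
Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links                Disabled
EOF
}
# The UAC-filtered admin token from the mail: same rows minus the last one.
admin_token() { user_token | grep -v '^SeCreateSymbolicLinkPrivilege'; }

# priv_state NAME: read `whoami /priv` output on stdin and print
# Enabled, Disabled, or Absent (no row for NAME in the token).
priv_state() {
    awk -v want="$1" '
        { sub(/\r$/, "") }       # whoami.exe writes CRLF line endings
        $1 == want { print $NF; found = 1; exit }
        END { if (!found) print "Absent" }'
}

# missing_privs A B: privileges listed in text A but not in text B.
missing_privs() {
    printf '%s\n--\n%s\n' "$2" "$1" | awk '
        { sub(/\r$/, "") }
        $0 == "--" { second = 1; next }          # separator between B and A
        $1 !~ /^Se[A-Za-z]+Privilege$/ { next }  # skip headers and rules
        !second { have[$1] = 1; next }           # first part: rows of B
        !($1 in have) { print $1 }'              # second part: rows of A
}

# On Cygwin, check the live token with:
#   /cygdrive/c/Windows/System32/whoami /priv | priv_state SeCreateSymbolicLinkPrivilege
echo "normal user:    $(user_token | priv_state SeCreateSymbolicLinkPrivilege)"
echo "UAC admin:      $(admin_token | priv_state SeCreateSymbolicLinkPrivilege)"
echo "dropped by UAC: $(missing_privs "$(user_token)" "$(admin_token)")"
```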