This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: More about permissions
- From: Andrey Repin <anrdaemon at yandex dot ru>
- To: Eliot Moss <moss at cs dot umass dot edu>, cygwin at cygwin dot com
- Date: Wed, 1 Apr 2015 03:52:40 +0300
- Subject: Re: More about permissions
- Authentication-results: sourceware.org; auth=none
- References: <551A13D8 dot 1030701 at cs dot umass dot edu> <20150331101534 dot GE32403 at calimero dot vinschen dot de> <551A9149 dot 4020408 at cs dot umass dot edu> <1837571490 dot 20150331235503 at yandex dot ru> <551B3EA8 dot 4050607 at cs dot umass dot edu>
- Reply-to: cygwin at cygwin dot com
Greetings, Eliot Moss!
>>> I am not sure this particular program (CrashPlan) works that way.
>>
>> That's not program property, but the user you run the program from.
> Perhaps, but it runs as a background service. I never explicitly said what
> user it runs as, etc.
> Looking in Services, I see is logs on as "Local System account". Using
> Process Explorer, it appears to run without SEBackup/Restore privileges.
> Since the program has to request them itself as it runs, I don't see any
> good way to fix this.
Well, then, as Corinna said, the task isn't up to the job, if it doesn't
enable necessary privileges.
Either way, this is an offtopic.
>> I think i've explained it earlir, but here's it again:
>> In POSIX model, root have implicit permissions.
>> In Windows model, there NO implicit permissions at all. Everything should be
>> explicitly assigned. I.e. SeBackupRestore privilege.
>> If you deny SYSTEM access to a file, OS will not be able to do anything about
>> it. Been there, blocked changes to cmd.exe when I was experimenting with 4NT.
>> (And cmd.exe was in fact renamed 4nt.exe.) None of the Windows autotools were
>> able to get around it.
> Yes, I get that. Hence my desire to grant SYSTEM:rwx on everything.
That's one way to solve your issue, but not a correct way.
> What we seem to have ended up with here, though, is that the
> root privileges are explicit and are exposed in the ordinary permissions visible
> with, say, ls -l. This is not natural from a POSIX point of view (I claim);
> otherwise, we'd more or less show access of rwxrwxrwx on everything in POSIX.
> Now where this really makes a difference is when I am transferring files between my Windows
> system and other systems that are Unix-based, using git, rsync, and such tools.
> Either I remove SYSTEM access or the permissions get messed up.
That's one of the reasons why I think SYSTEM account privileges needs to be
hidden from POSIX access mask. It needs to be shown in getfacl to reduce
confusion, though, but otherwise there's no case, where hiding it could cause
any more harm, than showing it.
>>> Maybe what I am looking for is something like this:
>>
>>> - Certain Windows accounts/groups would be treated as 'root' for cygwin's
>>> purposes, perhaps controlled by a list in a file read when cygwin starts up.
>> The list would be very short. "NT AUTHORITY\SYSTEM".
> Ok -- I would be happy with that, rather than having g+rwx happening to every
> file because I am granting SYSTEM access.
> Do you begin to see the bind I feel myself in?
Do tell me? I'm perpetually caught in it.
--
With best regards,
Andrey Repin
Wednesday, April 1, 2015 03:47:24
Sorry for my terrible english...
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple