This is the mail archive of the
mailing list for the Cygwin project.
Re: [RFC] Globally creating a user and a group "root"
At 10:56 AM 11/12/2003 +0100, Corinna Vinschen wrote:
>On Tue, Nov 11, 2003 at 01:22:50PM -0500, Pierre A. Humblet wrote:
>> This indeterminacy might cause headaches during the transition period,
>> it's hard to foresee all ramifications.
>I'm running my system for at least a year with two group entries,
>root:S-1-5-32-544:0: and admin:S-1-5-32-544:544: and I never saw any
>negative influence. It's the same group from the Windows point of view
>so no problems from that side. It's basically just another name and gid
>for the same user.
Exim can be quite picky about permissions. If it expects 544 it won't be
happy with 0. But I will fix all that in the next release.
>> This being said, exim shouldn't care as long as 544 maps to S-1-5-32-544.
>> It autodetects if it is privileged and, if so, setgid(544) & setuid(18)
>> to normalize its environment (that was done with Windows 2003 in mind).
>I don't understand. You were the one who figured out the 2003 problem
>with the SYSTEM account. So, erm...
No sure what you mean. Recall that when we setuid(18) we use the privileges
that are defined for SYSTEM in security.cc, not those that MS assigns on 2003.
>> In summary, no problem (AFAICS) if 544 appears before 0. I need a decent
>> transition period before you reverse the order (affects only new
>> exim installs), and a long one before you get rid of 544 (affects existing
>IMHO we should not wait too long. At one point we must do it anyway
>and it's easy to make the transition for the user: just upgrade Cygwin
>and the affected packages. It's no step which actually destroys
>anything but it will help all 2003 users and also users of other systems
>since the new "root" account would circumvent any permission problems.
>If a new Windows requires new privileges to do the really interesting
>stuff, just add them to "root" and you're done. Knock on wood...
>Anyway, I think we should add "root/0" to /etc/group so that it comes
>before the "administrators/544" entry right from the beginning. What
>happens in an exim installation then?
Actually it works just fine, and both 544 and 0 appear in id.
Patting myself on the back :)
I have one extra comment: Cygwin introduces a number of security holes,
which I have started to plug. The fixes to the biggest ones
seem to be stalled, and there are still a number of other patches to come.
By introducing the root user on 2003 we are undoing positive steps taken by
We should warn the user of the current privilege escalation risk.