This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: backup privileges [was: [ANNOUNCEMENT] Updated: cygwin-1.5.22-1]


On Nov 29 21:53, Eric Blake wrote:
> Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > - Always open files with backup/restore intent to emulate real "root"
> >   access.  Fix access(2) accordingly. (corinna)
> 
> This change has some interesting effects, and I think you did the right thing 
> by making access(2) reflect what open() is capable of.  But now both the 
> findutils and coreutils testsuites report failures, where before this patch 
> they were passing, when the testsuite is run by a user in the Administrators 
> group.  These failures are spurious, due to the fact that the testsuites are 
> making the (IMO unfounded) assumption that it should always be impossible to 
> read a file with mode 000.  The coreutils testsuite, at least, recognizes the 
> importance of checking in advance which tests of the testsuite must be skipped 
> when run by root/non-root entities due to the different semantics that 
> privileges outside of the ACL scheme can provide, but obviously did not catch 
> all the cases.  But it took me a while to realize that these were testsuite 
> bugs and not program bugs.

So the testsuites also fail when running on Linux under root?  Or do
they check for uid 0?

> But it does beg the question of whether it should be configurable whether a 
> user WANTS to use backup privileges to bypass ACLs.  It seems like cygwin is 
> very often installed by users that happen to have Administrator privileges, but 
> who don't know any better that they must be careful (in particular, think of 
> home users).  For the same reasons that you don't normally run as root on 
> Linux, even when you know the root password, you shouldn't normally be allowing 

Which gives us a lesson known for ages.  Don't run under admin
privileges, except you have to.  By allowing an admin user everything
which an admin user has the right to do, Cygwin is not different then
when running under root on Linux.

And, probably I'll get shot down for saying that, Cygwin is not intended
for users who don't know what they are doing.  There are other tools out
there which happen to serve that target audience well.

Btw., when running under Vista, a default shell for the administrator
will run under a reduced privilege set which does not contain backup and
restore rights.  That's exactly what you're asking for without having to
add another flag to Cygwin.  This does not help when you run the shell
with full privilege set of course, which is still quite easy to
accomplish.  So, for all OSes, even for Vista, the answer is what every
good doctor will tell you:  "Don't do that then."


Corinna


P.S.:  In good old "root"-user tradition, I'm about to check in a change
which also allows admin users to chdir into directories which have strict
permissions set.


-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]