This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: How to deny directory-access for one dedicated user

From: Paul McFerrin <pmcferrin at columbus dot rr dot com>
To: cygwin at cygwin dot com
Date: Sat, 17 Oct 2009 14:14:28 -0400
Subject: Re: How to deny directory-access for one dedicated user
References: <hb2bil$o3s$1@ger.gmane.org> <416096c60910131027g3df5021ei9b15ab5067353ce0@mail.gmail.com> <4AD4D5FB.4000906@gmail.com> <hbcd9m$l73$1@ger.gmane.org> <4AD9EB0E.80601@gmail.com>
Reply-to: pmcferrin at columbus dot rr dot com

I agree with Dave with trying to deny access to a particular user under cygwin. The support is not there. I will touch on an actual feature that provides this capability. Under Amdahl UTS Unix, e.g. SVR3 like, there was feature that relied on the proper implementation of the chroot(2) system call. You can give the restricted user his own login space and make available certain other filesystems mounted for the restricted to give him/her what they actually allowed to have access to, and no more. Login was modified to look for a "*" in the password field to signify a sub-login with the passwd home directory as the argument to execute the chroot(2) system call and thereby execute login again under the new chroot. In order for this to be effective, one must execute caution in setting up this painful and elaborate work in achieving the desired environment for the restricted user. Without a real chroot(2) syscall, it really can't be done.

Cygwin as it stands today can't provide a true restricted environment if it provides general access to hard (C:/pathnames/) drives. Unless the PC itself is restrictive (limited networking).

The above is my personal opinion on this subject and does not reflect management views.

Dave Korn wrote:

Matthias Meyer wrote:

How to solve my goal? The user "backup" should backup all data but not certain directories.

It cannot be done. Your two requirements amount to:

1- I want the backup user to be able to access all files and directories
without restriction.
2- I want the backup user to be restricted from accessing certain files and
directories.

  As a matter of plain logic, these requirements just cannot both be satisfied
simultaneously in the same universe!  There is no means to give the backup
user privileges to access only-some-but-not-all of the files that the ACLs say
it should not have access to, because it would essentially require an entire
second level of ACLs on every file in the system to keep track of which files
the backup privilege gave access to and which files it did not.

    cheers,
      DaveK


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

References:
- How to deny directory-access for one dedicated user
  - From: Matthias Meyer
- Re: How to deny directory-access for one dedicated user
  - From: Andy Koppe
- Re: How to deny directory-access for one dedicated user
  - From: Dave Korn
- Re: How to deny directory-access for one dedicated user
  - From: Matthias Meyer
- Re: How to deny directory-access for one dedicated user
  - From: Dave Korn

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]