setup and ntsec

Pierre A. Humblet
Sat Jan 11 03:36:00 GMT 2003

I have studied complains on the list related to the interaction
of setup and ntsec, sometimes asking  privately for details.
Here are the results of the investigation and some recommendations.

First some background:
1) ACLs of installed files are determined by the inheritance 
properties of the directories. That's Windows tradition.
It allows the easy implementation of site specific policies.
If there is no inheritance, setup defaults to giving full rights
to Everyone.

In all cases I have examined, the inheritance settings were
sane, i.e. all normal users had at least rx access.
However Everyone did not always appear in the ACLs. When it
didn't, Users did. 

Mentioning this fact in would
make sense and allow users to set appropriate inheritable 
permissions before running set (wishful thinking? :( ) 

2) Non privileged users are sometimes presented with the 
Windows "Install As Other User" popup, asking for the Administrator
One user mentioned that the popup does not appear when setup.exe 
is renamed.
I have never seen the popup on NT and don't have easy access to 2000 and 
XP to experiment. All users I contacted thought that the popup was from 
setup itself. should recommend NOT TO accept
the offer and to install as oneself, except if this is not allowed
by the ACL inheritances or if one wants to install for everybody
(registry access).
If one accepts the invitation, one may not have write access to
various configuration files.

3) Often the permissions displayed by Cygwin are too narrow, although
the files are accessible. This happens due to a combination of several
factors and is one of the main reasons to run with nontsec.
a) "Everyone" not appearing in the inheritable ACLs.
b) The file group not appearing in the ACLs. "None" never appears.
c) The installing user (or creator-owner) not appearing in the ACL.

The file group in b) is determined by a default in the access token of
the process. It must be one of the groups of the user running setup.
Its value does not *change* the access rights but can greatly influence
the permissions *shown* by Cygwin.
In the next e-mail I include a patch to setup.exe that attempts to 
change the group from None to Users or Administrators. In all 
cases I have examined this would improve the displayed permissions. 

4) A less important reason to run with nontsec is that files that 
never need to be executed are executable (but this allows to start 
an application, such as an editor, by clicking on the file icon).
The following command removes the execute permissions if it they 
are shown as off with nontsec.

CYGWIN=nontsec find . ! -perm -111 -print0 | env -u CYGWIN xargs -0 chmod a-x


More information about the Cygwin-apps mailing list