setup and ntsec
Pierre A. Humblet
Sat Jan 11 03:36:00 GMT 2003
I have studied complaints on the list related to the interaction
of setup and ntsec, sometimes asking privately for details.
Here are the results of the investigation and some recommendations.
First some background:
1) ACLs of installed files are determined by the inheritance
properties of the directories. That's Windows tradition.
It allows the easy implementation of site specific policies.
If there is no inheritance, setup defaults to giving full rights
In all cases I have examined, the inheritance settings were
sane, i.e. all normal users had at least rx access.
However Everyone did not always appear in the ACLs. When it
didn't, Users did.
Mentioning this fact in http://www.cygwin.com/download.html would
make sense and allow users to set appropriate inheritable
permissions before running set (wishful thinking? :( )
2) Non privileged users are sometimes presented with the
Windows "Install As Other User" popup, asking for the Administrator
One user mentioned that the popup does not appear when setup.exe
I have never seen the popup on NT and don't have easy access to 2000 and
XP to experiment. All users I contacted thought that the popup was from
http://www.cygwin.com/download.html should recommend NOT TO accept
the offer and to install as oneself, except if this is not allowed
by the ACL inheritances or if one wants to install for everybody
If one accepts the invitation, one may not have write access to
various configuration files.
3) Often the permissions displayed by Cygwin are too narrow, although
the files are accessible. This happens due to a combination of several
factors and is one of the main reasons to run with nontsec.
a) "Everyone" not appearing in the inheritable ACLs.
b) The file group not appearing in the ACLs. "None" never appears.
c) The installing user (or creator-owner) not appearing in the ACL.
The file group in b) is determined by a default in the access token of
the process. It must be one of the groups of the user running setup.
Its value does not *change* the access rights but can greatly influence
the permissions *shown* by Cygwin.
In the next e-mail I include a patch to setup.exe that attempts to
change the group from None to Users or Administrators. In all
cases I have examined this would improve the displayed permissions.
4) A less important reason to run with nontsec is that files that
never need to be executed are executable (but this allows one to start
an application, such as an editor, by clicking on the file icon).
The following command removes the execute permissions if they
are shown as off with nontsec.
CYGWIN=nontsec find . ! -perm -111 -print0 | env -u CYGWIN xargs -0 chmod a-x
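
Added illustration of point 3, not part of the original message and not Cygwin or setup.exe code: a simplified model in which the displayed owner/group/other bits are read only from the ACL entries for the file owner, the file group and "Everyone". The user name `alice`, the sample ACL and the function names are constructed for the example, and deny entries are ignored.

```python
# Simplified model (an assumption, not Cygwin source): with ntsec the
# displayed owner/group/other bits come from the ACL entries for the file
# owner, the file group and "Everyone". Entries for any other principal
# grant real access but do not show up in the displayed mode.
R, W, X = 4, 2, 1


def displayed_mode(acl, owner, group):
    """Mode string shown for a file under this model."""
    bits = [acl.get(owner, 0), acl.get(group, 0), acl.get("Everyone", 0)]
    return "".join(
        ("r" if b & R else "-") + ("w" if b & W else "-") + ("x" if b & X else "-")
        for b in bits
    )


def effective_access(acl, user, user_groups):
    """Rights actually granted: union of allow entries matching the user."""
    rights = 0
    for principal in {user, "Everyone", *user_groups}:
        rights |= acl.get(principal, 0)
    return rights


# Constructed sample: inherited ACL names Users and Administrators only,
# so factors a), b) and c) from the message all apply.
INHERITED_ACL = {"Administrators": R | W | X, "Users": R | X}


def demo():
    user, groups = "alice", ["Users", "None"]
    # File group left at the token default "None".
    before = displayed_mode(INHERITED_ACL, owner=user, group="None")
    # File group changed to "Users", as the proposed setup patch attempts.
    after = displayed_mode(INHERITED_ACL, owner=user, group="Users")
    real = effective_access(INHERITED_ACL, user, groups)
    return before, after, real


if __name__ == "__main__":
    before, after, real = demo()
    print("file group None :", before)
    print("file group Users:", after)
    print("alice can read:", bool(real & R), "execute:", bool(real & X))
```

In this model the access granted to `alice` is the same in both cases; only the displayed mode changes with the file group.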