Admin can read user file from bash, despite permissions
Gmane User
fma@doe.carleton.ca
Thu Apr 10 15:25:00 GMT 2008
Corinna Vinschen wrote:
> On Apr 10 04:19, Gmane User wrote:
>> I have a power user file that has go-rwx. However, the administrator
>> account can "less" the contents from a bash command line. This is
>> both logging onto Windows 2000 as admin, as well as ssh'ing in
>> (loopback) from the power user log-in session. The administrator can
>> also "mv" the file to a different name, but it can't create a new file
>> in the same folder e.g. by "cp".
>>
>> CACLS shows an extensive set of permissions for the power user owner,
>> but only READ_CONTROL, FILE_READ_EA, & FILE_READ_ATTRIBUTES for
>> LaptopName\None and Everyone. I've come across nothing on the web
>> (yet) about a special privilege that allows administrators the level
>> of access that it seems to have. In fact, if I just open up a DOS
>> shell as Administrator, I cannot "more" the said file. So it seems to
>> be specific to Cygwin rather than Windows.
>> [...]
>> what is the explanation?
>
> The secret word for tonight is "Privileges". See
> http://msdn2.microsoft.com/en-us/library/bb530716(vs.85).aspx
>
> Administrators have the SE_BACKUP_NAME privilege by default. Cygwin
> opens the files with the FILE_FLAG_BACKUP_SEMANTICS flag set, see
> http://msdn2.microsoft.com/en-us/library/aa363858.aspx So, all accounts
> with the backup privilege (usually admins and backup operators) can open
> all files. That's the same as with the "root" user on UNIX.
>
> It does not work with the standard Windows tools, because these tools
> don't open files with FILE_FLAG_BACKUP_SEMANTICS. Sort of an
> obfuscation, if you ask me.
>
> cp doesn't work because the current release of Cygwin doesn't use
> the FILE_FLAG_BACKUP_SEMANTICS flag in every necessary place so far.
Thank you, Corinna. That was very informative.
BTW, I found this site to be invaluable for those ramping up:
http://www.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsAPrivilege.html
Cheers!
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
More information about the Cygwin
mailing list