This is the mail archive of the
mailing list for the cygwin project.
RE: Wich privileges required by ssh-host-config running user?
- From: "Dave Korn" <dave dot korn at artimi dot com>
- To: "'cygwin-bork at cygwin dot com'" <cygwin-talk at cygwin dot com>
- Date: Wed, 18 Jan 2006 18:42:45 -0000
- Subject: RE: Wich privileges required by ssh-host-config running user?
- Reply-to: The Cygwin-Talk Malingering List <cygwin-talk at cygwin dot com>
Brian Dessent wrote:
[OT so thread properly TITTTL'd]
> Power Users are administrators who simply have not made themselves
> administrators yet.
Well, yes, absolutely. Anyone who can install a device driver can make
themselves admins. (Anyone who can install a device driver can do _anything_
to the OS).
> You cannot remove the ACLs on the file system, or even the registry, and
> prevent that. Power Users are ingrained in the operating system, and
> they have sufficient privileges to escalate to an administrator fairly
> easily. You cannot use Power Users to contain untrusted users. It is
> only meant to keep well meaning users from hurting themselves and the
> operating system accidentally.
TBH, I find it hard to understand how anyone could make this
misinterpretation in the first place. The very term "*Power* users" implies
danger if mishandled, just like "power tools", at least to my way of thinking.
It very clearly indicates a user who *IS* trusted, so why anyone would think
it was about "containing untrusted users" is beyond me.
> Nevertheless, many organizations have
> policies to attempt to limit Power Users by performing blanket DACL
> replacement. The same types of policies are commonly found to replace
> the Everyone group with Authenticated Users or Domain Users, which we
> cover below. Unfortunately, attempts to perform blanket DACL replacement
> often have disastrous effects. "
In fact, it's not really true to say that "power users are ingrained in the
OS". Membership of the power users group, like every other group, implies a
certain set of rights and privileges, and the list of privs for each group is
specified in local or domain policies. (There's nothing to stop you giving
Guest every kind of right under the sun including "Act as part of the
operating system" or taking rights away from the power users or even the
Administrators group to leave them as-much-as- or even-more-than- hobbled than
Can't think of a witty .sigline today....