This is the mail archive of the mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: .rhosts on W2K w/o ntsec

On Mon, Nov 18, 2002 at 10:50:43AM +0100, Christian Mueller wrote:
> Unless, of course, I turn ntsec off again as soon as ruserok() has 
> completed. The only way to do this would be in /etc/profile. Is this 
> safe, i.e. will Cygwin see the environment changing and turn off ntsec 
> for *all* subsequent syscalls and processes, even after forking, 
> setting new userids, ....?
What do you mean "setting new userids"? It is safe to turn ntsec off in
the /etc/profile or ~/.bash_profile sourced by the login shell. Of course 
the login shell itself will still have ntsec on, so it needs to reexec 
itself after turning ntsec off.
> Another problem would be that other services which don't start shells 
> such as the IPC daemon, apache, etc. would end up using ntsec.
Not sure if that's really a problem. At any rate that can be controlled with
the -e argument of cygrunsrv, but I don't know what will happen in each case.
> Wouldn't it be a good idea to store uid and gid in the extended 
> attributes as well and use them if ntsec is turned off? At least for 
> me this would be the perfect solution....
They are, of course, but Cygwin does not report them when ntsec is off.
Changing that behavior would probably hurt other users. Asking for a special
"cmueller" field to CYGWIN is unlikely to yield a positive reply.

I have reread your original e-mail and I don't fully understand why nontsec helps
you. The reasons you give are not compelling. Even with nontsec, the files you 
create are not owned by Administrators. Also, the directories created by Cygwin 
with ntsec do have inheritance turned on. In fact that inheritance determines the 
ACL of files created by Cygwin when ntsec is off, and also the ACL created by most 
Windows applications. Incidentally you can display these "stupid permissions" with
getfacl and change them with setfacl, so you could add Administrators if needed.
Is your group Administrators? If not, wouldn't it help to change it to that?


Unsubscribe info:
Bug reporting:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]