This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: How to deny directory-access for one dedicated user

Dave Korn wrote:

> Andy Koppe wrote:
>> 2009/10/13 Matthias Meyer:
>>> But nevertheless, user Backup can access the directory as well as the
>>> files
>> Does user "Backup" have Administrator privileges?
>   No, user "Backup User" has the "Backup/Restore" privilege.  These are
> well-known reserved names in the NT security architecture.
>   And in fact administrator privs don't get you access to any file you
>   like:
> as it happens, the reason why adminstrators in fact *can* access any file
> on the system, regardless of ACLs, is because they have _backup_
> privileges - it's the exact inverse of the question you asked!
>   This is one of those areas where the underlying windows OS architecture
> diverges significantly from how things work in POSIX land and Cygwin can't
> do
> all that much to fudge over it.  You can be uid 0 on windows and not be
> able to read a file when you want, or you can have uid non-zero and yet
> still get complete access to every file you like!
>     cheers,
>       DaveK

My user is called "backup". It is an own created user.
"backup" is member of the administrator group and have the following
additional privileges, defined by editrights:

Thanks jason for the cacls hint.
I tried "cacls C:\Test /E /D backup". /E is very importand ;-)
But as before, user "backup" can acccess the directory.

Also after removing of the administrator group from user "backup"
and re-login, "backup" can access C:\Test.

Administrator@hostxp /
$ cacls "C:\Test"
C:\Test HOSTXP\Backup4U:(OI)(CI)N
        VORDEFINIERT\Administratoren:(OI)(CI)F          # predefined\Administrator:...
        ERSTELLER-BESITZER:(OI)(CI)(IO)F                # creater-owner:...
        VORDEFINIERT\Benutzer:(OI)(CI)R                 # predefined\user:...
        VORDEFINIERT\Benutzer:(CI)(Beschrnkter Zugriff:)        # predefined\user:.(restricted access:)

        VORDEFINIERT\Benutzer:(CI)(Beschrnkter Zugriff:)

backup@hostxp ~
$ cacls "C:\Test"
Zugriff verweigert              #=access denied

backup@hostxp ~
$ ls -alh "C:\Test"
total 0
drwx------+  2 meyer           Kein   0 Oct 17 13:15 .
drwxrwxr-x+ 12 Administratoren SYSTEM 0 Oct 17 13:15 ..
-rwx------+  1 meyer           Kein   0 Oct 17 13:15 Neu Textdokument.txt

How to solve my goal?
The user "backup" should backup all data but not certain directories.

Don't Panic

PS: Sorry for the inconvenience with German.

Problem reports:
Unsubscribe info:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]