This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: /usr/local, /var and */tmp in c:\Users\Public

From: Shaddy Baddah <lithium-cygwin at shaddybaddah dot name>
To: cygwin at cygwin dot com
Date: Fri, 14 Nov 2014 11:56:24 +1100
Subject: Re: /usr/local, /var and */tmp in c:\Users\Public
Authentication-results: sourceware.org; auth=none
References: <81578012-FD3F-4463-BC56-ADB092317DD4 at etr-usa dot com> <CABa6CEkRV=3FY6ZVGrdt--rH3PppwCJRD5poU0L2knv2k2ce_w at mail dot gmail dot com> <25F385A9-3E2D-44FC-998F-D2672F67DFE4 at etr-usa dot com> <m40npq$vrq$1 at ger dot gmane dot org> <ECD073FF-B78C-4D19-8DE1-5F4E390D2495 at etr-usa dot com> <20141113093335 dot GI2782 at calimero dot vinschen dot de> <40005E53-A327-4E4A-8C71-514E505F9FBC at etr-usa dot com> <20141113213005 dot GV2782 at calimero dot vinschen dot de>

Hi,

On 14/11/14 08:30, Corinna Vinschen wrote:

On Nov 13 14:09, Warren Young wrote:

On Nov 13, 2014, at 2:33 AM, Corinna Vinschen <corinna-cygwin@cygwin.com> wrote:

On Nov 12 17:19, Warren Young wrote:


Iâm not advocating that step so early, but maybe if this breakup does
happen, a few years later setup.exe can start applying some strong
ACLs to files it writes.


??? What "strong" ACLs?


The ones that are not there right now. :)

Just to pick a random example:

$ ls -l /bin/ls.exe
-rwxrwxr-x 1 Warren None 116253 Oct 13 10:12 /bin/ls.exe

The same fileâs permissions, from Windowsâ perspective:

http://etr-usa.com/cygwin/ls-perms.png


icacls output would be more helpful than a picture.

However, this isn't really a problem.  The group permissions are
apparently faked by Cygwin, they don't reflect the reality.  I just
don't remember why this is done, it's probably old.  Have to check...

So, just because I installed Cygwin with my regular user account, I
get permission to rewrite ls.exe.  This is not a good thing, if our
goal is to make Cygwin work like Linux while working *within* the
Windows environment.

IMHO, the way to meet both goals simultaneously is to put programs in
c:\Program Files,


No, sorry, but no.  We're certainly not going to turn everything upside
down installation-wise.  If you want Cygwin installed into Program
Files, just change it in the GUI.

and to give full-control perms to the local
Administrator account in the SAM case, or possibly the domain one in
the AD case.


BTDT.  The code is still in Setup, just doesn't run anymore.  The idea
was to install with user and group set to Administator/ Administrators,
but we had some complaints and the code got deactivated.  We can
reactivate the Administrators group, but that still requires to run
Setup elevated.  It doesn't work when running under a non-admin account.

However, the *other* idea is that if you install with an elevated Setup,
your account is an admin account anyway.  Ideally when you install
Cygwin for multiple users, you're using an account you're not using for
daily usage.


If you read back through some of my emails to this list, you'll see that
this is exactly the setup I adopted some time back. It is also why I
contributed the -B switch to setup.

What the OP is asking for has always been available. And it is
analogous with Unix.

What I do is:

1) create a non-admin user named portapps.
2) cmd
3) runas /user:portapps cmd
4) as portapps, run c:\Program Files\7zip\7zFM to give me a graphical
   way to navigate the filesystem and create folders.
5) Create a folder c:\Users\Public\portapps.
6) Adjust the permissions on that folder so that inheritance from
   c:\Users\Public is broken, and inherited permissions with portapps
   FullControl and Everyone read/execute (I'm talking Windows perms
   here).
7) Now I run setup-x86(_64) -B still as portapps from cmd, install to
   c:\User\Public\portapps\cygwin.
8) That's it. Now my regular user can run
   c:\User\Public\portapps\cygwin\bin\mintty - and cannot accidentally
   overwrite /bin, /etc or anything like that. All software
   administration (install, /etc config) is done via portapps user.
9) This is no different to unix/linux, where you'd have to do
   sudo apt-get install, or sudo yum install, or sudo vi /etc/profile
   etc.... portapps is almost equal to root.
10) If you want to do Windows privileged stuff, you'll have to run
   those in an elevated mintty. Of course there is still the danger of
   overwriting /bin there. But if you are limiting doing that to just
   things like ssh-host-config etc, than it's fine. Also best to have
   a separate admin account to your account if possible.

--
Regards,
Shaddy


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

References:
- /usr/local, /var and */tmp in c:\Users\Public
  - From: Warren Young
- Re: /usr/local, /var and */tmp in c:\Users\Public
  - From: cyg Simple
- Re: /usr/local, /var and */tmp in c:\Users\Public
  - From: Warren Young
- Re: /usr/local, /var and */tmp in c:\Users\Public
  - From: Andrew DeFaria
- Re: /usr/local, /var and */tmp in c:\Users\Public
  - From: Warren Young
- Re: /usr/local, /var and */tmp in c:\Users\Public
  - From: Corinna Vinschen
- Re: /usr/local, /var and */tmp in c:\Users\Public
  - From: Warren Young
- Re: /usr/local, /var and */tmp in c:\Users\Public
  - From: Corinna Vinschen

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]