This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: More about permissions

Greetings, Eliot Moss!

 >>> I am not sure this particular program (CrashPlan) works that way.
>> That's not program property, but the user you run the program from.

> Perhaps, but it runs as a background service.  I never explicitly said what
> user it runs as, etc.

> Looking in Services, I see is logs on as "Local System account".  Using
> Process Explorer, it appears to run without SEBackup/Restore privileges.
> Since the program has to request them itself as it runs, I don't see any
> good way to fix this.

Well, then, as Corinna said, the task isn't up to the job, if it doesn't
enable necessary privileges.
Either way, this is an offtopic.

>> I think i've explained it earlir, but here's it again:
>> In POSIX model, root have implicit permissions.
>> In Windows model, there NO implicit permissions at all. Everything should be
>> explicitly assigned. I.e. SeBackupRestore privilege.
>> If you deny SYSTEM access to a file, OS will not be able to do anything about
>> it. Been there, blocked changes to cmd.exe when I was experimenting with 4NT.
>> (And cmd.exe was in fact renamed 4nt.exe.) None of the Windows autotools were
>> able to get around it.

> Yes, I get that.  Hence my desire to grant SYSTEM:rwx on everything.

That's one way to solve your issue, but not a correct way.

> What we seem to have ended up with here, though, is that the
> root privileges are explicit and are exposed in the ordinary permissions visible
> with, say, ls -l.  This is not natural from a POSIX point of view (I claim);
> otherwise, we'd more or less show access of rwxrwxrwx on everything in POSIX.

> Now where this really makes a difference is when I am transferring files between my Windows
> system and other systems that are Unix-based, using git, rsync, and such tools.
> Either I remove SYSTEM access or the permissions get messed up.

That's one of the reasons why I think SYSTEM account privileges needs to be
hidden from POSIX access mask. It needs to be shown in getfacl to reduce
confusion, though, but otherwise there's no case, where hiding it could cause
any more harm, than showing it.

>>> Maybe what I am looking for is something like this:
>>> - Certain Windows accounts/groups would be treated as 'root' for cygwin's
>>>     purposes, perhaps controlled by a list in a file read when cygwin starts up.

>> The list would be very short. "NT AUTHORITY\SYSTEM".

> Ok -- I would be happy with that, rather than having g+rwx happening to every
> file because I am granting SYSTEM access.

> Do you begin to see the bind I feel myself in?

Do tell me? I'm perpetually caught in it.

With best regards,
Andrey Repin
Wednesday, April 1, 2015 03:47:24

Sorry for my terrible english...

Problem reports:
Unsubscribe info:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]