Recent security improvements breaks proftpd

Pierre A. Humblet
Thu Sep 18 23:35:00 GMT 2003

At 09:07 AM 9/18/2003 -0400, Jason Tishler wrote:
>The following change breaks proftpd:
>By "breaks", I mean the following failure occurs when a user attempts
>to authenticate:
>    C:\Cygwin\usr\sbin\proftpd.exe: *** CreateFileMapping, Win32 error 5.


That's a good one, Microsoft biting back. Here is my current 

A feature of MS is that when you are in the Administrators group,
the default DACL for newly created objects is Administrators +
System, instead of yourself + System for normal users.

The mount table shared is now created with "sec_none", which uses
the default above.

When you (being in Administrators, but with gid 10513) sign in
through proftp, your supplementary groups (including Admins) are 
stripped by setgroups(0, NULL). Consequently you lose access to
your own mount table.

So the root cause is old and not related to recent changes. 
sec_none is used a lot in Cygwin. It should either be redefined 
to include the user, or the default DACL in the process access
token should be set to something sensible when starting Cygwin.
I will come up with a long term solution.
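
Added example, not part of the original message and not Cygwin or Windows code: a simplified Python model of the failure described above, where an object created with the default DACL becomes unreachable once the Administrators group is stripped from the token. The account name, group names and function names are constructed for illustration; the access check is reduced to a plain SID-set intersection.

```python
# Simplified model of the access check described above; not Windows or Cygwin code.
from dataclasses import dataclass

ADMINS = "BUILTIN\\Administrators"
SYSTEM = "NT AUTHORITY\\SYSTEM"
ERROR_ACCESS_DENIED = 5  # the "Win32 error 5" in the report


@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset
    default_dacl: frozenset  # SIDs granted on objects created without explicit security


def logon(user, groups):
    """Default DACL rule from the message: Administrators + System for admins, else user + System."""
    groups = frozenset(groups)
    first = ADMINS if ADMINS in groups else user
    return Token(user, groups, frozenset({first, SYSTEM}))


def create_object(creator, include_user=False):
    """sec_none-style creation: the object's DACL is the creator's default DACL.
    include_user=True models the proposed redefinition that also grants the user."""
    return creator.default_dacl | ({creator.user} if include_user else frozenset())


def drop_groups(token):
    """Effect of setgroups(0, NULL) as described: supplementary groups are stripped."""
    return Token(token.user, frozenset(), token.default_dacl)


def open_object(token, dacl):
    """Return 0 if any SID in the token is granted by the DACL, else ERROR_ACCESS_DENIED."""
    return 0 if ({token.user} | token.groups) & dacl else ERROR_ACCESS_DENIED


def scenario(groups, include_user=False, user="EXAMPLE\\alice"):  # constructed account name
    """Create the shared object at startup, strip groups at sign-in, then reopen it."""
    token = logon(user, groups)
    dacl = create_object(token, include_user)
    return open_object(drop_groups(token), dacl)


if __name__ == "__main__":
    print("admin, sec_none:       ", scenario([ADMINS]))
    print("normal user, sec_none: ", scenario(["EXAMPLE\\Domain Users"]))
    print("admin, user in DACL:   ", scenario([ADMINS], include_user=True))
```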

