Recent security improvements breaks proftpd
Pierre A. Humblet
Pierre.Humblet@ieee.org
Thu Sep 18 23:35:00 GMT 2003
At 09:07 AM 9/18/2003 -0400, Jason Tishler wrote:
>Pierre,
>
>The following change breaks proftpd:
>
> http://cygwin.com/ml/cygwin-cvs/2003-q3/msg00237.html
>
>By "breaks", I mean the following failure occurs when a user attempts
>to authenticate:
>
> C:\Cygwin\usr\sbin\proftpd.exe: *** CreateFileMapping, Win32 error 5.
Terminating.
Jason,
That's a good one, Microsoft biting back. Here is my current
hypothesis.
A feature of MS is that when you are in the Administrators group,
the default DACL for newly created objects is Administrators +
System, instead of yourself + System for normal users.
The mount table shared is now created with "sec_none", which uses
the default above.
When you (being in Administrators, but with gid 10513) sign in
through proftp, your supplementary groups (including Admins) are
stripped by setgroups(0, NULL). Consequently you loose access to
your own mount table.
So the root cause is old and not related to recent changes.
sec_none is used a lot in Cygwin. It should either be redefined
to include the user, or the default DACL in the process access
token should be set to something sensible when starting Cygwin.
I will come up with a long term solution.
Pierre
More information about the Cygwin-developers
mailing list