Untangling security - W2K on NT domain

Steve Jorgensen jorgens@coho.net
Sat Jul 21 23:06:00 GMT 2001


More detail on this issue.

System/network:
	Windows 2000 workstation
	Member of NT domain (server is NT 4.0)

Cygwin security settings:
	Nothing changed after normal install.
	$CYGWIN contains "binmode tty ntsec"

User for install/tests:
	Member of "Domain Users" on domain.
	Member of "<localmachine>\Administrators".

Directory/file permissions after install (setup.exe):
	Domain group "Everyone" has full permission to everything.
	Allow inheritable permissions... enabled on everything.

Permissions of folder created from Cygwin bash using mkdir:
	Owner is "<localmachine>\Administrator"
	"<localmachine>\Administrator" has full permission
	"Everyone" has all permissions except "Full Control"
	-- "<localmachine>\None" has all permissions except "Full Control" (?1) --
	Allow inheritable permissions... disabled.

Permissions of folder created during tar -xvzf ... into existing folder 
made by setup.exe:
	Owner is "<localmachine>\Administrator"
	"<localmachine>\Administrator" has full permission
	-- "Everyone" has only read, list, and execute, no write (?2) --
	"<localmachine>\None" has all permissions except "Full Control"
	Allow inheritable permissions... disabled.

Permissions of folder created during tar -xvzf ... into folder created by 
mkdir from Cygwin (?3):
	Owner is "<localmachine>\Administrator"
	"<localmachine>\Administrator" has full permission
	"Everyone" has all permissions except "Full Control"
	"<localmachine>\None" has all permissions except "Full Control"
	Allow inheritable permissions... disabled.


Questions/issues:

(?1)
According to 
http://sources.redhat.com/cygwin/cygwin-ug-net/ntsec.html#NTSEC-FILES , the 
None group should only appear when installing on a workgroup system, not a 
domain member.  Should be "Domain Users", not "None".

(?2)
Untar fails badly because, after it creates a directory, it has 
insufficient permission to add files to it.  To delete or modify these 
directories, I have to first take ownership because, though I'm a member of 
"<machine>\Administrators", I'm not "<machine>\Administrator".

(?3)
OK, so untar will at least function if extract is into a directory I 
created using mkdir, but this doesn't help if I have to untar from /.  I 
suppose it would work right if I first manually changed all the directory 
permissions to something like what I get when I create a directory with 
mkdir.  I'm not sure the best way to do this, and I'm not sure if I'd want 
to since everything isn't looking like it's supposed to in the first place.
I suppose if I do want to keep using "None", I would use chmod on 
everything to change the permissions to something that nominally works.

Can anyone help me untangle this knot?

On Saturday, July 21, 2001 2:25 AM, Steve Jorgensen [SMTP:jorgens@coho.net] wrote:
> Scenario:
>
> Installed on a Windows 2K workstation and member of an NT 4 domain.
>
> Using an account on the domain added to Administrators group on
> workstation, but merely a regular user on the domain.
>
>
> Problem:
>
> In the groups file, 513 is "None".  I thought that was only supposed to
> happen on a workgroup system.
>
> Untarring files with tar -xvzf fails miserably (as same user as described
> above).  Permissions are set wrong on new directories, and extract fails on
> files destined for those directories because of inadequate permissions.
>
> It would seem that I need to fix my /etc/passwd and/or /etc/group files,
> but I don't understand them well enough to know what to do.  What do I need
> to do here?
>
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Bug reporting:         http://cygwin.com/bugs.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/
> 
