How to deny directory-access for one dedicated user

Paul McFerrin pmcferrin@columbus.rr.com
Sat Oct 17 18:14:00 GMT 2009


I agree with Dave about trying to deny access to a particular user under 
Cygwin.  The support is not there.  I will touch on an actual feature 
that provides this capability.
Under Amdahl UTS Unix, e.g. SVR3-like, there was a feature that relied on 
the proper implementation of the chroot(2) system call.  You can give 
the restricted user his own login space and make available certain other 
filesystems mounted for the restricted user to give him/her what they 
are actually allowed to have access to, and no more.  Login was modified to 
look for a "*" in the password field to signify a sub-login with the 
passwd home directory as the argument to execute the chroot(2) system 
call and thereby execute login again under the new chroot.
In order for this to be effective, one must exercise caution in setting 
up this painful and elaborate work in achieving the desired environment 
for the restricted user.  Without a real chroot(2) syscall, it really 
can't be done.

Cygwin as it stands today can't provide a true restricted environment if 
it provides general access to hard (C:/pathnames/) drives, unless the 
PC itself is restrictive (limited networking).

The above is my personal opinion on this subject and does not reflect 
management views.

Dave Korn wrote:
> Matthias Meyer wrote:
>
>   
>> How to solve my goal?
>> The user "backup" should backup all data but not certain directories.
>>     
>
>   It cannot be done.  Your two requirements amount to:
>
> 1- I want the backup user to be able to access all files and directories
> without restriction.
> 2- I want the backup user to be restricted from accessing certain files and
> directories.
>
>   As a matter of plain logic, these requirements just cannot both be satisfied
> simultaneously in the same universe!  There is no means to give the backup
> user privileges to access only-some-but-not-all of the files that the ACLs say
> it should not have access to, because it would essentially require an entire
> second level of ACLs on every file in the system to keep track of which files
> the backup privilege gave access to and which files it did not.
>
>     cheers,
>       DaveK
>
>
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>
>
>   
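
The sub-login step described in the message above, sketched in C as an added example; it is not code from the message or from the UTS login source. The "*" marker in the password field follows the message's description, while the function names, the sample entry and the presence of /bin/login inside the new root are assumptions.

```c
#define _DEFAULT_SOURCE          /* exposes chroot(2) in <unistd.h> on glibc */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Parse one passwd-style line (name:passwd:uid:gid:gecos:home:shell).
 * Returns 1 and copies the home directory into root_out when the password
 * field is exactly "*" (the sub-login marker as the message describes it),
 * 0 for an ordinary entry, -1 for a malformed or unsafe entry. */
int sublogin_root(const char *line, char *root_out, size_t len)
{
    char buf[512], *field[7], *p;
    int n = 0;

    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';
    for (p = buf; p != NULL && n < 7; n++) {   /* split on ':' in place */
        field[n] = p;
        p = strchr(p, ':');
        if (p != NULL)
            *p++ = '\0';
    }
    if (n != 7 || p != NULL)                   /* too few or too many fields */
        return -1;
    if (strcmp(field[1], "*") != 0)
        return 0;
    /* Conservative check: the new root must be absolute and free of "..". */
    if (field[5][0] != '/' || strstr(field[5], "..") != NULL ||
        strlen(field[5]) >= len)
        return -1;
    strcpy(root_out, field[5]);
    return 1;
}

/* Enter the sub-login. Must run as root, as login does. chdir("/") right
 * after chroot(2) keeps the working directory from pointing outside. */
int enter_sublogin(const char *root)
{
    if (chroot(root) != 0 || chdir("/") != 0)
        return -1;
    execl("/bin/login", "login", (char *)NULL); /* assumed path in new root */
    return -1;                                  /* reached only if exec fails */
}

int main(void)
{
    char root[256];
    const char *entry = "guest:*:200:50:Restricted:/jail/guest:/bin/sh"; /* constructed */
    if (sublogin_root(entry, root, sizeof root) == 1)
        printf("sub-login: would chroot to %s and re-run login\n", root);
    return 0;
}
```

The stand-alone main only reports the decision; enter_sublogin is what a modified login would call, and everything the restricted user may reach has to be mounted or copied under that root beforehand.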
