Using native symlinks

Corinna Vinschen corinna-cygwin@cygwin.com
Wed May 29 08:47:00 GMT 2013


On May 28 22:23, Chris Sutcliffe wrote:
> On 28 May 2013 14:55, Corinna Vinschen wrote:
> > On May 28 14:16, Chris Sutcliffe wrote:
> >> What permissions do I need for native symlinks to work? According to
> >> edit rights I have SeCreateSymbolicLinkPrivilege (when checking via an
> >> elevated shell - i.e. with "Run as Administrator"):
> >>
> >> ┌─┤ csutclif@bmotec3017201lt ├──┤ ~ │
> >> └─┤ 14:11 ├─>> editrights -u $USER -l
> >> SeLockMemoryPrivilege
> >> SeCreateSymbolicLinkPrivilege
> >>
> >> However, if I try and create a native symlink it still fails.  If
> >> using the winsymlink:native option I get a "cygwin" symlink, winln
> >
> > That's "winsymlinks:native" I hope...
> 
> Correct, I mistyped.
> 
> >> pops up a message stating I need the SeCreateSymbolicLinkPrivilege.
> >> Not sure if it's relevant or not, but the $USER in this case is a
> >> domain user, not a local user.
> >
> > Are you sure it's an elevated shell?  `id -G' should contain 544.  Is
> > the filesystem NTFS?  Is it a local NTFS or a remote NTFS hosted by a
> > Vista-or-later OS?  If you set CYGWIN=winsymlink
> 
> It works fine if I create the native symlinks in an elevated shell,
> but does not if I create the native symlinks in a "normal" shell.  Is
> this expected (i.e. does creating native symlinks only work in
> elevated shells?).

Welcome to the wonderful world of native NTFS symlinks!!1!11!!

It's true and it works like this: Have a look into the "Local Security
Policy" MMC Snap-in.  In the left hand tree view navigate to
"Security Settings" -> "Local Policies" -> "User Rights Assignments".
On the right side look for "Create symbolic links".  You will see that
by default only members of the Administrators group are allowed to
create symlinks.

If you're running under an admin account in a non-elevated shell, your
token has been stripped by all Admin-only user rights, so you also have
no right to create symlinks.

To workaround that, you can either add yourself to the "Create symbolic
links" right, or you can add the "Users" group if you want to allow
every user to create symlinks.  But this requires changing it on all
machines manually, so alternatively you can create a domain policy which
adds the trusted users to this user right on all machines.

As if that isn't bad enough, there's another ugly surprise for the
uninitiated:

In an elevated shell, call fsutil like this:

  $ fsutil behavior query SymlinkEvaluation
  Local to local symbolic links are enabled.
  Local to remote symbolic links are enabled.
  Remote to local symbolic links are disabled.
  Remote to remote symbolic links are disabled.

See the word "disabled" for remote->local and remote->remote symlinks?
This means, by default the system will suppress the evaluation of
remote symlinks which point to a local filesystem, as well as the
evaluation of remote symlinks which point to a remote location.
In CMD you'd see an error "The symbolic link cannot be followed because
its type is disabled" aka STATUS_SYMLINK_CLASS_DISABLED.

On Windows 8, this even goes as far as affecting NFS symlinks!  If you
have a symlink to a directory, with symlinks underneath, resolving the
second level of symlinks fails with STATUS_NETWORK_OPEN_RESTRICTION if
remote->remote symlinks are disabled in fsutil.

Funny, right?  The workaround is `fsutil behavior set r2l:1 r2r:1'.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple



More information about the Cygwin mailing list