Issues with ACL settings after updating to the latest cygwin.dll

Corinna Vinschen corinna-cygwin@cygwin.com
Wed Feb 10 12:19:00 GMT 2016


On Feb 10 12:55, Corinna Vinschen wrote:
> On Feb  9 20:53, xnor wrote:
> > Here is what I would expect:
> > MyUser is in the group Administrators. Given the inherited permissions above
> > a Windows-created file should be shown as "-rwxrwxr--+ MyUser
> > Administrators"?
> 
> Sorry, can't do that, *unless* you make "Administrators" the primary
> group in your user token(*).  Even though your account is *member* of
> the Administrators group, the group is *never* your primary group per
> Windows.  All local accounts, independently of their group memberships,
> have the group "None" as their primary group.  That's how Windows works,
> and that hasn't changed since at least NT4.
> 
> Unless, of course, if you use a so-called "Windows account", one of
> those accounts which you login with using your email address (was that
> introduced with Windows 8?  I'm not sure).  In that case, the primary
> group in your user token is set to your user account itself.  So your
> primary group SID is your own user SID.  Duh!
> 
> 
> Corinna
> 
> (*) There *is* a way to do that, but only inside Cygwin, see
>     https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-passwdinfo

Oh, and if it's not clear how this works under the hood, it's like this:

The Windows user token contains a couple of SID entries:

- The "user" SID
- The "owner" SID       (user and owner are not necessarily the same,
                         but, never mind)
- The primary group SID (which, it has to be said, is meaningless
                         in the Windows context and only kept for
                         POSIX compatibility)
- A list of group SIDs the user is member in.

For a local account, the primary group SID is set to "None", the local
group with RID 513.  For domain accounts this is typically the group
"Domain Users", the domain account with RID 513 (hmm...)

However, every process is allowed to switch the primary group entry of
its user token to *any* group mentioned in the group list, *or* even to
its user or owner SID.  If you use the aforementioned method to change
the primary group, what happens is that the first Cygwin process in a
process chain changes the primary group in its user token.  If the new
group is in the token's group list, this will work.

Child processes inherit the user token from their parent process, so
there's no reason to change the primary group again in a process tree.
Since that's a Windows property, this also works for non-Cygwin child
processes.

With the Administrators group there's a complication.  If you're running
a normal shell, it's running under UAC control.  UAC restricts the user
token of an admin user so that the admins group in the token group list
is "crippled":  The admins SID is still in the list, but with a flag
"DENY ONLY".  You're kind of not in the Administrators group anymore.
Only if an access check is performed, and the Admins group is denied
access to some object, this membership kicks in and denies the access.


HTH,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://cygwin.com/pipermail/cygwin/attachments/20160210/bbfa9fd4/attachment.sig>


More information about the Cygwin mailing list