This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Admin can read user file from bash, despite permissions


Corinna Vinschen wrote:
On Apr 10 04:19, Gmane User wrote:
I have a power user file that has go-rwx.  However, the administrator
account can "less" the contents from a bash command line.  This is
both logging onto Windows 2000 as admin, as well as ssh'ing in
(loopback) from the power user log-in session.  The administrator can
also "mv" the file to a different name, but it can't create a new file
in the same folder e.g. by "cp".

CACLS shows an extensive set of permissions for the power user owner,
but only READ_CONTROL, FILE_READ_EA, & FILE_READ_ATTRIBUTES for
LaptopName\None and Everyone.  I've come across nothing on the web
(yet) about a special privilege that allows administrators the level
of access that it seems to have.  In fact, if I just open up a DOS
shell as Administrator, I cannot "more" the said file.  So it seems to
be specific to Cygwin rather than Windows.
[...]
what is the explanation?

The secret word for tonight is "Privileges". See http://msdn2.microsoft.com/en-us/library/bb530716(vs.85).aspx

Administrators have the SE_BACKUP_NAME privilege by default.  Cygwin
opens the files with the FILE_FLAG_BACKUP_SEMANTICS flag set, see
http://msdn2.microsoft.com/en-us/library/aa363858.aspx So, all accounts
with the backup privilege (usually admins and backup operators) can open
all files.  That's the same as with the "root" user on UNIX.

It does not work with the standard Windows tools, because these tools
don't open files with FILE_FLAG_BACKUP_SEMANTICS.  Sort of an
obfuscation, if you ask me.

cp doesn't work because the current release of Cygwin doesn't use
the FILE_FLAG_BACKUP_SEMANTICS flag in every necessary place so far.

Thank you, Corinna. That was very informative.


BTW, I found this site to be invaluable for those ramping up:
http://www.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsAPrivilege.html

Cheers!


-- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]