This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: .rhosts on W2K w/o ntsec

From: Christian Mueller <Christian_Mueller at csgsystems dot com>
To: cygwin at cygwin dot com
Date: Tue, 19 Nov 2002 22:59:50 +0100
Subject: Re: .rhosts on W2K w/o ntsec

Thanks again for your help!

> What do you mean "setting new userids"? It is safe to turn ntsec
> off in the /etc/profile or ~/.bash_profile sourced by the login
> shell. Of course the login shell itself will still have ntsec on,
> so it needs to reexec itself after turning ntsec off.

I was thinking of daemons such as inetd, sshd, etc. setting new user IDs (contexts, whatever) after the login as such has succeeded. I didn't have the time so far to look up how Cygwin handles this case, thus my concerns about inheriting the CYGWIN envionment variable.

Given your question, I take it that Cygwin will pass the CYGWIN variable to all sub-processes regardless whether or not the user ID has changed. This would rule-out my biggest concern regarding different CYGWIN variable settings for inetd clients and local logins.

>> Another problem would be that other services which don't
>> start shells such as the IPC daemon, apache, etc. would end
>> up using ntsec.

> Not sure if that's really a problem. At any rate that can be
> controlled with the -e argument of cygrunsrv, but I don't know
> what will happen in each case.

The problem with this (regardless of the -e option in cygrunsrv) is that the environment being active for the service (e.g. "CYGWIN=ntsec") cannot be changed at a later time unless the service starts some shell-like process which will execute something like /etc/profile. In other words, the service will execute with "ntsec" being active and there's no way to turn it off.

>> Wouldn't it be a good idea to store uid and gid in the extended
>> attributes as well and use them if ntsec is turned off? At least
>> for me this would be the perfect solution....

> They are, of course, but Cygwin does not report them when ntsec is
> off. Changing that behavior would probably hurt other users. Asking
> for a special "cmueller" field to CYGWIN is unlikely to yield a
> positive reply.

Hmpff! I'm not asking for any special treatment for myself. If that was the case, I would take the source and implement whatever I think would be useful instead of going to the public cygwin mailing list....

Having said that, I agree that it's probably dangerous to simply change the current behaviour (i.e. UIDs and GIDs are stored in EAs but not used unless "ntsec" is turned on as well). However, it would be possible to safely change this behaviour based on a new token (e.g. ntea_uid or whatever).

> I have reread your original e-mail and I don't fully understand
> why nontsec helps you. The reasons you give are not compelling.
> Even with nontsec, the files you create are not owned by
> Administrators.

Actually, they *are* owned by Administrators *if* they are created by Windows apps. As soon as a Windows user is part of the Administrators group, all files created by this user will automatically be owned by the Administrators group (again, I'm talking about Windows apps here, not Cygwin apps).

I had problems in the past (around 1 year ago) with files created by JBuilder5 from Borland -- I had ntsec turned-on at this time and ran into problems when I committed the resulting files with cvs (Cygwin) because the source files were owned by "Administrators" and had stupid permissions (something like 0777).

I thought quite a while about a solution for my dilemma and ended up using "ntea nontsec" because this is the only way how I can share Cygwin directories with Windows applications without ending up changing file permissions each time Windows programs have updated/created some files.

> Also, the directories created by Cygwin with ntsec do have
> inheritance turned on. In fact that inheritance determines the
> ACL of files created by Cygwin when ntsec is off, and also the
> ACL created by most Windows applications. Incidentally you
> can display these "stupid permissions" with getfacl and change
> them with setfacl, so you could add Administrators if needed.

Hmmm.... it seems as if you mis-interpreted (is this a word?) my problem: The permissions set by Cygwin with "ntsec" are absolutely OK. I'm having problems with permissions set by *native* Windows programs when they create files in my Cygwin home directory....

> Is your group Administrators? If not, wouldn't it help to change
> it to that?

Yes, it is.

Pierre

--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Bug reporting: http://cygwin.com/bugs.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/

Follow-Ups:
- Re: .rhosts on W2K w/o ntsec
  - From: Christian Mueller

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]