This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: Using native symlinks
- From: Jeffrey Altman <jaltman at openafs dot org>
- To: cygwin at cygwin dot com
- Date: Thu, 30 May 2013 09:28:24 -0400
- Subject: Re: Using native symlinks
- References: <CAGHJv4ftSKS6wR-Uzd9Gfvowqpn-WCQ0U01NexgCpZaYqd-Tow at mail dot gmail dot com> <20130528185553 dot GA31309 at calimero dot vinschen dot de> <CAGHJv4fkvRt1gQfNTarHGUQWvdRxRsy=oAA=pjUQTLQFoNoW-g at mail dot gmail dot com> <20130529083910 dot GD31309 at calimero dot vinschen dot de> <CAGHJv4cUbx_sMCwUgzTd3ZaXVgbfgPt1Fs7pOO4UtwZhFFj-uA at mail dot gmail dot com> <20130529152339 dot GB4471 at calimero dot vinschen dot de> <CAGHJv4cKU_vHa7KddQ5dK_3dkj792A8X5Ps9njS_gBNEFWz63Q at mail dot gmail dot com> <20130529170147 dot GG4471 at calimero dot vinschen dot de> <CAGHJv4cms9Cg=VA0bFsqK_MvY1fhYbgQA2iOWRKxA=O0Z1FL1A at mail dot gmail dot com> <20130530090326 dot GJ4471 at calimero dot vinschen dot de>
- Reply-to: jaltman at openafs dot org
On 5/30/2013 5:03 AM, Corinna Vinschen wrote:
> On the other hand, in the same situation the UAC-crippled admin's token
> does not contain the "Create symbolic links" right:
>
> $ /cygdrive/c/Windows/System32/whoami /priv
>
> PRIVILEGES INFORMATION
> ----------------------
>
> Privilege Name                Description                          State
> ============================= ==================================== ========
> SeShutdownPrivilege           Shut down the system                 Disabled
> SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
> SeUndockPrivilege             Remove computer from docking station Disabled
> SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
> SeTimeZonePrivilege           Change the time zone                 Disabled
>
> I also changed the "Create symbolic links" policy so that the "Users"
> group is the only group getting this right. In other words, I removed
> the "Administrators" group entirely, logged off, logged on, and the
> result was the same as above.
>
> This is a bug in UAC if you ask me. It seems to remove privileges from
> the UAC-crippled admin's token based on a fixed internal list, totally
> ignorant of changes in the security policy.

This is a design flaw but it is working as documented. Administrators have
SeCreateSymbolicLinkPrivilege by default so UAC removes it. What UAC should
do in my opinion is not remove a static list of permissions but only
remove those permissions that are not granted to standard users.

If your organization is a user of native symlinks and you have a support
agreement with Microsoft, I recommend filing a support request to have
this behavior changed.

Jeffrey Altman
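
An added example, not part of either poster's message: a small shell helper for the Cygwin prompt that reads `whoami /priv` output and reports whether `SeCreateSymbolicLinkPrivilege` is enabled, disabled, or absent from the token, which is the distinction the thread turns on. The function name `priv_state` and both sample inputs are constructed here, and English-language `whoami` output is assumed.

```shell
#!/bin/bash
# Added example: classify a privilege in `whoami /priv` output (stdin).
# Prints one of: enabled | disabled | absent
#   absent   = the row is missing, i.e. the token does not hold the privilege
#   disabled = the token holds it but it is currently switched off
#   enabled  = the token holds it and it is active
priv_state() {
    local want="${1:-SeCreateSymbolicLinkPrivilege}"
    # Native Windows tools emit CRLF; strip CR so the last field compares cleanly.
    tr -d '\r' | awk -v want="$want" '
        BEGIN { state = "absent" }
        # Data rows: first field is the privilege name, last field is its state.
        tolower($1) == tolower(want) { state = tolower($NF) }
        END { print state }'
}

# Constructed sample: the rows from the quoted output (filtered admin token).
FILTERED_TOKEN='Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled'

# Constructed sample: same token with the symlink row added, for contrast.
WITH_SYMLINK_ROW="$FILTERED_TOKEN
SeCreateSymbolicLinkPrivilege Create symbolic links                Disabled"

printf 'filtered sample:   %s\n' "$(printf '%s\n' "$FILTERED_TOKEN" | priv_state)"
printf 'with symlink row:  %s\n' "$(printf '%s\n' "$WITH_SYMLINK_ROW" | priv_state)"

# Live check, only where the path used in the quoted session exists.
WHOAMI=/cygdrive/c/Windows/System32/whoami
if [ -x "$WHOAMI" ]; then
    printf 'this session:      %s\n' "$("$WHOAMI" /priv | priv_state)"
fi
```

`whoami /priv` lists only the privileges the token holds, so a missing row means the privilege was never placed in the token, while a `Disabled` row means it is held but not switched on.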