This is the mail archive of the cygwin@sources.redhat.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

Re: CVS permissions problem with network drive


Corinna Vinschen wrote:

> > > So: In order to access a CVS repository on an SMB share exported by
> > > an NT host, the user's account on the host must have the
> > > SeRestorePrivilege right.  However, this is dangerous:
> >
> > This is bull.  Ignore.
> 
> No, this isn't bull! You are right. You only did it the half way.
> 
> If _both_ accounts (your local account and the remote account used
> for the SMB connection) have the SeRestorePrivilge user right everything
> works as expected.

Confirmed.

> 
> Thanks for the hint, Chuck.
> 
> However, giving this permission remains dangerous for the reasons you
> explained in your previous mail. So the correct way in terms of NT
> security is still using domains and domain accounts.

Well, in my case, the 'correct way' is not possible -- I don't have a
domain or domain controller.  Just a W2K machine and an NT Workstation,
both members of the same Workgroup.

So, there are three possibilities:

1) Use domains and domain user accounts
2) turn off ntsec
3) add 'SeRestorePrivilege' to both the client machine user account and
the host machine user account.  This is dangerous because it basically
eliminates all file security on both machines, as far as that user is
concerned.  And, this extends to NON-cygwin programs run by that user.  

If #1 is not possible, then #2 is better than #3 (what's the point of
maintaining the *form* of ntsec when it has no *function*?  #3 vitiates
all file security anyway, so why bother with ntsec?)  If you set
nontsec, you lose unixish file security for cygwin programs but at least
you keep the Windows security intact (such as it is).

Unfortunately, both #2 and #3 affect behavior both locally and on file
shares.  It would be nice if ntsec behaved 'nontsec'-like when accessing
shares when the user accounts involved are not domain accounts.  That
way, I could continue to use ntsec for most stuff (local file access)
but share access 'just works' with less strict file security.  Does that
describe the 'extra checks' you said you needed to add, Corinna?

--Chuck

--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]