This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: AllVersions: Running Cygwin X w/ Registy Entries


Brian Dessent wrote:
Chris Taylor wrote:


When I say editing the registry, I'm talking about the ability to
directly manipulate it with .reg files, regedit, or other registry
editing tools.


You can block access to certain known tools like regedit.  This does
*nothing* to block access to the registry itself, except for amateur
users that think regedit is the only way to access the registry.

You can, as per your next paragraph.



Registry keys are full NT objects each with their own ACL, and so if you *really* want to prevent someone from being able to edit the registry, this is the *only* way. And doing so breaks lots of programs that expect to be able to store their settings in HKCU. I suppose you could allow specific write access to those keys that known programs need to access, and deny everything else. But that would be an enormous amount of work, and by the time you're done you'd have granted access to a large portion of HKCU.

Yes, though most programs will silently fail if they can't save their settings. Most don't actually require you to have access of certain levels to function, at least that are commonly used in a corporate environment. Ideally you should have - perhaps restricted to the software key though, and with the Windows section read only.




The point here is that regedit is only *one* way of arbitrarily manipulating the registry, and a user that knows what he's doing will *always* be able to get around this. Disabling regedit is *not* a form of security, unless you define security as "keeping out casual users but nothing else."

Indeed. Hence the ACLs.




Yes, you are able to make changes to HKCU, but not *directly*.


echo "1" > /proc/registry/HKEY_CURRENT_USER/Software/Foobar

Oh look, I just edited the registry directly. Okay, so you don't allow
Cygwin. So I compile a C program that takes a key+value on the command
line and calls RegSetValueEx(). Oh, so you disallow that filename or
checksum. So I make a different C program and call it something else. There are an infinite number of programs that I can write and it's
impossible to block them all. The point here is that there is no such
thing as "blocking direct access" while still "letting some programs
write to the registry." Either it's writeable or it's not. If it is,
then the user can make arbitrary changes. There's no middle ground.

Yes, but it isn't black and white either. As we all agree, you have the joy of acl's, which complicates matters.
Then you also have the option of purging all current user registry files on logoff.. Letting them make changes to aspects at runtime, but losing them all at the end of the session.
Myself, I feel this is the best compromise.




Your method is flawed and destroys the existing setup, which is bad.
I disable ALL aspects of regedit and other tools, and I know I'm not
alone in this. It's perfectly normal and *common* to do it.


You can disable every piece of software that has ever existed in the
known universe, and I will still be able to make arbitrary registry
changes if I want -- provided that the desired HKCU key is writeable.


The (l)user should *never* be allowed to edit the registry themselves.
That's a recipe for disaster.


If you think it is possible to block "direct" editing of the registry
while still allowing HKCU to be writeable, then you are clearly mistaken
at how windows security works.

This is why you have application allow lists. Admittedly this also isn't foolproof, but it does make it more difficult.




Using a command that alters the registry as part of it's function, but
does not allow the user to directly alter it is a very different
ballgame. mount would be permissable. Some console app to directly edit
the registry would not be.


There is absolutely no way for a sysadmin to block one and not the
other.

Brian


Oh, I agree, but Thorsten was under the impression that regedit /s would work when regedit itself was disabled - this is blatantly not the case.


Aside from that.. The whole concept of security on windows is a bit of a farce.. A compromise is the best you're ever likely to manage.

Anyway.. I think this got rather off-topic :P

--

Spinning complacently in the darkness, covered and blinded by a blanket
of little lives, false security has lulled the madness of this world
into a slumber. Wake up! An eye is upon you, staring straight down and
keenly through, seeing all that you are and everything that you will
never be. Yes, an eye is upon you, an eye ready to blink. So face
forward, with arms wide open and mind reeling. Your future has
arrived... Are you ready to go?

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]