This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

Re: rsh: "Permission denied" on file creation. Cygwin 1.3.3 on W2K Adv Srv SP2.


Corinna Vinschen wrote:
> 
> Ouch! Where did you get that information?  SYSTEM is exactly
> _the_ privileged user account which has all rights necessary
> for an operating system.  It's the real "root" account for NT
> in contrast to the Administrators which are not allowed to do
> everything (e.g. user context switches).
> 
> The only restriction SYSTEM suffers from is, it has no access
> to network shares which require authentication... which makes
> sense.

Some of this may be caused by what I said in another e-mail.  Let
me write out what my understanding of the SYSTEM account and you
can correct me.

1) NT services need to have access to certain internal security
attributes, such as "Act as Part of Operating system", "Create 
a token object" and "Replace a Token object."  System has these
rights and more and is intended to be used for local NT services.

2) SYSTEM does not have rights to any other machine; it is strictly
a local account.  This means that it cannot use drive shares (even
if they are public shares).

3) SYSTEM does not have rights, by itself, to any files on the local
machine that are not public.  In other words, files owned by a
specific user are not accessible to SYSTEM.  However, an NT service
run under the SYSTEM account can impersonate any other local user
account, if written that way, so the SYSTEM account can access local
files in that fashion.

Consequently, although SYSTEM is the usual account that is used by
NT to run services, it is not strictly equivalent to root under *nix,
since it does not have rights to everything.  However, through the 
use of user impersonation, SYSTEM can act as any user and is in that
way very similar to "su username" under *nix.

Some Cygwin programs that can be run as services under NT will not
work properly under SYSTEM, since they have not been written to 
impersonate users.

Is that any clearer?

John

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4720 Boston Way
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5747

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
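The rights in point 1 and the impersonation in point 3 of the message above can be checked directly on a machine. The script below is an added example, not code from the message or from the Cygwin project. It assumes Windows PowerShell 5.1 (WindowsIdentity.Impersonate is not present in .NET Core), the built-in whoami.exe, and a local account whose name and password you supply; the function names Get-TokenPrivilegeReport and Test-ImpersonatedFileAccess and the P/Invoke wrapper Example.NativeLogon are my own.

```powershell
# Added example (not from the original message or from Cygwin).
# Part 1: report which of the three privileges the message names are in the
# caller's token.  Part 2: impersonate another local user the way a service
# would, and test file access under that user's token.

# The three rights listed in point 1, keyed by their Windows privilege constants.
$WantedPrivileges = @{
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeCreateTokenPrivilege'        = 'Create a token object'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
}

function Get-TokenPrivilegeReport {
    # whoami /priv lists every privilege in the caller's token; /fo csv makes it parseable.
    $rows = whoami /priv /fo csv | ConvertFrom-Csv
    $present = @{}
    foreach ($row in $rows) {
        $present[$row.'Privilege Name'] = $row.State   # "Enabled" or "Disabled"
    }
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($name in ($WantedPrivileges.Keys | Sort-Object)) {
        [pscustomobject]@{
            Identity    = $identity
            Privilege   = $name
            Description = $WantedPrivileges[$name]
            # A privilege can be held but disabled; "Not held" means the token can never enable it.
            State       = if ($present.ContainsKey($name)) { $present[$name] } else { 'Not held' }
        }
    }
}

function Test-ImpersonatedFileAccess {
    param(
        [Parameter(Mandatory)] [string]       $UserName,   # local account to act as (assumed to exist)
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string]       $Path        # a file only that user is allowed to read
    )
    # LogonUser + WindowsIdentity.Impersonate is the Win32 route a service takes to act as a user.
    if (-not ('Example.NativeLogon' -as [type])) {
        $sig = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
                                    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@
        Add-Type -MemberDefinition $sig -Name NativeLogon -Namespace Example
    }
    $LOGON32_LOGON_INTERACTIVE = 2
    $LOGON32_PROVIDER_DEFAULT  = 0
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $token = [IntPtr]::Zero
    $ok = [Example.NativeLogon]::LogonUser($UserName, '.', $plain,
            $LOGON32_LOGON_INTERACTIVE, $LOGON32_PROVIDER_DEFAULT, [ref] $token)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LogonUser failed: $([ComponentModel.Win32Exception]::new($err).Message)"
    }
    try {
        $ctx = [System.Security.Principal.WindowsIdentity]::Impersonate($token)
        try {
            # Every access check inside this window is made against $UserName's token.
            $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
            $readable = $true
            try   { $stream = [System.IO.File]::OpenRead($Path); $stream.Dispose() }
            catch [System.UnauthorizedAccessException] { $readable = $false }
            [pscustomobject]@{ ImpersonatedAs = $who; Path = $Path; Readable = $readable }
        } finally {
            $ctx.Undo()   # always drop back to the caller's own identity
        }
    } finally {
        [void] [Example.NativeLogon]::CloseHandle($token)
    }
}

# Usage: run once from an elevated prompt and once as SYSTEM (for example a
# scheduled task, or "psexec -s -i powershell.exe") and compare the two reports.
Get-TokenPrivilegeReport | Format-Table -AutoSize

# Constructed usage of the impersonation test; the account and path are placeholders.
# $pw = Read-Host -AsSecureString 'Password for testuser'
# Test-ImpersonatedFileAccess -UserName 'testuser' -Password $pw -Path 'C:\Users\testuser\private.txt'
```

Comparing the two reports shows which of the three privileges each token holds, and the impersonation function shows the mechanism point 3 describes: inside the Impersonate/Undo window, GetCurrent() reports the logged-on user and the file open is checked against that user's token rather than the caller's. The Undo in a finally block matters for a real service, since leaving an impersonation in place would carry the wrong identity into later requests.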

