How to restrict cygwin's permissions in Windows 7

2

After an... ahem... incident involving an ill-judged rm -rf, it occurred to me that if you have administrator permissions on your Windows machine, working within a Cygwin terminal is the equivalent of using a root shell in Unix.

This can have unfortunate consequences, such as... accidentally wiping your entire filesystem with an ill-judged rm -rf.

So, my question is: while logged in from a Windows account with administrator permissions, how can I limit cygwin's permissions, in a manner analogous to running under a user account instead of root on Unix systems?

What I would like is to have write permission to my own files in the folders where I do my work, but get "Permission denied" errors whenever I (accidentally) write things in places I shouldn't be touching such as /cygdrive/c/Windows.

I have googled "cygwin permissions" and similar keywords, but only found people wanting to get more permission than cygwin is giving them.

Theres an article here about Windows security in Cygwin, but I can't understand it, probably because I don't understand Windows access control well enough...

Andrew Spencer

Posted 2013-03-06T14:29:14.183

Reputation: 123

Did you find a solution? – user – 2013-03-13T15:04:46.237

Not yet. I'll post it if I do. I'm thinking I should ask a general Windows question about how to limit the actions that a program can perform. – Andrew Spencer – 2013-03-14T10:09:13.180

Answers

2

If you turn on User Account Control (UAC) — see http://msdn.microsoft.com/en-us/library/windows/desktop/aa511445.aspx for details — then when you login as a user who is a member of the local group Administrators, you will not have write access to files under C:\Windows, even from a Cygwin Bash shell. You should see this:

$ cd /cygdrive/c/windows
$ touch xyzzy
touch: cannot touch `xyzzy': Permission denied

I cannot even delete files under C:\Windows. For example, I opened a Command Prompt elevated to Administrator, changed directory to C:\Windows, and typed copy system.ini xyzzy.ini. Now I see this in a Cygwin Bash shell (not elevated):

$ cd /cygdrive/c/windows
$ icacls xyzzy.ini
xyzzy.ini NT AUTHORITY\SYSTEM:(I)(F)
          BUILTIN\Administrators:(I)(F)
          BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
$ rm xyzzy.ini
rm: remove write-protected regular file `xyzzy.ini'? y
rm: cannot remove `xyzzy.ini': Permission denied
$ rm -f xyzzy.ini
rm: cannot remove `xyzzy.ini': Permission denied

So even though I am a member of local group Administrators, I cannot delete files under C:\Windows.

Fran

Posted 2013-03-06T14:29:14.183

Reputation: 4 774

My problem is the reverse: when I try to build ArangoDB, it fails at several points because of insufficient permissions. Before the failing build step, I'm able to access the files, but can't after (not even outside cygwin shell with admin privileges!) but I have no clue why it revokes my rights. I need to takeown and icacls to reset permissions several times for thousands of files to make it work. Is there any way to prevent cygwin from changing or setting any permissions? – CodeManX – 2015-08-19T01:02:08.677

Thanks for this suggestion. This does indeed prevent me from deleting system files, which is better than no protection at all. However it doesn't stop me from deleting everything else on my hard drive or on all my networked drives. – Andrew Spencer – 2013-07-15T08:36:54.110

Asked: 2013-03-06T14:29:14.183

Viewed: 972 times

Active: 2013-07-08T15:27:20.710