On May 30 09:28, Jeffrey Altman wrote: > On 5/30/2013 5:03 AM, Corinna Vinschen wrote: > > > On the other hand, in the same situation the UAC-crippled admins's token > > does not contain the "Create symbolic links" right: > > > > $ /cygdrive/c/Windows/System32/whoami /priv > > > > PRIVILEGES INFORMATION > > ---------------------- > > > > Privilege Name Description State > > ============================= ==================================== > > ======== > > SeShutdownPrivilege Shut down the system > > Disabled > > SeChangeNotifyPrivilege Bypass traverse checking Enabled > > SeUndockPrivilege Remove computer from docking station > > Disabled > > SeIncreaseWorkingSetPrivilege Increase a process working set > > Disabled > > SeTimeZonePrivilege Change the time zone > > Disabled > > > > I also changed the "Create symbolic links" policy so that the "Users" > > group is the only group getting this right. In other words, I removed > > the "Administrators" group entirely, logged off, logged on, and the > > result was the same as above. > > > > This is a bug in UAC if you ask me. It seems to remove privileges from > > the UAC-crippled admin's token based on a fixed internal list, totally > > ignorant of changes in the security policy. > > This is a design flaw but it is working as documented. Administrators have > SeCreateSymbolicLinkPrivilege by default so UAC removes it. What UAC > should > do in my opinion is not remove a static list of permissions but only > remove those permissions that are not granted to standard users.
ACK. Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
