From 003303a43587449ced9b1aefa4188e3976b7bcfe Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Thu, 26 Oct 2000 08:01:39 +0000 Subject: [PATCH] * ntsec.sgml: Slight changes. Fix some errors. --- winsup/doc/ChangeLog | 4 ++++ winsup/doc/ntsec.sgml | 23 ++++++++++++----------- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/winsup/doc/ChangeLog b/winsup/doc/ChangeLog index 55820487c..65d1f70bb 100644 --- a/winsup/doc/ChangeLog +++ b/winsup/doc/ChangeLog @@ -1,3 +1,7 @@ +Thu Oct 26 10:00:00 2000 Corinna Vinschen + + * ntsec.sgml: Slight changes. Fix some errors. + Thu Oct 26 9:35:00 2000 Corinna Vinschen * ntsec.sgml: Changed the (now incorrect) hint that ntsec only diff --git a/winsup/doc/ntsec.sgml b/winsup/doc/ntsec.sgml index 72d54c65c..1741b8046 100644 --- a/winsup/doc/ntsec.sgml +++ b/winsup/doc/ntsec.sgml @@ -133,7 +133,7 @@ set to Cygwin version 1.1.0. Later versions use `access denied ACEs' as well to reflect the UNIX permissions as good as possible. -The possible permissions on objects are more complicated than in +The possible permissions on objects are more detailed than in UNIX. For example, the permission to delete an object is different from the write permission. @@ -145,8 +145,9 @@ The ntsec patch tries to do this in cygwin. You ask "Mostly? Why mostly???" Because there's a leak in the NT model. I will describe that in detail in chapter 4. -The creation of explicit object security is a bit complicated, so -typically only two simple variations are used: + +Creating explicit object security is not that easy so you will often +see only two simple variations in use: default permissions, computed by the operating system 
@@ -155,10 +156,10 @@ typically only two simple variations are used: For parameters to functions that create or open securable objects another data structure is used, the `security attributes' (SA). This structure -contains an SD and a flag, that specifies whether the returned handle -to the created or opened object is inherited to child processes or not. -This property is not important for the ntsec patch description, so in -this document SDs and SAs are more or less identical. +contains an SD and a flag that specifies whether the returned handle +to the object is inherited to child processes or not. +This property is not important for the ntsec patch description so in +this document the difference between SDs and SAs is ignored. @@ -315,7 +316,7 @@ and in the gr_passwd field in /etc/group. ntsec works better in domain environments. Accounts (users and groups) may get another name in -cygwin that their NT account name. The name in /etc/passwd +cygwin than their NT account name. The name in /etc/passwd or /etc/group is transparently used by cygwin applications (eg. chown, chmod, ls): @@ -332,8 +333,8 @@ adminstrator::500:513::/home/root:/bin/sh Caution: If you like to use the account as login account via telnet etc. you have to remain the name unchanged or -you have to use a special version of login which will -be part of the release 1.1 soon. +you have to use the special version of login which is +part of the standard Cygwin distribution since 1.1. Cygwin UIDs and GIDs are now not necessarily the RID part of the NT SID: @@ -408,7 +409,7 @@ group membership of the caller. The order of ACEs is important. The system reads them in sequence until either any needed right is denied or all needed rights are granted. Later ACEs are then not taken into account. -ALl access denied ACEs _should_ precede any +All access denied ACEs _should_ precede any access allowed ACE.
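Review bot: The new entry in the winsup/doc/ChangeLog hunk ("Slight changes. Fix some errors.") does not say what changed, unlike the 9:35 entry directly below it, which names the hint that was corrected. At least the factual change deserves a mention: the login caution in ntsec.sgml now states that the special login is part of the standard Cygwin distribution since 1.1, which is a content change rather than a wording fix.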
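Review bot: In the ntsec.sgml hunk at @@ -133,7 +133,7 @@, the context line just above the change still reads "to reflect the UNIX permissions as good as possible"; since this commit is a wording pass, change it to "as well as possible" in the same change. The new "more detailed" fits the delete-versus-write example that follows it, though "more fine-grained" would state the same point more precisely.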
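Review bot: In the hunk at @@ -155,10 +156,10 @@, the rewritten sentence keeps "inherited to child processes"; a handle is inherited by child processes, so use "by" on the added line. The added "description so in this document" also needs a comma before "so".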
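Review bot: In the hunk at @@ -332,8 +333,8 @@, the unchanged line directly above the edit still says "you have to remain the name unchanged", which does not parse; "you have to leave the name unchanged" is what is meant, and it belongs in this change because the rest of the sentence is being rewritten. The sample passwd line shown in the hunk header also spells the account "adminstrator"; if that spelling is not intentional, fix it here as well, since the surrounding text is about how account names map.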
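Review bot: In the hunk at @@ -408,7 +409,7 @@, the paragraph says access denied ACEs "_should_ precede" access allowed ACEs but never states what goes wrong otherwise. From the preceding sentences it follows that evaluation stops once all needed rights are granted, so an access allowed ACE placed ahead of an access denied ACE grants the access and the deny is never consulted. One sentence saying so would make the ordering rule actionable for readers who edit ACLs by hand.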