bash - How to restrict cygwin's permissions in Windows 7

17
2014-04
  • Andrew Spencer

    After an... ahem... incident involving an ill-judged rm -rf, it occurred to me that if you have administrator permissions on your Windows machine, working within a Cygwin terminal is the equivalent of using a root shell in Unix.

    This can have unfortunate consequences, such as... accidentally wiping your entire filesystem with an ill-judged rm -rf.

    So, my question is: while logged in from a Windows account with administrator permissions, how can I limit cygwin's permissions, in a manner analogous to running under a user account instead of root on Unix systems?

    What I would like is to have write permission to my own files in the folders where I do my work, but get "Permission denied" errors whenever I (accidentally) write things in places I shouldn't be touching such as /cygdrive/c/Windows.

    I have googled "cygwin permissions" and similar keywords, but only found people wanting to get more permission than cygwin is giving them.

    Theres an article here about Windows security in Cygwin, but I can't understand it, probably because I don't understand Windows access control well enough...

  • Answers
  • Fran

    If you turn on User Account Control (UAC) — see http://msdn.microsoft.com/en-us/library/windows/desktop/aa511445.aspx for details — then when you login as a user who is a member of the local group Administrators, you will not have write access to files under C:\Windows, even from a Cygwin Bash shell. You should see this:

    $ cd /cygdrive/c/windows
    $ touch xyzzy
    touch: cannot touch `xyzzy': Permission denied
    

    I cannot even delete files under C:\Windows. For example, I opened a Command Prompt elevated to Administrator, changed directory to C:\Windows, and typed copy system.ini xyzzy.ini. Now I see this in a Cygwin Bash shell (not elevated):

    $ cd /cygdrive/c/windows
    $ icacls xyzzy.ini
    xyzzy.ini NT AUTHORITY\SYSTEM:(I)(F)
              BUILTIN\Administrators:(I)(F)
              BUILTIN\Users:(I)(RX)
    
    Successfully processed 1 files; Failed processing 0 files
    $ rm xyzzy.ini
    rm: remove write-protected regular file `xyzzy.ini'? y
    rm: cannot remove `xyzzy.ini': Permission denied
    $ rm -f xyzzy.ini
    rm: cannot remove `xyzzy.ini': Permission denied
    

    So even though I am a member of local group Administrators, I cannot delete files under C:\Windows.


  • Related Question

    How to copy and paste between cygwin's vi/emacs and windows clipboard?
  • prosseek

    I tried to paste what I copied in windows clipboard into cygwin's vi or emacs, and it doesn't seem to work with yy (vi) or M-w (emacs).

    Is there a way to do it? I learned that /etc/clipboard has the clipboard data from windows, but I don't know how to get this info in vi or emacs.


  • Related Answers
  • Phoshi

    At least for vim, the clipboard is the "* register.

    So, to yank the current line, go "*yy, to paste in the contents of the clipboard, go "*p, so on and so forth.

  • jahroy

    To paste from the clipboard using vi in Cygwin:

    Press SHIFT-INSERT in insert mode
    
    (this means the insert key by the Delete/Home/End keys)
    

    To copy to the clipboard using vi in Cygwin:

    When you select text with your mouse, it automatically gets copied to the clipboard.
    
    You can paste from the clipboard by pressing the middle mouse button.
    

    Also, in some environments where "*yy doesn't work, you can try "+yy.

    Unfortunately this does NOT work in Cygwin.

  • Forethinker

    There is a solution mentioned in Wikia:

    function! Putclip(type, ...) range
      let sel_save = &selection
      let &selection = "inclusive"
      let reg_save = @@
      if a:type == 'n'
        silent exe a:firstline . "," . a:lastline . "y"
      elseif a:type == 'c'
        silent exe a:1 . "," . a:2 . "y"
      else
        silent exe "normal! `<" . a:type . "`>y"
      endif
      call writefile(split(@@,"\n"), '/dev/clipboard')
      let &selection = sel_save
      let @@ = reg_save
    endfunction
    
    
    vnoremap <silent> <leader>y :call Putclip(visualmode(), 1)<CR>
    nnoremap <silent> <leader>y :call Putclip('n', 1)<CR>
    

    just copy these lines to .vimrc and your \y will do the trick, whether you are using vim or your mouse to select texts.
    This may not be a problem since you already have access to the clipboard, but /dev/clipboard is available for Cygwin version 1.7.13 and higher.