How to deny directory-access for one dedicated user

Matthias Meyer matthias.meyer@gmx.li
Sat Oct 17 12:39:00 GMT 2009


Dave Korn wrote:
> Andy Koppe wrote:
>> 2009/10/13 Matthias Meyer:
>>> But nevertheless, user Backup can access the directory as well as the
>>> files
>>
>> Does user "Backup" have Administrator privileges?
>
> No, user "Backup User" has the "Backup/Restore" privilege. These are
> well-known reserved names in the NT security architecture.
>
> And in fact administrator privs don't get you access to any file you
> like: as it happens, the reason why administrators in fact *can* access
> any file on the system, regardless of ACLs, is because they have _backup_
> privileges - it's the exact inverse of the question you asked!
>
> This is one of those areas where the underlying windows OS architecture
> diverges significantly from how things work in POSIX land and Cygwin can't
> do all that much to fudge over it. You can be uid 0 on windows and not be
> able to read a file when you want, or you can have uid non-zero and yet
> still get complete access to every file you like!
>
> cheers,
> DaveK

My user is called "backup". It is a user I created myself.
"backup" is a member of the administrator group and has the following
additional privileges, defined by editrights:
SeBackupPrivilege
SeRestorePrivilege
SeServiceLogonRight

Thanks Jason for the cacls hint.
I tried "cacls C:\Test /E /D backup". /E is very important ;-)
But as before, user "backup" can access the directory.
Also after removing the administrator group from user "backup"
and re-login, "backup" can access C:\Test.

Administrator@hostxp /
$ cacls "C:\Test"
C:\Test HOSTXP\Backup4U:(OI)(CI)N
        VORDEFINIERT\Administratoren:(OI)(CI)F # predefined\Administrator:...
        NT-AUTORITÄT\SYSTEM:(OI)(CI)F
        HOSTXP\meyer:F
        ERSTELLER-BESITZER:(OI)(CI)(IO)F # creator-owner:...
        VORDEFINIERT\Benutzer:(OI)(CI)R # predefined\user:...
        VORDEFINIERT\Benutzer:(CI)(Beschränkter Zugriff:) # predefined\user:.(restricted access:)
            FILE_APPEND_DATA
        VORDEFINIERT\Benutzer:(CI)(Beschränkter Zugriff:)
            FILE_WRITE_DATA

backup@hostxp ~
$ cacls "C:\Test"
C:\Test
Zugriff verweigert #=access denied

backup@hostxp ~
$ ls -alh "C:\Test"
total 0
drwx------+ 2 meyer Kein 0 Oct 17 13:15 .
drwxrwxr-x+ 12 Administratoren SYSTEM 0 Oct 17 13:15 ..
-rwx------+ 1 meyer Kein 0 Oct 17 13:15 Neu Textdokument.txt

How can I achieve my goal?
The user "backup" should back up all data but not certain directories.
Thanks
Matthias
-- 
Don't Panic
PS: Sorry for the inconvenience with German.
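
Added example, not part of the original message or of Cygwin: a small audit that cross-checks deny entries in cacls output against the accounts that directly hold SeBackupPrivilege or SeRestorePrivilege, the situation described in this thread. The function names are hypothetical, both inputs are constructed samples, and the privilege list is assumed to come from "secedit /export /cfg rights.inf /areas USER_RIGHTS".

```python
import re

# Privileges that let a holder open files regardless of the ACL.
BYPASS_PRIVS = ("SeBackupPrivilege", "SeRestorePrivilege")

# Constructed sample of the [Privilege Rights] section of a secedit export.
# S-1-5-32-544 is Administrators, S-1-5-32-551 is Backup Operators.
SAMPLE_INF = """\
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,backup
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,backup
SeServiceLogonRight = backup
"""

# Constructed sample of cacls output; "N" means no access (a deny entry).
SAMPLE_CACLS = """\
C:\\Test HOSTXP\\backup:(OI)(CI)N
        BUILTIN\\Administrators:(OI)(CI)F
        HOSTXP\\meyer:F
"""

def parse_privilege_rights(inf_text):
    """Return {privilege: set of lower-cased holders} from a secedit export."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = {h.strip().lstrip("*").lower()
                                    for h in holders.split(",") if h.strip()}
    return rights

def denied_principals(cacls_text):
    """Return account names (domain stripped, no spaces) that have an N entry."""
    found = re.findall(r"([^\\\s:]+):(?:\([A-Z]+\))*N\s*$", cacls_text, re.M)
    return {name.lower() for name in found}

def ineffective_denies(inf_text, cacls_text):
    """Map each denied account to the bypass privileges assigned to it directly."""
    rights = parse_privilege_rights(inf_text)
    held = {a: sorted(p for p in BYPASS_PRIVS if a in rights.get(p, ()))
            for a in denied_principals(cacls_text)}
    return {a: privs for a, privs in held.items() if privs}

if __name__ == "__main__":
    for account, privs in ineffective_denies(SAMPLE_INF, SAMPLE_CACLS).items():
        print(f"deny entry for {account} does not hold: has {', '.join(privs)}")
```

Only direct assignments are checked; privileges inherited through a group such as Administrators or Backup Operators would need the group membership resolved as well.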