Windows 10 Creators Update and Symlinks

Discussion:

Till Riedel

2017-04-23 09:26:41 UTC

Hi all,

I was really excited to hear this!

I tried to export CYGWIN="winsymlinks:nativestrict" and create symlink
without elevation and failed on cygwin 2.8.0 (checked that "cmd /C
mklink" works as expected in Windows 10 Creators Update Developer Mode).

Any ideas if there are any extra checks that lead to "Operation not
permitted"?

Windows seemingly even allows symlinks to nonexistent files (I somehow
think there was a problem with that in the past). For me personally this
would a strong reason to switch to real symlinks.

Best regards,

Till

When Developer mode is enabled the elevation requirement for symlink
https://blogs.windows.com/buildingapps/2016/12/02/symlinks-windows-10/#DXz6icKZOkEozgYR.97
This was necessary for symlink creation within WSL to work.

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple

Brian Inglis

2017-04-23 15:21:06 UTC

Permalink

Post by Till Riedel

When Developer mode is enabled the elevation requirement for
https://blogs.windows.com/buildingapps/2016/12/02/symlinks-windows-10/#DXz6icKZOkEozgYR.97
This was necessary for symlink creation within WSL to work.

I was really excited to hear this!
I tried to export CYGWIN="winsymlinks:nativestrict" and create
symlink without elevation and failed on cygwin 2.8.0 (checked that
"cmd /C mklink" works as expected in Windows 10 Creators Update
Developer Mode).
Any ideas if there are any extra checks that lead to "Operation not
permitted"?
Windows seemingly even allows symlinks to nonexistent files (I
somehow think there was a problem with that in the past). For me
personally this would a strong reason to switch to real symlinks.

Artcile states:
CreateSymbolicLink
To enable the new behavior when using the CreateSymbolicLink API,
there is an additional dwFlags option you will need to set:

Value Meaning
SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE
0x2 Specify this flag to allow creation of symbolic links when the
process is not elevated

So Cygwin patches are required to winsymlinks:native/strict handling
in winsup/w32api/include/winbase.h (which may be owned by mingw):

#define SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE 0x2

and in winsup/cygwin/path.cc(symlink_native) like:

/* Try to create native symlink. */
if (!CreateSymbolicLinkW (final_newpath->Buffer, final_oldpath->Buffer,
#ifdef SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE
SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE |
#endif
(win32_oldpath.isdir ()
? SYMBOLIC_LINK_FLAG_DIRECTORY : 0)))

but may need W10 build 14972 checks, and any privilege checks disabled.

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple

Corinna Vinschen

2017-04-24 09:09:30 UTC

Permalink

Post by Brian Inglis

Post by Till Riedel

CreateSymbolicLink
To enable the new behavior when using the CreateSymbolicLink API,
Value Meaning
SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE
0x2 Specify this flag to allow creation of symbolic links when the
process is not elevated
So Cygwin patches are required to winsymlinks:native/strict handling
#define SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE 0x2
/* Try to create native symlink. */
if (!CreateSymbolicLinkW (final_newpath->Buffer, final_oldpath->Buffer,
#ifdef SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE
SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE |
#endif
(win32_oldpath.isdir ()
? SYMBOLIC_LINK_FLAG_DIRECTORY : 0)))
but may need W10 build 14972 checks, and any privilege checks disabled.

Unfortunately the flag can't be used blindly because older versions of
Windows will return ERROR_INVALID_PARAMETER when adding this flag, so we
definitely need a version check.

I'm also running an Enterprise edition of W10 which didn't get the
Creator's update yet and the "Update Assistant" doesn't support the
Enterprise edition either.

I'm also going offline for all of May, so this might take a bit.

Corinna

--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat

Corinna Vinschen

2017-04-24 16:09:39 UTC

Permalink

Post by Corinna Vinschen

Post by Brian Inglis

Post by Till Riedel
I was really excited to hear this!
I tried to export CYGWIN="winsymlinks:nativestrict" and create
symlink without elevation and failed on cygwin 2.8.0 (checked that
"cmd /C mklink" works as expected in Windows 10 Creators Update
Developer Mode).
Any ideas if there are any extra checks that lead to "Operation not
permitted"?
Windows seemingly even allows symlinks to nonexistent files (I
somehow think there was a problem with that in the past). For me
personally this would a strong reason to switch to real symlinks.

[...]
if (!CreateSymbolicLinkW (final_newpath->Buffer, final_oldpath->Buffer,
#ifdef SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE
SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE |
#endif
(win32_oldpath.isdir ()
? SYMBOLIC_LINK_FLAG_DIRECTORY : 0)))
[...]

Unfortunately the flag can't be used blindly because older versions of
Windows will return ERROR_INVALID_PARAMETER when adding this flag, so we
definitely need a version check.
I'm also running an Enterprise edition of W10 which didn't get the
Creator's update yet and the "Update Assistant" doesn't support the
Enterprise edition either.
I'm also going offline for all of May, so this might take a bit.

Having said that, I just added code to handle this new flag(*) and
uploaded new developer snapshots to https://cygwin.com/snapshots/

Please test. What I'm especially interested in is this:

Assuming you're running W10 1703, and further assuming you did NOT
activate the developers option. Running this in a non-elevated
shell:

$ export CYGWIN="winsymlinks:nativestrict"
$ ln -s foo bar

should always fail then, just like on previous versions of Windows.

The question is this: What error do you get? "Permission denied" or
"Invalid argument"?

Thanks,
Corinna

--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat

David Macek

2017-04-24 16:52:36 UTC

Permalink

ver

Microsoft Windows [Version 10.0.15063]

$ uname -a
CYGWIN_NT-10.0 mew 2.8.1(0.310/5/3) x86_64 Cygwin

=== Developer mode DISabled, non-elevated Administrators account

echo > foo
mklink bar foo

You do not have sufficient privilege to perform this operation.

$ export CYGWIN="winsymlinks:nativestrict"
$ touch foo
$ ln -s foo bar
ln: failed to create symbolic link 'bar': Operation not permitted

=== Developer mode ENabled, non-elevated Administrators account

$ export CYGWIN="winsymlinks:nativestrict"
$ touch foo
$ ln -s foo bar
$ rm bar

echo > foo
mklink bar foo

symbolic link created for bar <<===>> foo

del bar

--
David Macek

Corinna Vinschen

2017-04-24 17:07:08 UTC

Permalink

Post by David Macek

ver

Microsoft Windows [Version 10.0.15063]
$ uname -a
CYGWIN_NT-10.0 mew 2.8.1(0.310/5/3) x86_64 Cygwin
=== Developer mode DISabled, non-elevated Administrators account

echo > foo
mklink bar foo

EPERM? That's fine, actually.

Thanks!

Corinna

--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat