* ntsec.sgml: Add Pierre's Windows 2003 text.

4 files changed, 30 insertions, 12 deletions

diff --git a/winsup/doc/ChangeLog b/winsup/doc/ChangeLog
index 45c62348b..77b27f4eb 100644
--- a/winsup/doc/ChangeLog
+++ b/winsup/doc/ChangeLog
@@ -1,3 +1,8 @@
+2005-01-29  Joshua Daniel Franklin  <joshuadfranklin@yahoo.com>
+
+	* install.texinfo: Update setup.exe snapshot URL.
+	* ntsec.sgml: Add Pierre's Windows 2003 text.
+
 2005-01-28  Corinna Vinschen  <corinna@vinschen.de>
 
 	* how-using.texinfo: Change text about using shortcuts.
diff --git a/winsup/doc/Makefile.in b/winsup/doc/Makefile.in
index 87a72d107..45a0a4046 100644
--- a/winsup/doc/Makefile.in
+++ b/winsup/doc/Makefile.in
@@ -50,6 +50,7 @@ install:	all
 cygwin-ug-net.html : cygwin-ug-net.sgml doctool
 	-xmlto html-nochunks -m $(srcdir)/cygwin.dsl $<
 	-cp cygwin-ug-net.html cygwin-ug-net/cygwin-ug-net-nochunks.html
+	-rm -f cygwin-ug-net/cygwin-ug-net-nochunks.html.gz
 	-gzip cygwin-ug-net/cygwin-ug-net-nochunks.html
 
 cygwin-ug-net/cygwin-ug-net.html : cygwin-ug-net.sgml doctool
diff --git a/winsup/doc/install.texinfo b/winsup/doc/install.texinfo
index 49e88f2b4..10bbe469c 100644
--- a/winsup/doc/install.texinfo
+++ b/winsup/doc/install.texinfo
@@ -13,7 +13,7 @@ that the GUI installer is a "work in progress", so there might be a few
 difficulties, especially if you are behind a firewall or have other
 specific requirements.  If something doesn't work right for you, and
 it's not covered here or in the latest development snapshot at
-@file{http://cygwin.com/setup-snapshots/}, then by all means report it to the
+@file{http://cygwin.com/setup/}, then by all means report it to the
 mailing list.
 
 For a searchable list of packages that can be installed with Cygwin,
diff --git a/winsup/doc/ntsec.sgml b/winsup/doc/ntsec.sgml
index c366fd21f..4859feb48 100644
--- a/winsup/doc/ntsec.sgml
+++ b/winsup/doc/ntsec.sgml
@@ -737,21 +737,33 @@ etc.
 Context</title>
 
 <para>
-Since Cygwin release 1.3.3, applications having the
-<command>Create a process level token</command> user right can switch user
+Since Cygwin release 1.3.3, applications that are members of the
+Administrators group and have the <command>Create a token
+object</command>, <command>Replace a process level token</command> and
+<command>Increase Quota</command> user rights can switch user
 context without giving a password by just calling the usual
 <command>setuid</command>, <command>seteuid</command>,
-<command>setgid</command> and <command>setegid</command> functions.  This is
-typically only given to the SYSTEM user. However, this now allows to switch
-the user context using e. g. rhosts authentication or (when running sshd
-under SYSTEM account as service) public key authentication.
+<command>setgid</command> and <command>setegid</command> functions.  
 </para>
 <para>
-An important restriction of this method is that a process started under
-SYSTEM account can't access network shares which require authentication.
-This also applies to the subprocesses which switched the user context 
-without a password.  People using network home drives are typically not
-able to access it when trying to login using ssh or rsh without password.
+On NT and Windows 2000 the <systemitem
+class="username">SYSTEM</systemitem> user has these privileges and can
+run services such as <command>sshd</command>. However, on Windows 2003
+<systemitem class="username">SYSTEM</systemitem> lacks the
+<command>Create a token object</command> right, so it is necessary to
+create a special user with all the necessary rights, as
+well as <command>Logon as a service</command>, to run such services.
+For security reasons this user should be denied the rights to logon
+interactively or over the network. All this is done by configuration
+scripts such as <command>ssh-host-config</command>.
+</para>
+<para>
+An important restriction of this method is that a process started
+without a password cannot access network shares which require
+authentication.  This also applies to subprocesses which switched user
+context without a password.  Therefore, when using
+<command>ssh</command> or <command>rsh</command> without a password, it
+is typically not possible to access network drives.
 </para>
 
 </sect2>