This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-0.7


On Apr 22 20:35, Achim Gratz wrote:
> Corinna Vinschen writes:
> > Hmm.  Can you try the same with the latest developer snapshot I just
> > created?  I found this problem which created undesired DENY ACEs,
> > maybe this was the reason /knock on wood/.
> 
> I ran out of time, but I've managed to install the snapshot and did a
> quick test before going home.  The ACL looks saner than before and I can
> regain access via chmod, so that's good.  The basic problem however
> remains and I'm really not sure if that's a bug in rsync or in Cygwin or
> even a bug at all.
> 
> The file to be copied has, as stated before, access granted only via a
> share group (actually three of them, but that's not a factor).  So
> CREATOR OWNER, CREATOR group, the original owner of the file and myself
> (owner of the newly created file) have no DACL entry on the original
> file and the resulting file mode is "---rwx---+".  For "rsync -av" this
> means that after the copy the mode is set to 0060 and that explicitly
> locks out (via DENY) CREATOR OWNER CREATOR GROUP and myself.  That gives
> the same POSIX modes, but not the same access rights of course.  For
> "rsync -av --acls" the same happens and then some ACL are copied over
> from the original file, which still doesn't get me access since the
> DENY ACL is first in the list.
> 
> This might be a hole in the ACL mapping to POSIX file modes.  The way I
> see it the reported file mode should actually be "rwxrwx---+" for the
> original file since that's the effective access granted by Windows and
> there are no POSIX flags on the original file (via NULL SID).  Just like
> on POSIX (where it's done via mask) the user flags can only be cleared
> in this situation by an explicit chmod (which then gets implemented via
> DENY ACL I suppose).

You may be right here.  The problem is that we have two kinds of ACLs
to handle, the ones created by Windows means, and the ones created
by recent or older Cygwin versions.  It's rather bad that we can't
distinguish them.

But then, how do you check an arbitrary ACL for the effective rights
it creates for all affected parties?  I may be missing some API function.
but I don't see a Windows function generating some kind of effective
ACL.  There's only the function AccessCheck() which gets a token and an
ACL as input and then tells you the effective rights of the user with
this token.  This gets very slow and complicated, very quickly.

I hate to admit defeat, but it also seems that the method I used to
handle real vs. effective rights just doesn't work as desired.  In
theory we don't want the DENY ACEs having any effect before visiting the
ALLOW ACEs.

Ideally the DENY ACEs should only point out what the real access rights
are, and they should secure the access against the next group, along
the lines of

  NULL     DENY
  user1    ALLOW	# Only effective rights
  user2    ALLOW	# ...
  user1    DENY		# Point out real permissions, somehow
                          Secure against excess group permissions
  user2    DENY		# ...
  group1   ALLOW	# As above
  group2   ALLOW	# ...
  group1   DENY		# As above, secure against excess Everyone perms
  group2   DENY		# ...
  other    ALLOW

This needs yet another rewrite, but this will take a lot longer than
this first cut.  I guess we should create a new Cygwin release without
this new ACL handling change for now to get the bugfixes out.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: pgpi8LxZof1h_.pgp
Description: PGP signature


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]