This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Shares with strange ACL settings


On Aug 13 18:33, Corinna Vinschen wrote:
> On Aug 12 20:59, Achim Gratz wrote:
> > Corinna Vinschen writes:
> > >> I think so, but there are likely some corner cases.  But I think that
> > >> had been proposed and shot down already, so I was trying to come up with
> > >> something less intrusive.
> > >
> > > This is relatively unintrusive.  The current user token is always
> > > available.  So if owner == current user, for every group in the file's
> > > ACL just check if it's in the current user token and, if so, add the
> > > perms of that group to the owner perms.
> > >
> > > Sounds pretty neat as an intermediate solution to me.
> > 
> > I'd play the guinea pig for that snapshot… :-)
> 
> This puzzles me a bit.  As example you gave something like
> 
>   ----rwx---+ gratz Domain Users [...] foo
> 
> Given the code in recent Cygwin versions, this shouldn't happen if the
> user gratz is member of the Domain Users group.  The current code
> doesn't test all groups in the ACL, only the primary group, but that's
> sufficient in most cases.
> 
> So this could only happen if you modify the permissions of windows files
> using Cygwin tools and Cygwin helpfully generates a DENY ACE for the
> owner.
> 
> I'm just not exactly sure about the way to go to get these permissions
> in a non-artificial scenario.  But I can reproduce it like this:
> 
> - The file xxx has a primary group different from the group which has
>   permissions, e.g.:
> 
>     owner:  foo
>     pgroup: foo_group
> 
>     acl: 1 entry
>       bar_group: full control
> 
> - ls -l xxx
>   ----rwx---+ 1 foo foo_group 68565 Aug 10 10:37 xxx
> 
> - $ chmod g-w xxx
> 
> - Afterwards, the POSIX-like ACL looks like this:
>   $ icacls xxx
>   xxx foo:(DENY)(S,RD,REA,X)
>       foo:(D,Rc,WDAC,WO,RA,WA)
>       foo_group:(RX)
>       Everyone:(Rc,S,RA)
>       bar_group:(RX)

Oh, I get it.  This is *because* the current Cygwin doesn't check
membership of all groups in the ACL.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: pgpBMf20bXIOP.pgp
Description: PGP signature
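
Added example, not part of the original mail and not Cygwin source code: a simplified Python model of the reproduction above, comparing owner bits derived from the primary group only with owner bits derived from every ACL group in the user's token, and the DENY ACE that `chmod g-w` then needs. The function names, the membership of foo in bar_group, and the deny rule (deny the owner whatever the group grants beyond the owner bits) are assumptions chosen to match the `ls -l` and `icacls` output quoted in the mail.

```python
# Simplified model (added example, not Cygwin source code).
R, W, X = 4, 2, 1

def owner_bits(acl, owner, pgroup, token_groups, all_groups):
    """Owner permission bits derived from allow ACEs.

    all_groups=False: only the owner's ACE and the primary group's ACE count
                      (the behaviour the mail attributes to current Cygwin).
    all_groups=True:  every group ACE whose group is in the user's token counts
                      (the proposed intermediate solution).
    """
    bits = acl.get(owner, 0)
    for name, perms in acl.items():
        if name == owner or name not in token_groups:
            continue
        if all_groups or name == pgroup:
            bits |= perms
    return bits

def chmod_g_minus_w(owner_perm, group_perm):
    """Return (new_group, deny_for_owner) after 'chmod g-w'.

    Assumption: a deny ACE for the owner carries every bit the group grants
    but the owner bits lack, so group membership cannot exceed the owner bits.
    """
    new_group = group_perm & ~W
    return new_group, new_group & ~owner_perm

def fmt(bits):
    return "".join(c if bits & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))

def scenario(all_groups):
    # Constructed from the mail's reproduction: one ACE, bar_group full control.
    acl = {"bar_group": R | W | X}
    token = {"foo_group", "bar_group"}   # assumption: foo is in bar_group
    own = owner_bits(acl, "foo", "foo_group", token, all_groups)
    grp, deny = chmod_g_minus_w(own, R | W | X)  # group bits shown by ls: rwx
    return fmt(own), fmt(grp), fmt(deny)

if __name__ == "__main__":
    for label, flag in (("primary group only", False), ("all token groups", True)):
        own, grp, deny = scenario(flag)
        print(f"{label:20} owner={own} group={grp} deny-for-owner={deny}")
```

With the primary-group-only rule the owner reads as `---`, so the write-back denies `r-x` to foo, matching the `(DENY)(S,RD,REA,X)` entry above; with the all-groups rule no deny bits are needed.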

