This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: ntsec, passwd, and group issues again


On Wed, Aug 01, 2001 at 04:40:34PM -0700, Steve Jorgensen wrote:
> OK, this time, I've read the manual, and I thought I understood exactly 
> what ntsec is supposed to do with file permissions and ownership and how 
> the /etc/passwd and /etc/group files are used.  I started experimenting, 
> and find that I'm obviously still somewhat confused.

The below description is probably because you have the "propagate
inheritable permissions to this object" set on nearly everything
on the box. That's the default behaviour on NT/W2K, and Cygwin
unfortunately sets permissions so that they are inherited to
subfolders and files as well, up to 1.3.2.

This results (as in your case) in a colorful mess of permissions,
some of them explicitly set on the object by Cygwin and some of
them inherited from parent directories.

The next Cygwin version will not set inheritance for permissions
but it can't switch that off automatically for already existing
directory trees.

The problem is the complexity of the NTFS permissions. It's not
easy to understand them and all their effects, especially if you
can only learn it the do-it-yourself way.

Corinna

> The good news is, now I can function.  I can run tar -xvzf <package>, and I 
> don't end up with permission errors trying to extract files into the newly 
> created directories.  I still don't understand the permissions that are 
> applied to created files and directories, however.
> 
> There is a domain user called SJDeveloper1 who is a member of domain group 
> SJDevelopers.  I set up the passwd and group files so SJDeveloper1 has 
> SJDevelopers as primary group.  If I run Cygwin bash as this user, 
> echo aaa > aaa, and check the permissions in Explorer (yes, I know/understand 
> not to click OK afterward), I see that SJDeveloper1 is the owner, but permission 
> entries exist only for Administrator, Everyone, and None.  Shouldn't there 
> be an entry for SJDeveloper1's default group, SJDevelopers?
> 
> Next, from the Cygwin bash prompt:
> 
> 	$ find -printf "%f %g %u\n"
> 	. SJDevelopers SJDeveloper1
> 	aaa SJDevelopers SJDeveloper1
> 
> OK, that looks like it should, though I'm not sure how it's determining 
> what group to report.
> 
> Next, from the Cygwin bash prompt:
> 
> 	$ chmod -w aaa
> 	chmod: changing permissions of `aaa': Permission denied
> 
> What?  I thought I owned the file - can't I do anything I want with 
> permissions?
> 
> OK, try working as user sjwkstnadmin - member of Administrators on local 
> machine (and Domain Users).  sjwkstnadmin is set up in /etc/passwd to have 
> local Administrators group as default.
> 
> When I do the echo aaa > aaa and check permissions in Explorer, I see 
> something plausibly right, though some points I don't get.  I see 
> sjwkstnadmin is the owner, and I see permission settings for...
> 
> <machine>/wkstnadmin (good - I didn't see permissions for self as 
> SJDeveloper1)
> <machine>\Administrator (not sure why, but no problem)
> <machine>\Administrators (good - default group for user)
> Everyone (good)
> <machine>\None (I thought this wasn't supposed to happen on domain with 
> proper passwd & group, but shouldn't matter, right?).
> 
> Now try...
> 
> 	$ find -printf "%f %g %u\n"
> 	. Administrators sjwkstnadmin
> 	aaa Administrators sjwkstnadmin
> 
> Looks good
> 
> 	$ chmod -w aaa
> 
> 	sjwkstnadmin@SJDEV01 ~
> 	$ ls -l
> 	total 1
> 	-r--r--r--    1 sjwkstna Administ        4 Aug  1 16:16 aaa
> 
> All OK.
> Now, look at permissions in Explorer again.  All looks OK except 
> <machine>\Administrator retains full control (why?), and <machine>\None 
> retains write permission (OK, I guess since not usable).
> 
> Below are copies of my /etc/passwd and /etc/group file contents if needed:
> 
> /etc/passwd
> ------------------
> Everyone:*:100:100:,S-1-1-0::
> SYSTEM:*:18:18:,S-1-5-18::
> Administrators:*:1:0:,S-1-5-32-544::
> Administrator::10500:10512:,S-1-5-21-455485110-1572165696-1819828000-500:/home/Administrator:/bin/bash
> Guest::10501:10514:,S-1-5-21-455485110-1572165696-1819828000-501:/home/Guest:/bin/bash
> NewSystem::11011:10513:New System,S-1-5-21-455485110-1572165696-1819828000-1011:/home/NewSystem:/bin/bash
> SJDeveloper1::11008:11009:Steve Jorgensen (at home),S-1-5-21-455485110-1572165696-1819828000-1008:/home/SJDeveloper1:/bin/bash
> SJNTDomainAdmin::11005:10512:SJNT Domain Admin,S-1-5-21-455485110-1572165696-1819828000-1005:/home/SJNTDomainAdmin:/bin/bash
> sjwkstnadmin::11020:0:Workstation Administrator,S-1-5-21-455485110-1572165696-1819828000-1020:/home/sjwkstnadmin:/bin/bash
> SQLAgentCmdExec::11015:10513:SQLAgentCmdExec,S-1-5-21-455485110-1572165696-1819828000-1015:/cygdrive/c:/bin/bash
> SQLExecutiveCmdExec::11006:10513:SQLExecutiveCmdExec,S-1-5-21-455485110-1572165696-1819828000-1006:/cygdrive/c:/bin/bash
> SteveJVPN::11014:10513:SteveJVPN,S-1-5-21-455485110-1572165696-1819828000-1014:/home/SteveJVPN:/bin/bash
> Yraina::11010:10513:Yraina Chantres,S-1-5-21-455485110-1572165696-1819828000-1010:/home/Yraina:/bin/bash
> LocAdministrator::0:0:,S-1-5-21-1993962763-113007714-1202660629-500:/home/LocAdministrator:/bin/bash
> LocGuest::501:546:,S-1-5-21-1993962763-113007714-1202660629-501:/home/LocGuest:/bin/bash
> 
> /etc/group
> ------------------
> Everyone:S-1-1-0:100:
> SYSTEM:S-1-5-18:18:
> DomainAdmins:S-1-5-21-455485110-1572165696-1819828000-512:10512:
> DomainGuests:S-1-5-21-455485110-1572165696-1819828000-514:10514:
> DomainUsers:S-1-5-21-455485110-1572165696-1819828000-513:10513:
> SJDevelopers:S-1-5-21-455485110-1572165696-1819828000-1009:11009:
> Administrators:S-1-5-32-544:0:
> BackupOperators:S-1-5-32-551:551:
> Guests:S-1-5-32-546:546:
> PowerUsers:S-1-5-32-547:547:
> Replicator:S-1-5-32-552:552:
> Users:S-1-5-32-545:545:
> 
> 
> 
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Bug reporting:         http://cygwin.com/bugs.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
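
A consistency check for the mapping files quoted above, as an added example that is not part of the original messages: it parses the passwd layout (SID as the last comma-separated part of the gecos field) and the group layout (SID in the second field) shown in the post, then reports primary gids with no group entry, reused uids or gids, and users without a SID. The function names and the `orphan` entry are constructed for illustration; the other entries are unwrapped copies of lines from the post.

```python
from collections import Counter

# Unwrapped copies of entries from the post, plus one constructed entry ("orphan").
PASSWD = """\
Everyone:*:100:100:,S-1-1-0::
Administrators:*:1:0:,S-1-5-32-544::
SJDeveloper1::11008:11009:Steve Jorgensen (at home),S-1-5-21-455485110-1572165696-1819828000-1008:/home/SJDeveloper1:/bin/bash
sjwkstnadmin::11020:0:Workstation Administrator,S-1-5-21-455485110-1572165696-1819828000-1020:/home/sjwkstnadmin:/bin/bash
orphan::12000:12345:constructed entry,S-1-5-21-1-2-3-2000:/home/orphan:/bin/bash
"""
GROUP = """\
Everyone:S-1-1-0:100:
SJDevelopers:S-1-5-21-455485110-1572165696-1819828000-1009:11009:
Administrators:S-1-5-32-544:0:
"""

def parse_passwd(text):
    """name:pw:uid:gid:gecos:home:shell, with the SID as the last gecos part."""
    users = []
    for line in filter(str.strip, text.splitlines()):
        name, _pw, uid, gid, gecos, _home, _shell = line.split(":", 6)
        sid = gecos.rsplit(",", 1)[-1]
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "sid": sid if sid.startswith("S-1-") else None})
    return users

def parse_group(text):
    """name:SID:gid:members, the layout shown in the post."""
    groups = []
    for line in filter(str.strip, text.splitlines()):
        name, sid, gid, _members = line.split(":", 3)
        groups.append({"name": name, "gid": int(gid), "sid": sid})
    return groups

def audit(users, groups):
    """Return (primary-group map, findings) for the two parsed files."""
    by_gid = {g["gid"]: g for g in groups}
    primary = {u["name"]: by_gid.get(u["gid"]) for u in users}
    findings = [f"{n}: primary gid has no /etc/group entry"
                for n, g in primary.items() if g is None]
    for label, ids in (("uid", [u["uid"] for u in users]),
                       ("gid", [g["gid"] for g in groups])):
        findings += [f"{label} {i} is used {c} times"
                     for i, c in Counter(ids).items() if c > 1]
    findings += [f"{u['name']}: no SID in gecos field" for u in users if not u["sid"]]
    return primary, findings

if __name__ == "__main__":
    primary, findings = audit(parse_passwd(PASSWD), parse_group(GROUP))
    for name, grp in primary.items():
        print(name, "->", (grp["name"], grp["sid"]) if grp else None)
    print(findings)
```

When the entries from the post come back clean, as they do here, the mapping files are consistent with each other, and the unexpected ACL entries have to be explained by something other than these two files.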


