This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: group permissions


On Feb 10 11:48, Achim Gratz wrote:
> Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > Here's the problem:  Windows doesn't support an ACL_MASK entry, nor
> > anything even remotely resembling it.
> 
> Right.  And pretending that it does is doing more harm than good, IMHO.
> 
> > o The other way to emulate writing an ACL_MASK entry would be to drop
> >   permissions from all groups and secondary users so they match the
> >   desired mask value.  This is secure, but in contrast to the other
> >   solution it would change the secondary permissions permanently.
> >   Changing the mask back would not change the permissions of the
> >   secondary ACL entries back.
> 
> Please note that the typical user in a corporate environment has no
> rights to do this on network shares and even if (s)he did, it would quite
> often break things for other users and is certain to draw the ire of the
> share administrators just as if you'd do the same thing via Windows' own
> tools.  So please do not do this by default, there are just too many scripts
> that blindly use some chmod somewhere.
> 
> > o Cygwin could emulate the mask by adding an Access-denied ACE for the
> >   authenticated user SID (S-1-5-11) right after the primary group entry.
> >   The permissions in this ACE are the x'or value of the permissions
> >   given in the mask.  Such an ACL would basically look like this:
> 
> Same issue as above, except it would be more easily reversible.

The permissions to change the ACL are not overly relevant here.  The
reason is, if the user has no permissions to write the DACL, it won't be
able to chmod anyway.  So, whatever we do to implement ACL_MASK, it's ok
even in a corp env, because the user apparently has the right to change
the DACL and thus it doesn't matter.

> If anybody feels really strongly about these issues, they can always mount
> "noacl".  We'll just have to live with how Windows implements ACL otherwise.

True.  Noacl mounts are the way to go in case of what you describe,
having no perms to write the DACL, even if the files are owned by
the user.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
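The two ACL_MASK emulation strategies quoted above can be compared with a small simulation. The following is an added, constructed example written for this archive page; it is not Cygwin code and not part of the thread. It reduces permissions to rwx bits, evaluates a DACL with the simplified rule "for each bit, the first ACE naming one of the caller's SIDs and carrying that bit decides", and uses placeholder SIDs (`S-owner`, `S-grp`, `S-dev`, `S-alice`) apart from the Authenticated Users SID S-1-5-11 named in the thread. The layout of the deny-ACE variant follows the quoted description literally (owner, primary group, deny ACE, then secondary entries); real Windows evaluation with generic rights, inheritance and the Everyone SID is not modelled.

```python
# Constructed simulation of the two ACL_MASK emulation strategies discussed
# in the thread. Illustrative code, not Cygwin's implementation: permissions
# are reduced to rwx bits, SIDs other than S-1-5-11 are placeholders, and the
# DACL evaluation is the simplified "first matching ACE per bit" rule.

R, W, X = 4, 2, 1
ALL = R | W | X
ALLOW, DENY = "allow", "deny"
AUTHENTICATED_USERS = "S-1-5-11"   # the SID named in the thread


def posix_effective(acl, uid, gids):
    """Effective rwx bits under POSIX.1e rules: the mask caps named users,
    the owning group and named groups, but not the owner or 'other'."""
    mask = acl.get("mask", ALL)
    if uid == acl["owner"][0]:
        return acl["owner"][1]
    for user, perms in acl.get("users", []):
        if user == uid:
            return perms & mask
    granted, matched = 0, False
    for group, perms in [acl["group"]] + acl.get("groups", []):
        if group in gids:
            matched, granted = True, granted | perms
    if matched:
        return granted & mask
    return acl["other"]


def dacl_effective(dacl, sids):
    """Effective bits from an ordered DACL: for each bit, the first ACE that
    names one of the caller's SIDs and carries that bit decides. Position,
    not ACE type, is what lets a deny ACE win over later allow ACEs."""
    result = 0
    for bit in (R, W, X):
        for kind, sid, bits in dacl:
            if sid in sids and bits & bit:
                if kind == ALLOW:
                    result |= bit
                break
    return result


def mask_by_deny_ace(owner, group, secondary, mask):
    """Layout from the thread: owner, primary group, then a deny ACE for
    Authenticated Users holding the bits that are NOT in the mask
    (ALL ^ mask, the "x'or" of the mask), then the secondary allow ACEs."""
    dacl = [(ALLOW, owner[0], owner[1]), (ALLOW, group[0], group[1])]
    denied = ALL ^ mask
    if denied:
        dacl.append((DENY, AUTHENTICATED_USERS, denied))
    dacl.extend((ALLOW, sid, perms) for sid, perms in secondary)
    return dacl


def mask_by_dropping_bits(owner, group, secondary, mask):
    """The other strategy: clear the non-mask bits from every secondary
    entry. The original bits are not recorded anywhere in the DACL."""
    dacl = [(ALLOW, owner[0], owner[1]), (ALLOW, group[0], group[1])]
    dacl.extend((ALLOW, sid, perms & mask) for sid, perms in secondary)
    return dacl


def clear_mask(dacl):
    """Undo a mask: drop the Authenticated Users deny ACE if present."""
    return [ace for ace in dacl
            if not (ace[0] == DENY and ace[1] == AUTHENTICATED_USERS)]


# Constructed sample: owner rwx, primary group r-x, secondary group "S-dev"
# rwx, named user "S-alice" rw-, mask r-x. All SIDs except S-1-5-11 are placeholders.
OWNER = ("S-owner", R | W | X)
GROUP = ("S-grp", R | X)
SECONDARY = [("S-dev", R | W | X), ("S-alice", R | W)]
MASK = R | X
POSIX_ACL = {"owner": OWNER, "group": GROUP, "users": [SECONDARY[1]],
             "groups": [SECONDARY[0]], "mask": MASK, "other": R}

# Authenticated callers carry S-1-5-11 in their token next to their own SIDs.
BOB = {"S-bob", "S-dev", AUTHENTICATED_USERS}      # member of the secondary group
ALICE = {"S-alice", AUTHENTICATED_USERS}            # the named user


def compare(sids, uid, gids):
    """Effective bits under POSIX, under both emulations, and after the mask
    is cleared again, so the reversibility of each strategy is visible."""
    deny = mask_by_deny_ace(OWNER, GROUP, SECONDARY, MASK)
    drop = mask_by_dropping_bits(OWNER, GROUP, SECONDARY, MASK)
    return {
        "posix": posix_effective(POSIX_ACL, uid, gids),
        "deny_ace": dacl_effective(deny, sids),
        "deny_ace_unmasked": dacl_effective(clear_mask(deny), sids),
        "dropped_bits": dacl_effective(drop, sids),
        "dropped_bits_unmasked": dacl_effective(clear_mask(drop), sids),
    }


if __name__ == "__main__":
    for name, sids, uid, gids in (("bob", BOB, "S-bob", {"S-dev"}),
                                  ("alice", ALICE, "S-alice", set())):
        print(name, {k: f"{v:03b}" for k, v in compare(sids, uid, gids).items()})
```

Running it shows the point made in the reply: with the deny ACE in place a member of the secondary group gets r-x (rwx capped by the mask), and removing that single ACE gives rwx back; with the bit-dropping strategy the same member also gets r-x, but there is nothing left in the DACL to restore, so removing the "mask" changes nothing. The owner's own allow ACE sits before the deny ACE and is therefore unaffected, matching the POSIX rule that the mask does not apply to the owner.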
