This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: Too Many Permissions Stripped In 1.7.35?
- From: Andrey Repin <anrdaemon at yandex dot ru>
- To: Corinna Vinschen <cygwin at cygwin dot com>, cygwin at cygwin dot com
- Date: Fri, 27 Feb 2015 04:43:27 +0300
- Subject: Re: Too Many Permissions Stripped In 1.7.35?
- Authentication-results: sourceware.org; auth=none
- References: <CADi7v6JajieaQGq3N5LY2Ck2m7SiOTci6au5t7RL4gxZdvBgEw at mail dot gmail dot com> <87twy8cv4k dot fsf at Rainer dot invalid> <20150226202836 dot GB10024 at calimero dot vinschen dot de> <CADi7v6LLEhH9Dn3X3+W4Fk2=r7brDKuSHoJT3f7P31FX8523fg at mail dot gmail dot com> <20150226205736 dot GA10870 at calimero dot vinschen dot de> <CADi7v6+u=92JZUjJ85xwuELFDm7-O4i5+Js_aWVV=6F-wHxatQ at mail dot gmail dot com> <20150226222931 dot GA11124 at calimero dot vinschen dot de> <20150226225126 dot GE11124 at calimero dot vinschen dot de>
- Reply-to: cygwin at cygwin dot com
Greetings, Corinna Vinschen!
>> Having discussed this, I can understand that it may be desirable to
>> skip the permissions of the SYSTEM account in these circumstances:
>>
>> - Computing the POSIX ACL mask and default mask value and thus in
>> the permission mask as printed by `ls -l'.
SYSTEM is Windows equivalent of 'root' account. While in Linux root have
implicit rights, this is not true for Windows. You have to, either, explicitly
grant access rights for SYSTEM, or, again, explicitly grant SeBackup/Restore
privilege to relevant user.
Said that, SYSTEM account should be treated as implicit and ignored, unless
directly mentioned as file owner, as you suggested.
> Trying to be more exact:
> - Right now, the POSIX ACL mask value includes the permissions of the
> SYSTEM account, if it's in the ACL. The function collecting the ACL
> entries can easily skip adding the permissions of SYSTEM to the mask
> value. Thus, the mask value only reflects the permissions of all
> other users and groups, and so ls -l will not show rwx group perms
> only because SYSTEM has rwx perms. Example:
> Today:
> $ getfacl .ssh/authorized_keys
> # file: authorized_keys
> # owner: corinna
> # group: vinschen
> user::rw-
> group::---
> group:SYSTEM:rwx
> mask:rwx <= !!!!!
> other:---
> [~/.ssh](64)$ ls -l authorized_keys
> -rw-rwx---+ 1 corinna vinschen 1025 Jun 15 2014 authorized_keys
> ^^^
> !!!
> With the proposed change:
> # file: authorized_keys
> # owner: corinna
> # group: vinschen
> user::rw-
> group::---
> group:SYSTEM:rwx
> mask:--- <= !!!!!
> other:---
> [~/.ssh](64)$ ls -l authorized_keys
> -rw-------+ 1 corinna vinschen 1025 Jun 15 2014 authorized_keys
> ^^^
> !!!
>> - Changing SYSTEM permissions when calling chmod, unless SYSTEM is the
>> file's owning group.
> A chmod can easily skip the SYSTEM ACE when applying the group perms
> to all secondary users and groups in the ACL. So a SYSTEM rwx stays
> rwx. Unless, of course, SYSTEM is the owning group of the file.
> Example:
> Today:
> $ chmod 600 .ssh/authorized_keys
> $ getfacl .ssh/authorized_keys
> # file: authorized_keys
> # owner: corinna
> # group: vinschen
> user::rw-
> group::---
> group:SYSTEM:--- <= !!!!!
> mask:---
> other:---
> With the proposed change:
> $ chmod 600 .ssh/authorized_keys
> $ getfacl .ssh/authorized_keys
> # file: authorized_keys
> # owner: corinna
> # group: vinschen
> user::rw-
> group::---
> group:SYSTEM:rwx <= !!!!!
> mask:---
> other:---
>> Changing this in the code is pretty straightforward. but I'm not willing
>> to add another mount option for this behaviour. Either Cygwin ignores
>> SYSTEM in the aforementioned circumstances or it doesn't.
>>
>> Crucial vote starting... now.
--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 27.02.2015, <04:38>
Sorry for my terrible english...
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple