This is the mail archive of the cygwin mailing list for the Cygwin project.



[TESTERS needed] New POSIX permission handling


Hi folks,


I just applied a patch I've been working on for quite some time now.  As I
outlined before on this list, the POSIX permission handling has aged
considerably and, for historical reasons, did things differently
dependent on the calling function.  I took the time to reimplement the
core functionality to handle all ACLs as strictly following POSIX ACL
rules as possible.

Cygwin now generates ACLs in a certain way, always following the same
construction rules.  The new ACLs are always recognizable as Cygwin
ACLs.  They always start with an Access-Denied ACE for the NULL SID with
certain bits set.  Any ACL not starting this way is handled as a
non-Cygwin or "old style" ACL, but still trying to evaluate the ACL as
strictly following POSIX rules as possible.

Two other noticeable changes from before:

- To accommodate Windows default ACLs, the new code ignores SYSTEM and
  Administrators group permissions when computing the MASK/CLASS_OBJ
  permission mask on old ACLs, and it doesn't deny access to SYSTEM and
  Administrators group based on the value of MASK/CLASS_OBJ when
  creating the new ACLs.

  That means, even if SYSTEM or Administrators have full access to the
  file, the POSIX permission bits will not reflect that fact.  And while
  other users get access denied based on the mask value, SYSTEM and
  Administrators will never get access denied based on the mask.

  This should help in Cygwin<->Windows interoperability.

- The new code now handles the S_ISGID bit on directories as on Linux:
  Setting S_ISGID on a directory causes new files and subdirs created
  within to inherit its group, rather than the primary group of the user
  who created the file.

  But note that this only works for files and directories created by
  Cygwin processes.  The group change is not supported automagically by
  Windows, so the process creating the new file has to change the file
  group silently after creating the file.

Apart from bugfixing the aforementioned code, there's still work to do
on the getfacl and setfacl tools:

- The getfacl tool needs an extension in output to print the effective
  permissions on users and groups restricted by the mask value.

- The setfacl tool needs code to compute the new mask value, just as
  on Linux.

I'm looking into that next week.

Please give the new code a try.  I uploaded new 2015-04-10 developer
snapshots to https://cygwin.com/snapshots/

Probably next week I will also create a test release which can be
installed via setup-x86{_64}.exe.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
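
The mask rule described in the message above, as an added example that is not part of the original mail and is not Cygwin's source code: a simplified C model of the POSIX rule that MASK/CLASS_OBJ is the union of the named-user, owning-group and named-group permissions, with SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544) left out as the mail describes. The struct layout, the function names and the account SIDs in the sample ACL are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum kind { USER_OBJ, USER, GROUP_OBJ, GROUP, OTHER };
struct entry { enum kind kind; const char *sid; unsigned perm; /* rwx = 4|2|1 */ };

/* Constructed sample of an "old style" ACL; the S-1-5-21-... SIDs are made up. */
const struct entry sample_acl[] = {
    { USER_OBJ,  "S-1-5-21-1-2-3-1001", 07 },  /* file owner */
    { USER,      "S-1-5-18",            07 },  /* SYSTEM (well-known SID) */
    { GROUP,     "S-1-5-32-544",        07 },  /* Administrators (well-known SID) */
    { GROUP_OBJ, "S-1-5-21-1-2-3-513",  04 },  /* owning group */
    { USER,      "S-1-5-21-1-2-3-1002", 05 },  /* named user */
    { OTHER,     "S-1-1-0",             04 },  /* Everyone */
};
const size_t sample_n = sizeof sample_acl / sizeof sample_acl[0];

/* Named users, the owning group and named groups are subject to the mask;
   SYSTEM and Administrators are exempt, as the mail describes. */
static int in_mask_class(const struct entry *e)
{
    if (e->kind == USER_OBJ || e->kind == OTHER) return 0;
    return strcmp(e->sid, "S-1-5-18") && strcmp(e->sid, "S-1-5-32-544");
}

/* MASK/CLASS_OBJ: union of the permissions of every entry in the mask class. */
unsigned compute_mask(const struct entry *acl, size_t n)
{
    unsigned mask = 0;
    for (size_t i = 0; i < n; i++)
        if (in_mask_class(&acl[i]))
            mask |= acl[i].perm;
    return mask;
}

/* Effective permission of one entry: restricted by the mask unless exempt. */
unsigned effective(const struct entry *e, unsigned mask)
{
    return in_mask_class(e) ? (e->perm & mask) : e->perm;
}

int main(void)
{
    printf("computed mask: %o\n", compute_mask(sample_acl, sample_n));
    for (size_t i = 0; i < sample_n; i++)   /* effective rights under a tighter mask r-- */
        printf("%-20s perm %o effective %o\n", sample_acl[i].sid,
               sample_acl[i].perm, effective(&sample_acl[i], 04));
    return 0;
}
```

With SYSTEM and Administrators counted, the sample's mask would be rwx; leaving them out gives r-x, which is the point of the exemption for Windows default ACLs.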
