Re[2]: Issues with ACL settings after updating to the latest cygwin.dll

[xnor <xnoreq at gmail dot com>]

> Which warning do you mean here?
The "permissions out of order" one. This was not the case before, at 
least not on my installation, so I don't see how this can be called 
normal.


> Come on, be fair.  The new ACL handling started out early 2015, got a
> break when I realized that it doesn't work as is, and then got a new
> test phase starting back in September.  Except for minor bugs it seemed
> to work rather well.  Nobody reported this effect in all the 4 months 
> of
> test period.  You don't actually think I wouldn't have fixed it prior
> to the release if I had known about it, do you?
2.4.0-1 was released ~3 weeks ago. I had actually upgraded a few days 
earlier to a TEST version and noticed that a cygwin downloaded exe 
couldn't be executed but assumed the exe was corrupt and didn't 
investigate...
Then a few days ago the same thing happened again. Now I'm here.

Anyway, clearly most users are just that: users, and not testers that 
will install and test TEST versions.


> They are not supposed to be modifiable in Explorer.  If you want to
> change permissions on a Cygwin ACL, use chmod or setfacl.
Is this a joke?


> >  Here is the output from icacls /saveacl for some file:
> >  
> > D:P(D;;RPWPDTRC;;;S-1-0-0)(A;;0x1f019f;;;S-1-5-21-559282050-488988736-2019639472-1001)(D;;WP;;;AU)(D;;WP;;;SY)(D;;WP;;;BA)(D;;WP;;;BU)(A;;FR;;;S-1-5-21-559282050-488988736-2019639472-513)(A;;0x1201bf;;;AU)(A;;0x1201bf;;;SY)(A;;0x1201bf;;;BA)(A;;0x1200a9;;;BU)(A;;FR;;;WD)
> Doh, I'm sorry, but I can't read this format very well.  Can you please
> again send the standard icacls output as well as the output from 
> getfacl
> of the parent dir and the created file?  I'd like to have this problem
> fixed, but I need your help.  As I said, it works fine for me and 
> without
> being able to reproduce I'm somewhat at a loss.
You can import this by putting it in a textfile and using icacls 
testfile /restore acl.txt.
As I've said before, my Windows is German. icacls output will be 
localized. Do you really want that?
What I posted is the only portable way to share ACLs.


> >  Here is what's "normal" for Windows if I create a file under a new 
> > folder on
> >  C: in Explorer:
>
> If you don't want POSIX perms, but standard Windows perms, use the 
> "noacl"
> mount option.  See 
> https://cygwin.com/cygwin-ug-net/using.html#mount-table
I guess that is my only option right now.

> >  Here is what I would expect:
> >  MyUser is in the group Administrators. Given the inherited 
> > permissions above
> >  a Windows-created file should be shown as "-rwxrwxr--+ MyUser
> >  Administrators"?
>
> Sorry, can't do that, *unless* you make "Administrators" the primary
> group in your user token(*).
Ok, so the group is "None". No big deal.

So what about fixing the permissions like I described?
So the permissions would be "-rwx------+ MyUser None" in Cygwin for a 
Windows-created file with default ACL.

By using the inherited default ACLs there should be at most 3 additional 
ACLs (+1 for NULL SID whatever that is doing):
- deny r/w/x for user ("MyUser")
- allow r/w/x for group ("None")
- allow r/w/x for other ("Everyone")

And leaving the inherited ones untouched, right?
But if you scroll up you will see that in my system Cygwin kills the 
inheritance and I end up with 12 new ACL entries for each file.


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple