This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: CYGWIN=ntsec, "cp -a", and NT acls


Rob Walker wrote:

> [RGW] Hm, looks simple...  Why isn't this part of "cp -a" ?

You have to understand the history of things.  In the classic unix
world, a file has an owner, a group, a mode, and several timestamps. 
From the standpoint of what "cp -a" can manipulate portably, that's
basically it.  All of those things are neatly returned by stat(3) and
are easily settable/copyable across various filesystems.

Extended attributes and/or ACLs are a relatively new introduction --
'new' relative to the fact that traditional unix filesystems are more
than 30 years old.  They are also inherently very filesystem and
operating system-specific: everybody does it slightly differently. 
Check out this overview of the subtle differences of a dozen different
platforms' ACL APIs:
<http://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob_plain;f=doc/acl-resources.txt;hb=HEAD>.

It's very hard for a general program like 'cp' to know about all these
various ACL APIs, let alone have any idea how it would go about
translating the semantics of one to another, which would be required for
copying across two different filesystems.  Remember that 'cp' comes from
GNU coreutils which is a set of generic tools that target dozens of
various *nix-ish platforms, whereas the implementations of the getfacl
and setfacl commands come from Cygwin itself which has the specific
knowledge of Windows NT ACLs.

> [RGW] This differs from my experience.  Many Windows tools are able to 
> (built to?) twiddle +R and overwrite.  They do not seem to be able to 
> handle when the ACLs deny them permission, though.

Again, attributes have zero to do with security or permissions.  They
are just a few extra advisory bits that the application (or C runtime)
is free to interpret in any way it wants; they offer nothing in the form
of OS-enforced restrictions.  The Cygwin feature of using the 'backup
privilege' to emulate root semantics is about bypassing ACLs, not
attributes.

Brian
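
The portable metadata set described in the message above (owner, group, mode, timestamps, all taken from stat), as an added example that is not part of the original message and is not coreutils code. The function names and the temporary sample files are hypothetical and constructed for illustration.

```python
import os
import stat
import tempfile

def classic_metadata(path):
    """Return the classic unix metadata that stat() reports for a file."""
    st = os.stat(path)
    return {
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mode": stat.S_IMODE(st.st_mode),   # permission bits only
        "atime_ns": st.st_atime_ns,
        "mtime_ns": st.st_mtime_ns,
    }

def copy_classic_metadata(src, dst):
    """Apply src's owner, group, mode and timestamps to dst.

    Returns the names of fields that could not be set. ACLs and extended
    attributes are not in the stat() result, so nothing here carries them.
    """
    meta = classic_metadata(src)
    failed = []
    try:
        # Changing ownership normally needs privilege; report instead of abort.
        os.chown(dst, meta["uid"], meta["gid"])
    except (OSError, AttributeError):
        failed.append("owner/group")
    # chmod after chown, because chown may clear setuid/setgid bits.
    os.chmod(dst, meta["mode"])
    os.utime(dst, ns=(meta["atime_ns"], meta["mtime_ns"]))
    return failed

def demo():
    """Constructed sample: two temp files, metadata copied from one to the other."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "src.txt"), os.path.join(d, "dst.txt")
        for p in (src, dst):
            with open(p, "w") as f:
                f.write("sample\n")
        os.chmod(src, 0o640)
        os.utime(src, ns=(1_000_000_000 * 10**9, 1_100_000_000 * 10**9))
        failed = copy_classic_metadata(src, dst)
        return classic_metadata(src), classic_metadata(dst), failed

if __name__ == "__main__":
    print(demo())
```

Any access control the source file has beyond these five fields is absent from the copy, which is why the ACL has to be transferred separately with a platform-specific tool.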
