This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: Files created with CYGWIN have "NULL SID:(DENY)" windows ACL, inter alia
- From: Andrey Repin <anrdaemon at yandex dot ru>
- To: Peter Binney <peter dot binney at gmail dot com>, cygwin at cygwin dot com
- Date: Sun, 22 Dec 2019 16:54:11 +0300
- Subject: Re: Files created with CYGWIN have "NULL SID:(DENY)" windows ACL, inter alia
- References: <CAJiKf6Ht6DA4hyVHWCocFwC5CNvkWNTMPZvitGdF-YyTgVYYfA@mail.gmail.com>
- Reply-to: cygwin at cygwin dot com
Greetings, Peter Binney!
> Creating a file using "> newfile", "icacls newfile" shows various DENY settings:
> newfile NULL SID:(DENY)(Rc,S,WEA,X,DC)
> JCPR-DELL-3\peter:(R,W,D,WDAC,WO)
> NT AUTHORITY\SYSTEM:(DENY)(S,X)
> BUILTIN\Administrators:(DENY)(S,X)
> BUILTIN\Users:(DENY)(S,X)
> JCPR-DELL-3\None:(R)
> NT AUTHORITY\SYSTEM:(RX,W)
> BUILTIN\Administrators:(RX,W)
> BUILTIN\Users:(RX,W)
> Everyone:(R)
> Whereas on a file created from Windows Explorer I see:
> New Text Document.txt BUILTIN\Users:(I)(M)
> Everyone:(I)(RX)
> JCPR-DELL-3\peter:(I)(F)
> BUILTIN\Administrators:(I)(F)
> NT AUTHORITY\SYSTEM:(I)(F)
> "mkpasswd" and "mkgroup"
Please use getent
> both show I (user "peter") have expected
> entries in /etc/passwd and /etc/group (I attach both)
Delete both from your system, they are not needed, except for extremely rare
cases.
> Running "whoami" commands from powershell shows:
> PS E:\temp> whoami /groups
> GROUP INFORMATION
> -----------------
> Group Name Type
> SID Attributes
> =============================================================
> ================ ============
> ==================================================
> Everyone
> Well-known group S-1-1-0 Mandatory group, Enabled by default,
> Enabled group
> NT AUTHORITY\Local account and member of Administrators group
> Well-known group S-1-5-114 Group used for deny only
> BUILTIN\Administrators Alias
> S-1-5-32-544 Group used for deny only
> BUILTIN\Performance Log Users Alias
> S-1-5-32-559 Mandatory group, Enabled by default, Enabled
> group
> BUILTIN\Users Alias
> S-1-5-32-545 Mandatory group, Enabled by default, Enabled
> group
> NT AUTHORITY\INTERACTIVE
> Well-known group S-1-5-4 Mandatory group, Enabled by default,
> Enabled group
> CONSOLE LOGON
> Well-known group S-1-2-1 Mandatory group, Enabled by default,
> Enabled group
> NT AUTHORITY\Authenticated Users
> Well-known group S-1-5-11 Mandatory group, Enabled by default,
> Enabled group
> NT AUTHORITY\This Organization
> Well-known group S-1-5-15 Mandatory group, Enabled by default,
> Enabled group
> NT AUTHORITY\Local account
> Well-known group S-1-5-113 Mandatory group, Enabled by default,
> Enabled group
> LOCAL
> Well-known group S-1-2-0 Mandatory group, Enabled by default,
> Enabled group
> NT AUTHORITY\NTLM Authentication
> Well-known group S-1-5-64-10 Mandatory group, Enabled by default,
> Enabled group
> Mandatory Label\Medium Mandatory Level Label
> S-1-16-8192
> PS E:\temp> whoami
> jcpr-dell-3\peter
> PS E:\temp> whoami /user
> USER INFORMATION
> ----------------
> User Name SID
> ================= =============================================
> jcpr-dell-3\peter S-1-5-21-1468824806-2062748802-729869357-100
> I also attach cygcheck.out
See my earlier message; I strongly suggest the "noacl" mount option for
directories outside the Cygwin root.
No Windows program expects the stupid access restrictions produced by basic POSIX
permissions.
--
With best regards,
Andrey Repin
Sunday, December 22, 2019 15:35:08
Sorry for my terrible English...
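
An added example, not part of the original message or of Cygwin: a small Python parser for the two `icacls` listings quoted above that separates explicit DENY entries from inherited ones. The `looks_posix_mapped` heuristic is an assumption drawn only from those two listings, and all function names are hypothetical.

```python
import re
from typing import NamedTuple
# Listings copied from the quoted message above, used as sample input.
CYGWIN_SAMPLE = r"""newfile NULL SID:(DENY)(Rc,S,WEA,X,DC)
JCPR-DELL-3\peter:(R,W,D,WDAC,WO)
NT AUTHORITY\SYSTEM:(DENY)(S,X)
BUILTIN\Administrators:(DENY)(S,X)
BUILTIN\Users:(DENY)(S,X)
JCPR-DELL-3\None:(R)
NT AUTHORITY\SYSTEM:(RX,W)
BUILTIN\Administrators:(RX,W)
BUILTIN\Users:(RX,W)
Everyone:(R)"""
EXPLORER_SAMPLE = r"""New Text Document.txt BUILTIN\Users:(I)(M)
Everyone:(I)(RX)
JCPR-DELL-3\peter:(I)(F)
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)"""

# "principal:(flag)...(rights)"; the last parenthesised group holds the rights.
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^()]*\))+)$")

class Ace(NamedTuple):
    principal: str
    deny: bool        # entry carries the (DENY) flag
    inherited: bool   # entry carries the (I) flag
    rights: tuple

def parse_icacls(text, filename):
    """Parse the output of `icacls <filename>` into a list of Ace records."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if lines and lines[0].startswith(filename):
        lines[0] = lines[0][len(filename):].strip()  # first ACE shares the name line
    aces = []
    for line in lines:
        m = ACE_RE.match(line)
        if m:  # non-ACE lines such as the "Successfully processed" trailer are skipped
            *flags, rights = re.findall(r"\(([^()]*)\)", m["groups"])
            aces.append(Ace(m["who"], "DENY" in flags, "I" in flags, tuple(rights.split(","))))
    return aces

def deny_principals(aces):
    """Principals that have at least one DENY entry, in ACL order."""
    return [a.principal for a in aces if a.deny]

def looks_posix_mapped(aces):
    """Heuristic (assumption): a NULL SID deny entry is present and nothing is inherited."""
    has_null_deny = any(a.principal == "NULL SID" and a.deny for a in aces)
    return has_null_deny and not any(a.inherited for a in aces)
```
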