Incongruence between cygwin and samba ACL handling

Abramo Bagnara
Thu Aug 14 10:55:00 GMT 2008

Symptoms (qw is a file is inside a samba share mounted with acl/smbntsec):

$ chmod 600 qw
$ stat qw
  File: `qw'
  Size: 225             Blocks: 1024       IO Block: 65536  regular file
Device: 32e0244h/53346884d      Inode: 8800419127317  Links: 1
Access: (0644/-rw-r--r--)  Uid: (12000/  abramo)   Gid: (12001/g_abramo)
Access: 2008-08-13 23:02:47.000000000 +0200
Modify: 2008-08-13 22:08:12.000000000 +0200
Change: 2008-08-13 22:08:12.000000000 +0200

As you see the permission given is 644 instead of 600.

Verifying the sources of samba 3.0.28a and cygwin cvs, I've tracked down
the problem to the following two incongruent behaviours:

1) cygwin add unconditionally FILE_READ_ATTRIBUTES and FILE_READ_EA to
each security descriptor (see alloc_sd in

2) samba maps the presence of any beetwen FILE_READ_DATA, FILE_READ_EA,
FILE_READ_ATTRIBUTES to Unix read permission (see map_nt_perms in

I think that the bug is in cygwin as I'm unable to see the reason to add
the right to read attributes when it's asked to deny read permission,
but perhaps I'm missing something.

As this situation leads to give unwanted permissions, I guess this
should considered a major bug in cygwin (or samba).

I'm willing to produce a proper patch (or to submit a bug report to
samba developers), once heard your opinions.

More information about the Cygwin-developers mailing list