Security Settings for directories created in Cygwin (+ executable bit on files)

Corinna Vinschen corinna-cygwin@cygwin.com
Tue Aug 12 12:55:00 GMT 2014


On Aug 12 10:51, Kurt Franke wrote:
> Sebastien Vauban <sva-news@...> writes:
> > [...]
> > Asking Cygwin to stop playing with the Windows ACL, by mounting my
> > personal directories as "noacl"?  Well, that means I won't be able to
> > use `chmod' anymore, for setting a script file as "executable", then.
> > And I'll have to use a Windows tool to do so, such as `cacls'.
> ...
> 
> Hello,
> 
> there is a possibility to get better permission settings on files created
> by a Windows program inside a directory created by Cygwin.
> You must create special ACEs on this directory like in the following
> example with German names used in one of my scripts:
> 
> icacls "$dir" /remove ERSTELLER-BESITZER
> icacls "$dir" /grant 'ERSTELLER-BESITZER:(OI)(IO)(R,W,D,WDAC,WO)'
> icacls "$dir" /grant 'ERSTELLER-BESITZER:(CI)(IO)(F)'

That's "CREATOR OWNER" in English systems.

> icacls "$dir" /remove ERSTELLERGRUPPE
> icacls "$dir" /grant 'ERSTELLERGRUPPE:(OI)(IO)(R,W)'
> icacls "$dir" /grant 'ERSTELLERGRUPPE:(CI)(IO)(RX,W,DC)'
> icacls "$dir" /remove Jeder
> icacls "$dir" /grant 'Jeder:(RX)'
> icacls "$dir" /grant 'Jeder:(OI)(IO)(R)'
> icacls "$dir" /grant 'Jeder:(CI)(IO)(RX)'

"CREATOR GROUP"

> It creates different default ACEs for files and directories and these will
> be inherited correctly when using non-Cygwin Windows programs. For
> directories the execute permission is inherited but for files it is not
> inherited.
> [...]
> To have those DEFAULT ACEs of general use for integration of Cygwin and
> Windows without always executing a script after creating a new directory in
> Cygwin it would be necessary to inherit those non-simple DEFAULT ACEs in
> Cygwin directory creation also, not only the simple ones.
> A drawback for this may be the fact that the getfacl/setfacl utilities do not
> understand those ACEs and thus don't show / don't set them.

It complicates handling of default permissions in the acl system
calls a lot.  You'd have to handle two CREATOR OWNER ACEs as a single
"default:user" entry.  Same for "CREATOR GROUP".  I'm not saying this is
impossible to implement, just that it's a good amount of work.

http://cygwin.com/acronyms/#PGA


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
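
The inheritance behaviour described in the quoted script, as an added example that is not part of the original message: a small Python model of how the OI/CI/IO flags decide what a newly created file or subdirectory receives. It assumes the English principal names given in the reply; the function names are hypothetical, and CREATOR OWNER / CREATOR GROUP are kept as placeholders rather than resolved to the creating user and group as Windows does.

```python
import re

# ACEs from the quoted script, with English principal names (per the reply above).
DIR_ACES = [
    "CREATOR OWNER:(OI)(IO)(R,W,D,WDAC,WO)",
    "CREATOR OWNER:(CI)(IO)(F)",
    "CREATOR GROUP:(OI)(IO)(R,W)",
    "CREATOR GROUP:(CI)(IO)(RX,W,DC)",
    "Everyone:(RX)",
    "Everyone:(OI)(IO)(R)",
    "Everyone:(CI)(IO)(RX)",
]
FLAGS = {"OI", "CI", "IO", "NP"}  # icacls inheritance flags

def parse_ace(spec):
    """Split 'name:(OI)(IO)(R,W)' into (name, inheritance flags, rights)."""
    name, rest = spec.split(":", 1)
    groups = re.findall(r"\(([^)]*)\)", rest)
    flags = {g for g in groups if g in FLAGS}
    rights = [r for g in groups if g not in FLAGS for r in g.split(",")]
    return name, flags, rights

def inherited(spec, child_is_dir):
    """Return the ACE a new child receives as (name, flags, rights), or None."""
    name, flags, rights = parse_ace(spec)
    if not child_is_dir:
        # Files take only object-inherit ACEs and carry no inheritance flags.
        return (name, set(), rights) if "OI" in flags else None
    if "CI" in flags:
        # Effective on the subdirectory: IO is dropped, propagation continues.
        return (name, set() if "NP" in flags else flags - {"IO"}, rights)
    if "OI" in flags and "NP" not in flags:
        # Passed down inherit-only so files further below still receive it.
        return (name, flags | {"IO"}, rights)
    return None

def effective_rights(child_is_dir):
    """Map principal -> rights that actually apply to a new child."""
    out = {}
    for spec in DIR_ACES:
        ace = inherited(spec, child_is_dir)
        if ace and "IO" not in ace[1]:  # inherit-only ACEs grant nothing here
            out.setdefault(ace[0], []).extend(ace[2])
    return out

def grants_execute(rights):
    """True if the icacls rights list includes execute (RX, X or F)."""
    return any(r in ("RX", "X", "F") for r in rights)
```

Calling `effective_rights(False)` gives the rights a new file gets and `effective_rights(True)` those of a new subdirectory; `Everyone:(RX)` carries no inheritance flag and reaches neither.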