[TESTERS needed] New POSIX permission handling
David Macek
david.macek.0@gmail.com
Sat Apr 11 09:02:00 GMT 2015
On 11. 4. 2015 10:47, Achim Gratz wrote:
> Corinna Vinschen writes:
>> - To accommodate Windows default ACLs, the new code ignores SYSTEM and
>> Administrators group permissions when computing the MASK/CLASS_OBJ
>> permission mask on old ACLs, and it doesn't deny access to SYSTEM and
>> Administrators group based on the value of MASK/CLASS_OBJ when
>> creating the new ACLs.
Out of curiosity, does the code somehow distinguish ACLs that don't have these default permissions (or have different permissions set for SYSTEM / Administrators)?
> Since you've now opened that can of worms of who is considered "root",
> what about "Domain Administrators" or "Power Users", for starters?
>
>> That means, even if SYSTEM or Administrators have full access to the
>> file, the POSIX permission bits will not reflect that fact. And while
>> other users get access denied based on the mask value, SYSTEM and
>> Administrators will never get access denied based on the mask.
>
> If you want to put this to better use in larger settings it would seem
> preferable if it was possible to define a list of users to treat this
> way in fstab. I think this would help with the braindead settings
> NetApp filers are set up these days by default. That generally means
> that some domain group(s) need to be considered root on the share
> depending on which share you are accessing.
Power Users don't have access to (almost) everything, like Administrators do. The Domain Administrators group is a member of Administrators, so unless I'm missing something, there's no reason to have them explicitly in the DACL. I'm not arguing against configurability though.
--
David Macek
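
Added example, not part of the original message and not Cygwin's code: a simplified C model of the rule quoted above, where SYSTEM and Administrators are left out when MASK/CLASS_OBJ is derived from an old ACL and are never restricted by the mask afterwards. The struct, the function names and the sample ACL are constructed for illustration; S-1-5-18 and S-1-5-32-544 are the well-known SIDs of SYSTEM and BUILTIN\Administrators.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption), not Cygwin source. POSIX rwx bits. */
enum { P_R = 4, P_W = 2, P_X = 1 };
#define SID_SYSTEM "S-1-5-18"      /* well-known SID: SYSTEM */
#define SID_ADMINS "S-1-5-32-544"  /* well-known SID: Administrators */

struct ace { const char *sid; int perms; };  /* one group-class allow entry */

static int is_exempt(const char *sid)
{
    return strcmp(sid, SID_SYSTEM) == 0 || strcmp(sid, SID_ADMINS) == 0;
}

/* MASK/CLASS_OBJ for an old ACL that has no mask entry: the union of the
   group-class permissions, skipping SYSTEM and Administrators. */
int compute_mask(const struct ace *acl, int n)
{
    int mask = 0;
    for (int i = 0; i < n; i++)
        if (!is_exempt(acl[i].sid))
            mask |= acl[i].perms;
    return mask;
}

/* Access an entry keeps once a mask is applied; exempt SIDs bypass it. */
int effective_perms(const struct ace *e, int mask)
{
    return is_exempt(e->sid) ? e->perms : (e->perms & mask);
}

/* Constructed sample: Windows default entries plus two made-up accounts. */
static const struct ace sample_acl[] = {
    { SID_SYSTEM, P_R | P_W | P_X },
    { SID_ADMINS, P_R | P_W | P_X },
    { "S-1-5-21-1111-2222-3333-1001", P_R | P_X },  /* hypothetical user */
    { "S-1-5-21-1111-2222-3333-513",  P_R },        /* hypothetical group */
};

int main(void)
{
    int mask = compute_mask(sample_acl, 4);
    printf("derived mask: %d\n", mask);
    for (int i = 0; i < 4; i++)   /* tighten the mask to r-- and compare */
        printf("%-30s perms=%d effective=%d\n", sample_acl[i].sid,
               sample_acl[i].perms, effective_perms(&sample_acl[i], P_R));
    return 0;
}
```

With the sample ACL the derived mask is r-x even though two entries carry rwx, which is the behaviour the quoted text describes as the POSIX bits not reflecting SYSTEM or Administrators access.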