[TESTERS needed] New POSIX permission handling

Ernie Rael err@raelity.com
Sat Apr 11 16:26:00 GMT 2015 

I'm primarily a lurker, reading this list hoping things soak in a bit. 
So I may be off base on this.

In the table below, describing "NULL DENY access mask", looks like 
there's a typo concerning read/execute. (of course it might just be a 
windows mapping peculiarity that I really didn't want to know about ;-)

-ernie

On 4/11/2015 3:07 AM, Corinna Vinschen wrote:
> On Apr 11 11:40, Corinna Vinschen wrote:
>> On Apr 10 19:00, Steven Penny wrote:
>>> On Fri, Apr 10, 2015 at 5:07 AM, Corinna Vinschen wrote:
>>>> Please give the new code a try.  I uploaded new 2015-04-10 developer
>>>> snapshots to https://cygwin.com/snapshots/
>>> Here is the test I ran:
>>>
>>>      $ cd /cygdrive/c
>>>
>>>      $ touch ~/{alpha,bravo}.sh ~+/{charlie,delta}.sh
>>>
>>>      $ chmod +x ~/bravo.sh ~+/delta.sh
>>>
>>>      $ ls -l --color ~/{alpha,bravo}.sh ~+/{charlie,delta}.sh
>>>      -rw-rw-r--+ 1 John None 0 Apr 10 16:51 /cygdrive/c/charlie.sh
>>>      -rwxrwxr-x+ 1 John None 0 Apr 10 16:51 /cygdrive/c/delta.sh    (green)
>>>      -rw-r--r--  1 John None 0 Apr 10 16:51 /home/John/alpha.sh
>>>      -rwxrwxr-x  1 John None 0 Apr 10 16:51 /home/John/bravo.sh     (green)
>>>
>>> So "charlie.sh" looks strange because it has that extra write permission.
>>> However this is not a big deal for me. My concern was that everything was
>>> showing up executable (green) when running "ls --color". So overall this is an
>>> improvement, thanks.
>> What is '~+'?  Is that some weird bash feature?
>>
>> Did you check the ACL?  The ACL before and after the change should
>> explain what happened.  Check it with getfacl *and* icacls to get
>> an idea what it looks like, and compare the result with the POSIX
>> ACL rules, as outlined on, e.g., http://linux.die.net/man/5/acl.
> On second thought, what you need to know is what the NULL DENY ACE looks
> like when looking at it in icacls.
>
> The following bits in the NULL DENY access mask are used:
>
>    Windows access    <->   POSIX access
>    --------------          ------------
>    FILE_READ_DATA          S_ISVTX
>    FILE_WRITE_DATA         S_ISGID
>    FILE_APPEND_DATA        S_ISUID
>
>    FILE_READ_EA            MASK S_IXOTH  (POSIX execute perms)
>    FILE_WRITE_EA           MASK S_IWOTH  (POSIX write perms)
>    FILE_EXECUTE            MASK S_IROTH  (POSIX read perms)

Are read and execute swapped intentionally in the above?

>
>    FILE_DELETE_CHILD       Set if MASK is valid
>
>    READ_CONTROL            Set to mark this as a "new style" ACL.
>
>    SYNCHRONIZE             Has no meaning, but icacls has a bug in
>                            printing the access mask of DENY ACEs.
>
> Same bits are used in the inheritable NULL DENY, but S_ISVTX and S_ISUID
> should never be set, because they are not supposed to be inherited,
>
>
> HTH,
> Corinna
>


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

More information about the Cygwin mailing list