Shares with strange ACL settings
Corinna Vinschen
corinna-cygwin@cygwin.com
Thu Aug 13 17:53:00 GMT 2015
On Aug 13 18:33, Corinna Vinschen wrote:
> On Aug 12 20:59, Achim Gratz wrote:
> > Corinna Vinschen writes:
> > >> I think so, but there are likely some corner cases. But I think that
> > >> had been proposed and shot down already, so I was trying to come up with
> > >> something less intrusive.
> > >
> > > This is relatively unintrusive. The current user token is always
> > > available. So if owner == current user, for every group in the file's
> > > ACL just check if it's in the current user token and, if so, add the
> > > perms of that group to the owner perms.
> > >
> > > Sounds pretty neat as an intermediate solution to me.
> >
> > I'd play the guinea pig for that snapshot… :-)
>
> This puzzles me a bit. As example you gave something like
>
> ----rwx---+ gratz Domain Users [...] foo
>
> Given the code in recent Cygwin versions, this shouldn't happen if the
> user gratz is member of the Domain Users group. The current code
> doesn't test all groups in the ACL, only the primary group, but that's
> sufficient in most cases.
>
> So this could only happen if you modify the permissions of windows files
> using Cygwin tools and Cygwin helpfully generates a DENY ACE for the
> owner.
>
> I'm just not exactly sure about the way to go to get these permissions
> in a non-artificial scenario. But I can reproduce it like this:
>
> - The file xxx has a primary group different from the group which has
> permissions, e.g.:
>
> owner: foo
> pgroup: foo_group
>
> acl: 1 entry
> bar_group: full control
>
> - ls -l xxx
> ----rwx---+ 1 foo foo_group 68565 Aug 10 10:37 xxx
>
> - $ chmod g-w xxx
>
> - Afterwards, the POSIX-like ACL looks like this:
> $ icacls xxx
> xxx foo:(DENY)(S,RD,REA,X)
> foo:(D,Rc,WDAC,WO,RA,WA)
> foo_group:(RX)
> Everyone:(Rc,S,RA)
> bar_group:(RX)
Oh, I get it. This is *because* the current Cygwin doesn't check
membership of all groups in the ACL.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
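
The owner-permission computation discussed in this thread, as an added example that is not part of the original message and is not Cygwin source code: a simplified model comparing the primary-group-only check with the proposed check of every ACL group against the user token. The struct, the function names, the rwx bit encoding and the assumption that foo is a member of bar_group are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (not Cygwin source): an allow entry maps a group
   name to POSIX-style rwx bits (r=4, w=2, x=1). */
struct ace { const char *group; unsigned perms; };

/* Returns 1 if `group` is among the groups in the user's token. */
static int in_token(const char *const *token, size_t n, const char *group)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(token[i], group) == 0)
            return 1;
    return 0;
}

/* Behaviour described as current: only the file's primary group is
   checked against the token and folded into the owner bits. */
unsigned owner_perms_primary_only(unsigned owner_ace, const struct ace *acl,
                                  size_t n_acl, const char *pgroup,
                                  const char *const *token, size_t n_tok)
{
    unsigned perms = owner_ace;
    for (size_t i = 0; i < n_acl; i++)
        if (strcmp(acl[i].group, pgroup) == 0 && in_token(token, n_tok, pgroup))
            perms |= acl[i].perms;
    return perms & 7;
}

/* Proposal: every ACL group that is also in the token contributes. */
unsigned owner_perms_all_groups(unsigned owner_ace, const struct ace *acl,
                                size_t n_acl,
                                const char *const *token, size_t n_tok)
{
    unsigned perms = owner_ace;
    for (size_t i = 0; i < n_acl; i++)
        if (in_token(token, n_tok, acl[i].group))
            perms |= acl[i].perms;
    return perms & 7;
}

/* Constructed sample: file xxx from the message (owner foo, pgroup foo_group,
   ACL bar_group: full control). Assumed: foo's token holds both groups. */
static const struct ace xxx_acl[] = { { "bar_group", 7 } };
static const char *const foo_token[] = { "foo_group", "bar_group" };

int main(void)
{
    printf("primary only: %o\n", owner_perms_primary_only(0, xxx_acl, 1, "foo_group", foo_token, 2));
    printf("all groups:   %o\n", owner_perms_all_groups(0, xxx_acl, 1, foo_token, 2));
}
```

With the primary-group-only check the owner bits stay empty, matching the `----rwx---+` listing; with the all-groups check the owner inherits rwx from bar_group.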