group permissions

Achim Gratz Stromeko@NexGo.DE
Tue Feb 10 11:49:00 GMT 2015

Corinna Vinschen <corinna-cygwin <at>> writes:
> Here's the problem:  Windows doesn't support an ACL_MASK entry, nor
> anything even remotely resembling it.

Right.  And pretending that it does is doing more harm than good, IMHO.

> o The other way to emulate writing an ACL_MASK entry would be to drop
>   permissions from all groups and secondary users so they match the
>   desired mask value.  This is secure, but in contrast to the other
>   solution it would change the secondary permissions permanently.
>   Changing the mask back would not change the permissions of the
>   secondary ACL entries back.

Please note that that the typical user in a corporate environment has no
rights to do this on network shares and even if (s)he did, it would quite
often break things for other users and is certain to draw the ire of the
share administrators just as if you'd do the same thing via WIndows' own
tools.  So please do not do this by default, there are just too many scripts
that blindly use some chmod somewhere.

> o Cygwin could emulate the mask by adding an Access-denied ACE for the
>   authenticated user SID (S-1-5-11) right after the primary group entry.
>   The permission in this ACE are the x'or value of the permissions
>   given in the mask.  Such an ACL would basically look like this:

Same issue as above, except it would be more easily reversible.

If anybody feels really strongly about these issues, they can always mount
"noacl".  We'll just have to live with how Windows implements ACL otherwise.


Problem reports:
Unsubscribe info:

More information about the Cygwin mailing list