Too Many Permissions Stripped In 1.7.35?

Corinna Vinschen corinna-cygwin@cygwin.com
Fri Feb 27 00:49:00 GMT 2015


On Feb 26 23:29, Corinna Vinschen wrote:
> Having discussed this, I can understand that it may be desirable to
> skip the permissions of the SYSTEM account in these circumstances:
> 
> - Computing the POSIX ACL mask and default mask value and thus in
>   the permission mask as printed by `ls -l'.

Trying to be more exact:

- Right now, the POSIX ACL mask value includes the permissions of the
  SYSTEM account, if it's in the ACL.  The function collecting the ACL
  entries can easily skip adding the permissions of SYSTEM to the mask
  value.  Thus, the mask value only reflects the permissions of all
  other users and groups, and so ls -l will not show rwx group perms
  only because SYSTEM has rwx perms.  Example:

  Today:

    $ getfacl .ssh/authorized_keys
    # file: authorized_keys
    # owner: corinna
    # group: vinschen
    user::rw-
    group::---
    group:SYSTEM:rwx
    mask:rwx		<= !!!!!
    other:---

    [~/.ssh](64)$ ls -l authorized_keys
    -rw-rwx---+ 1 corinna vinschen 1025 Jun 15  2014 authorized_keys
	^^^
	!!!

  With the proposed change:

    # file: authorized_keys
    # owner: corinna
    # group: vinschen
    user::rw-
    group::---
    group:SYSTEM:rwx
    mask:---		<= !!!!!
    other:---

    [~/.ssh](64)$ ls -l authorized_keys
    -rw-------+ 1 corinna vinschen 1025 Jun 15  2014 authorized_keys
        ^^^
	!!!

> - Changing SYSTEM permissions when calling chmod, unless SYSTEM is the
>   file's owning group.

  A chmod can easily skip the SYSTEM ACE when applying the group perms
  to all secondary users and groups in the ACL.  So a SYSTEM rwx stays
  rwx.  Unless, of course, SYSTEM is the owning group of the file.
  Example:

  Today:

    $ chmod 600 .ssh/authorized_keys
    $ getfacl .ssh/authorized_keys
    # file: authorized_keys
    # owner: corinna
    # group: vinschen
    user::rw-
    group::---
    group:SYSTEM:---	<= !!!!!
    mask:---
    other:---

  With the proposed change:

    $ chmod 600 .ssh/authorized_keys
    $ getfacl .ssh/authorized_keys
    # file: authorized_keys
    # owner: corinna
    # group: vinschen
    user::rw-
    group::---
    group:SYSTEM:rwx	<= !!!!!
    mask:---
    other:---

> Changing this in the code is pretty straightforward. but I'm not willing
> to add another mount option for this behaviour.  Either Cygwin ignores
> SYSTEM in the aforementioned circumstances or it doesn't.
> 
> Crucial vote starting... now.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://cygwin.com/pipermail/cygwin/attachments/20150227/227ed81b/attachment.sig>


More information about the Cygwin mailing list