Too Many Permissions Stripped In 1.7.35?

Andrey Repin anrdaemon@yandex.ru
Fri Feb 27 05:52:00 GMT 2015


Greetings, Corinna Vinschen!

>> Having discussed this, I can understand that it may be desirable to
>> skip the permissions of the SYSTEM account in these circumstances:
>> 
>> - Computing the POSIX ACL mask and default mask value and thus in
>>   the permission mask as printed by `ls -l'.

SYSTEM is Windows equivalent of 'root' account. While in Linux root have
implicit rights, this is not true for Windows. You have to, either, explicitly
grant access rights for SYSTEM, or, again, explicitly grant SeBackup/Restore
privilege to relevant user.
Said that, SYSTEM account should be treated as implicit and ignored, unless
directly mentioned as file owner, as you suggested.

> Trying to be more exact:

> - Right now, the POSIX ACL mask value includes the permissions of the
>   SYSTEM account, if it's in the ACL.  The function collecting the ACL
>   entries can easily skip adding the permissions of SYSTEM to the mask
>   value.  Thus, the mask value only reflects the permissions of all
>   other users and groups, and so ls -l will not show rwx group perms
>   only because SYSTEM has rwx perms.  Example:

>   Today:

>     $ getfacl .ssh/authorized_keys
>     # file: authorized_keys
>     # owner: corinna
>     # group: vinschen
>     user::rw-
>     group::---
>     group:SYSTEM:rwx
>     mask:rwx            <= !!!!!
>     other:---

>     [~/.ssh](64)$ ls -l authorized_keys
>     -rw-rwx---+ 1 corinna vinschen 1025 Jun 15  2014 authorized_keys
>         ^^^
>         !!!

>   With the proposed change:

>     # file: authorized_keys
>     # owner: corinna
>     # group: vinschen
>     user::rw-
>     group::---
>     group:SYSTEM:rwx
>     mask:---            <= !!!!!
>     other:---

>     [~/.ssh](64)$ ls -l authorized_keys
>     -rw-------+ 1 corinna vinschen 1025 Jun 15  2014 authorized_keys
>         ^^^
>         !!!

>> - Changing SYSTEM permissions when calling chmod, unless SYSTEM is the
>>   file's owning group.

>   A chmod can easily skip the SYSTEM ACE when applying the group perms
>   to all secondary users and groups in the ACL.  So a SYSTEM rwx stays
>   rwx.  Unless, of course, SYSTEM is the owning group of the file.
>   Example:

>   Today:

>     $ chmod 600 .ssh/authorized_keys
>     $ getfacl .ssh/authorized_keys
>     # file: authorized_keys
>     # owner: corinna
>     # group: vinschen
>     user::rw-
>     group::---
>     group:SYSTEM:---    <= !!!!!
>     mask:---
>     other:---

>   With the proposed change:

>     $ chmod 600 .ssh/authorized_keys
>     $ getfacl .ssh/authorized_keys
>     # file: authorized_keys
>     # owner: corinna
>     # group: vinschen
>     user::rw-
>     group::---
>     group:SYSTEM:rwx    <= !!!!!
>     mask:---
>     other:---

>> Changing this in the code is pretty straightforward. but I'm not willing
>> to add another mount option for this behaviour.  Either Cygwin ignores
>> SYSTEM in the aforementioned circumstances or it doesn't.
>> 
>> Crucial vote starting... now.


--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 27.02.2015, <04:38>

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple



More information about the Cygwin mailing list