Too Many Permissions Stripped In 1.7.35?

Corinna Vinschen corinna-cygwin@cygwin.com
Fri Feb 27 13:37:00 GMT 2015


On Feb 26 21:27, random user wrote:
> Regarding Corinna's proposal to treat SYSTEM's ACE distinct from others
> in forming the apparent group permission "mask":
> 
> Might it be sensible to do somewhat similar for the case where a file's
> owner is the same as its primary group (i.e., same SID)?  It has seemed
> the chmod behavior for this case has long been what's proposed (at least
> for the typical case of a chmod leaving the user with wider privileges
> than the group), but the group permission bits have appeared set to ls
> and other tools.  It would seem to help re ~/.ssh and other cases that
> are checked by programs wanting there to not be any group permissions.

Good point.  Right now the group permissions are == owner permissions in
the case the owner and group are the same.  Maybe it would be better to
remove all group permission bits if owner SID == group SID instead. 

Either way it's a bit puzzling for the user because a chmod on group
permissions has no effect, but the 0 group permissions would help
security-conscious applications along.  And it would be neither exactly
a lie, nor more insecure.

Hmm...

> (Less sure I think this is really a good idea, but it'd seem consistent
> with treating SYSTEM this way given the standard default ACLs on
> /c/Users/<user>):  Should Administrators be treated the same as SYSTEM?

Nooooooo!!!1!!11!

This is exactly what I was concerned about when I formulated my
yesterday's suggestion to special-case SYSTEM.  There's no end to all
the special casing if we start with it.  Administrators is a group
is a group is a group.  Just like any other group.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
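
The owner SID == group SID case discussed in the message above, as an added example that is not part of the original mail and is not Cygwin's code. It assumes a simplified ACL model (one allow-ACE per SID), constructed sample SIDs, hypothetical function names, and a strict check that rejects any group or other bits.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample SIDs, not taken from the thread. */
#define USER_SID  "S-1-5-21-1-2-3-1001"
#define GROUP_SID "S-1-5-21-1-2-3-513"

/* Simplified model (assumption): one allow-ACE per SID holding rwx bits 0..7.
   Real ACLs also have deny ACEs, inheritance and finer-grained access masks. */
struct ace { const char *sid; unsigned rwx; };
struct file_sec {
    const char *owner_sid, *group_sid;
    const struct ace *aces;
    size_t n_aces;
    unsigned other_rwx;              /* rights granted to everyone else */
};

static unsigned rights_for(const struct file_sec *f, const char *sid) {
    unsigned r = 0;
    for (size_t i = 0; i < f->n_aces; i++)
        if (strcmp(f->aces[i].sid, sid) == 0)
            r |= f->aces[i].rwx;
    return r;
}

/* zero_same_group == 0: group bits mirror owner bits when the SIDs match.
   zero_same_group == 1: the proposal, report no group bits in that case. */
unsigned apparent_mode(const struct file_sec *f, int zero_same_group) {
    unsigned u = rights_for(f, f->owner_sid);
    unsigned g = rights_for(f, f->group_sid);
    if (strcmp(f->owner_sid, f->group_sid) == 0)
        g = zero_same_group ? 0 : u;
    return (u << 6) | (g << 3) | f->other_rwx;
}

/* Strict check, modelled as "no group or other bits at all" (assumption). */
int private_enough(unsigned mode) { return (mode & 077) == 0; }
/* Constructed files: owner == group, and owner with a distinct group ACE. */
static const struct ace same_aces[] = { { USER_SID, 6 } };
static const struct ace diff_aces[] = { { USER_SID, 6 }, { GROUP_SID, 4 } };
const struct file_sec key_same = { USER_SID, USER_SID,  same_aces, 1, 0 };
const struct file_sec key_diff = { USER_SID, GROUP_SID, diff_aces, 2, 0 };

int main(void)
{
    printf("same SID, current : %04o\n", apparent_mode(&key_same, 0));
    printf("same SID, proposed: %04o\n", apparent_mode(&key_same, 1));
    printf("distinct group    : %04o\n", apparent_mode(&key_diff, 1));
    return 0;
}
```

A file whose group is a genuinely different SID with its own ACE still reports its group bits under both behaviours, so the proposed rule hides nothing that grants access to another principal.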