Duplicate ACLs? - Can't copy file even with Admin permissions

Corinna Vinschen corinna-cygwin@cygwin.com
Mon Jan 10 13:46:26 GMT 2022


On Jan 10 11:07, Corinna Vinschen wrote:
> On Jan  7 15:56, cygwin@kosowsky.org wrote:
> > > Corinna Vinschen wrote:
> > > On Jan  6 16:11, cyg...@kosowsky.org wrote:
> > > It is.  I realized belatedly, that 3da9e136.acl is apparently a
> > > directory, not a file.
> > 
> > It's actually a file...
> 
> This is weird.  The meanings of the OI and CI markers are "Object
> inheritance" and "Container inheritance".  These bits only make sense
> for directories and they control how ACEs are inherited by child objects
> (files) and child containers (subdirs).
> 
> Consequentially, if I use `icacls /restore' on a file with the DACL
> saved by you, the OI and CI bits are simply ignored.  After /restore,
> if I call /save again the resulting file looks like this:
> 
>   $ cat aclfile-after-restore.sav
>   acltest
>   D:PAI(A;;FA;;;SY)(A;;0x1200a9;;;WD)(A;;FA;;;BA)

FTR, it's even worse.  Windows ACEs with inheritance flags result in
equivalent POSIX default ACEs.  Per Linux (or better, POSIX 1003.1e
draft 17), it's an error trying to set default ACEs on files.
Therefore, a process trying to set the permissions as in your case
would result in getting errno EACCES.  Cygwin follows suit.

> However, this gave me a clue.  If this is really a file, it's a good
> chance that the inheritance flags are restricted to directories at
> one point in either the Cygwin DLL itself, or the getfacl tool.
> 
> I'll have a look into the sources later, but I sure would prefer if
> I could create such a file locally.

I tried to create a file with equivalent ACL including the inheritance
flags on W7, W10 and W11, but to no avail.  After running icacls
/restore the resulting DACL does not contain inheritance flags on any
of the systems.  Neither do the different Windows GUIs allow setting
inheritance flags on files.

I also ran getfacl under GDB and manipulated getfacl into believing that
a directory with matching ACL is actually a file, but the output generated
by getfacl was not showing the default ACEs at all:

  # file: acltest
  # owner: Administrators
  # group: SYSTEM
  user::rwx
  group::rwx
  other::r-x


¯\_(ツ)_/¯
Corinna
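
Added example, not part of the original message and not Cygwin or icacls code: a Python check that parses the path/SDDL line pairs of an `icacls /save` file and reports ACEs carrying the OI/CI flags discussed above. SAVED_BEFORE is constructed for the example (the original saved DACL is not shown in the message), SAVED_AFTER is the DACL quoted above, and the function names are hypothetical; conditional ACEs with nested parentheses are not handled.

```python
import re

# ACE flags that only make sense on directories (see the message above).
INHERIT_FLAGS = ("OI", "CI")   # object inherit, container inherit

# "D:" + optional DACL flags (e.g. PAI) + one or more parenthesised ACEs.
DACL_RE = re.compile(r"D:([A-Z_]*)((?:\([^)]*\))+)")

def parse_dacl(sddl):
    """Return (dacl_flags, [ace dict, ...]) for the D: part of an SDDL string."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        # type;flags;rights;object_guid;inherit_object_guid;trustee
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append({"type": fields[0],
                     "flags": re.findall("..", fields[1]),  # "OICI" -> OI, CI
                     "rights": fields[2],
                     "trustee": fields[5]})
    return m.group(1), aces

def inherit_flagged(sddl):
    """List (trustee, [flags]) for every ACE that carries OI and/or CI."""
    _, aces = parse_dacl(sddl)
    found = []
    for ace in aces:
        hits = [f for f in ace["flags"] if f in INHERIT_FLAGS]
        if hits:
            found.append((ace["trustee"], hits))
    return found

def check_saved(text):
    """Map each path in `icacls /save` text (path line, SDDL line) to its findings."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return {path: inherit_flagged(sddl)
            for path, sddl in zip(lines[0::2], lines[1::2])}

# Constructed sample: a file DACL that still carries inheritance flags.
SAVED_BEFORE = "acltest\nD:PAI(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;WD)(A;;FA;;;BA)\n"
# DACL quoted in the message, as saved again after `icacls /restore`.
SAVED_AFTER = "acltest\nD:PAI(A;;FA;;;SY)(A;;0x1200a9;;;WD)(A;;FA;;;BA)\n"

if __name__ == "__main__":
    for label, text in (("before", SAVED_BEFORE), ("after", SAVED_AFTER)):
        print(label, check_saved(text))
```

Any non-empty finding for a path that is a regular file marks a DACL that, per the message above, maps to POSIX default ACEs that cannot be set on a file.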

