Duplicate ACLs? - Can't copy file even with Admin permissions

Corinna Vinschen corinna-cygwin@cygwin.com
Wed Jan 12 09:33:59 GMT 2022 

On Jan 10 14:46, Corinna Vinschen wrote:
> On Jan 10 11:07, Corinna Vinschen wrote:
> > On Jan  7 15:56, cyg...@kosowsky.org wrote:
> > > > Corinna Vinschen wrote:
> > > > On Jan  6 16:11, cyg...@kosowsky.org wrote:
> > > > It is.  I realized belatedly, that 3da9e136.acl is apparently a
> > > > directory, not a file.
> > > 
> > > It's actually a file...
> > 
> > This is weird.  The meaning of the OI and CI markers are "Object
> > inheritance" and "Container inheritance".  These bits only make sense
> > for directories and they control how ACEs are inherited by child objects
> > (files) and child containers (subdirs).
> > [...]
> > I'll have a look into the sources later, but I sure would prefer if
> > I could create such a file locally.
> 
> I tried to create a file with equivalent ACL including the inheritence
> flags on W7, W10 and W11, but to no avail.

Success!  I hacked a Q&D application which opens a file, reads its
security descriptor (SD) and just adds the object and container inherit
flags to all its DACL' ACEs and writes the SD back.  Albeit Windows
tools and some of the security functions under the hood don't allow to
add inherit flags to files, some functions just write the SD verbatim
without checking.

So I was finally able to reproduce your issue:

  $ ./hackup acltest
  $ icacls acltest
  acltest NT AUTHORITY\SYSTEM:(OI)(CI)(F)
          Everyone:(OI)(CI)(RX)
          BUILTIN\Administrators:(OI)(CI)(F)

  Successfully processed 1 files; Failed processing 0 files
  $ getfacl acltest
  # file: acltest
  # owner: Administrators                                                   
  # group: SYSTEM                                                           
  user::rwx                                                                 
  group::rwx                                                                
  other::r-x                                                                
  user::rwx                                                                 
  group::rwx                                                                
  group:SYSTEM:rwx                                                          
  mask::rwx                                                                 
  other::r-x                                                                

The Cygwin DLL reads the DACL and converts it to a POSIX ACL.  An ACE
with inherit flags set is converted to a POSIX access ACE and
additionally to a POSIX default ACE.  The latter is done independently
of the file type.  The calling function (still in Cygwin) doesn't expect
default ACEs for files and treats them as access ACEs.  That's what
you see in the getfacl output above.

I fixed this in Cygwin by ignoring inheritance flags unless the object
is a directory, so the core function in Cygwin only creates default
ACEs for directories.  The result when calling getfacl on such a file
is thus:

  $ getfacl acltest
  # file: acltest
  # owner: Administrators                                                   
  # group: SYSTEM                                                           
  user::rwx                                                                 
  group::rwx                                                                
  other::r-x                                                                

I uploaded a developer snapshot to https://cygwin.com/snapshots
Please give it a try.


Corinna

More information about the Cygwin mailing list