ACEs and ACLs
J. Terry Corbet
terry.corbet@gmail.com
Sun Mar 17 00:05:59 GMT 2024
I have been using Cygwin for a long, long time. That said, I would have
to admit there is a good deal about the architecture and infrastructure
I have never really investigated which is a huge compliment to those of
you who maintain this wonderful framework. It mostly just works reliably
and I've seldom needed to look beneath the covers.
I am now, however, having major difficulties which are attributable to
two fundamental changes in my environment, so let me first state what
that is. I have my private, in-home network configured to share
multiple workstations and laptops via Ethernet or Wifi using SMB/CIFS
[Windows Features setting] and access control based on the facts that
a.) I have the same account name and b.) same password on all devices
_and_ 3.) I am the administrator of each of them.
For some three decades of different versions of Windows and Cygwin this
has allowed me to operate from any particular workstation with access to
almost every storage device on the network no matter to which specific
processor those devices were attached. Whether the file permissions
covering the ability to create or delete a file, read or write a file,
was coming from a cygwin program or some windows application, even when
there were some fat partitions and some ntfs partitions, it was nearly
seamless.
So what has changed? First, I unfortunately lost a motherboard last
fall and struggling to recover, I had no real choice but to purchase a
newer motherboard with a newer processor and the newer motherboard no
longer supported booting from two Windows 7 instances that had coexisted
with the primary Windows 10 instance on that hardware.. Next, I had to
build another new system in order to begin to migrated to Windows 11.
So, as we speak my shared drives are all on hosts running Windows 10 and
11. And Cygwin -- a 32 bit version, a 64-bit version from about the
beginning of the pandemic, and the most current 64-bit version is
installed -- is installed on some of them.
Now with all that context, for which I apologize, but I think it will be
essential to understanding and remedying my current inability to
seamlessly create, modify and delete files. So, let's move to what
little I know of how I am supposed to manage that integration of a POSIX
and a Windows way of managing permissions. Number 1, I have never
touched etc/fstab -- everything has always had the well-behaved result
from the single-line default setting in that file. Number 2, despite my
attempt to better acquaint myself with these matters, I have now become
accustomed to using the icacls command both to view the state of the
ACEs assigned to any given file and to modify them by the use use of the
/reset command-line argument which always produces the state shown here
as a result of my just creating a folder in which to test:
cygshoot NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
I then create a trivial text file via vim;
vimtest.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
NW10\tcorbet:(R,W,D,WDAC,WO)
NW10\None:(DENY)(S,X)
NT AUTHORITY\Authenticated Users:(DENY)(S,X)
NT AUTHORITY\SYSTEM:(DENY)(S,X)
BUILTIN\Administrators:(DENY)(S,X)
BUILTIN\Users:(DENY)(S,X)
NW10\None:(RX)
NT AUTHORITY\Authenticated Users:(RX,W)
NT AUTHORITY\SYSTEM:(RX,W)
BUILTIN\Administrators:(RX,W)
BUILTIN\Users:(RX)
Everyone:(R)
Then I do the same thing using notepad:
FileExp.txt NT AUTHORITY\Authenticated Users:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
vimtest.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
NW10\tcorbet:(R,W,D,WDAC,WO)
NW10\None:(DENY)(S,X)
NT AUTHORITY\Authenticated Users:(DENY)(S,X)
NT AUTHORITY\SYSTEM:(DENY)(S,X)
BUILTIN\Administrators:(DENY)(S,X)
BUILTIN\Users:(DENY)(S,X)
NW10\None:(RX)
NT AUTHORITY\Authenticated Users:(RX,W)
NT AUTHORITY\SYSTEM:(RX,W)
BUILTIN\Administrators:(RX,W)
BUILTIN\Users:(RX)
Everyone:(R)
Moving now to a remote workstation, this is what icacls reports:
FileExp.txt NT AUTHORITY\Authenticated Users:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
vimtest.txt NULL SID:(DENY)(Rc,WEA,X,DC)
S-1-5-21-3338163194-2450085813-3368937723-1001:(R,W,D,WDAC,WO)
S-1-5-21-3338163194-2450085813-3368937723-513:(DENY)(X)
NT AUTHORITY\Authenticated Users:(DENY)(X)
NT AUTHORITY\SYSTEM:(DENY)(X)
BUILTIN\Administrators:(DENY)(X)
BUILTIN\Users:(DENY)(X)
S-1-5-21-3338163194-2450085813-3368937723-513:(RX)
NT AUTHORITY\Authenticated Users:(RX,W)
NT AUTHORITY\SYSTEM:(RX,W)
BUILTIN\Administrators:(RX,W)
BUILTIN\Users:(RX)
And here is the status that icacls reports back on the original, owning
workstation
after having use vim to modify the two files from that remote workstation.
FileExp.txt NULL SID:(DENY)(Rc,S,REA,WEA,X,DC)
NW10\tcorbet:(DENY)(S,RD,WD,AD,REA,WEA,X,DC)
NW10\tcorbet:(D,Rc,WDAC,WO,RA,WA)
NW10\None:(Rc,S,RA)
NT AUTHORITY\Authenticated Users:(RX,W)
NT AUTHORITY\SYSTEM:(RX,W)
BUILTIN\Administrators:(RX,W)
BUILTIN\Users:(RX)
Everyone:(Rc,S,RA)
vimtest.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
NW10\tcorbet:(R,W,D,WDAC,WO)
NW10\None:(DENY)(S,X)
NT AUTHORITY\Authenticated Users:(DENY)(S,X)
NT AUTHORITY\SYSTEM:(DENY)(S,X)
BUILTIN\Administrators:(DENY)(S,X)
BUILTIN\Users:(DENY)(S,X)
NW10\None:(RX)
NT AUTHORITY\Authenticated Users:(RX,W)
NT AUTHORITY\SYSTEM:(RX,W)
BUILTIN\Administrators:(RX,W)
BUILTIN\Users:(RX)
Everyone:(R)
If my understanding is correct concerning the precedence handling of an
ACL with multiple ACEs for the same user/ID, this result from grep
on the original, owning workstation would not surprise you:
F:\Dev\cygshoot>grep foo fileexp.txt
grep: fileexp.txt: Permission denied
but it blows me completely away. Clearly I no longer have an environment
in which I can work on any file from any workstation using any Cygwin
utilities.
What have I messed up?
More information about the Cygwin
mailing list