ACEs and ACLs

Corinna Vinschen corinna-cygwin@cygwin.com
Mon Mar 18 10:41:44 GMT 2024


On Mar 16 18:05, J. Terry Corbet via Cygwin wrote:
> [...]
> And here is the status that icacls reports back on the original, owning
> workstation
> after having use vim to modify the two files from that remote workstation.
> 
> FileExp.txt NULL SID:(DENY)(Rc,S,REA,WEA,X,DC)
>             NW10\tcorbet:(DENY)(S,RD,WD,AD,REA,WEA,X,DC)
>             NW10\tcorbet:(D,Rc,WDAC,WO,RA,WA)
>             NW10\None:(Rc,S,RA)
>             NT AUTHORITY\Authenticated Users:(RX,W)
>             NT AUTHORITY\SYSTEM:(RX,W)
>             BUILTIN\Administrators:(RX,W)
>             BUILTIN\Users:(RX)
>             Everyone:(Rc,S,RA)
> 
> vimtest.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
>             NW10\tcorbet:(R,W,D,WDAC,WO)
>             NW10\None:(DENY)(S,X)
>             NT AUTHORITY\Authenticated Users:(DENY)(S,X)
>             NT AUTHORITY\SYSTEM:(DENY)(S,X)
>             BUILTIN\Administrators:(DENY)(S,X)
>             BUILTIN\Users:(DENY)(S,X)
>             NW10\None:(RX)
>             NT AUTHORITY\Authenticated Users:(RX,W)
>             NT AUTHORITY\SYSTEM:(RX,W)
>             BUILTIN\Administrators:(RX,W)
>             BUILTIN\Users:(RX)
>             Everyone:(R)
> 
> If my understanding is correct concerning the precedence handling of an
> ACL with multiple ACEs for the same user/ID, this result from grep
> on the original, owning workstation would not surprise you:
> 
> F:\Dev\cygshoot>grep foo fileexp.txt
> grep: fileexp.txt: Permission denied
> 
> but it blows me completely away.  Clearly I no longer have an environment
> in which I can work on any file from any workstation using any Cygwin
> utilities.
> 
> What have I messed up?

The problem is that your identity is based on the SID of every single
machine, and the machines don't know the SIDs of other machines.  The
default ACL created in Cygwin is emulating POSIX permissions.  This
becomes a problem when sharing files between machines not in the
same Windows domain.

The workaround is not to use POSIX permissions on shares.  Create
matching mount points in /etc/fstab or /etc/fstab.d/ and add the
"noacl" mount flag:

  https://cygwin.com/cygwin-ug-net/using.html#mount-table

Alternatively, you can also just add an fstab entry for the cygdrive
prefix which adds the "noacl" flag, see

  https://cygwin.com/cygwin-ug-net/using.html#cygdrive

but keep in mind that this also affects local paths if you access
them via the cygdrive prefix.


HTH,
Corinna


More information about the Cygwin mailing list