From: Christian Franke <Christian.Franke@t-online.de>
To: Jon Turney <jon.turney@dronecode.org.uk>,
	"cygwin-apps@cygwin.com" <cygwin-apps@cygwin.com>
Subject: Re: [PATCH setup] Add new option --chown-admin
Date: Wed, 30 Nov 2022 19:49:57 +0100
Message-ID: <7368fec8-7774-5c5b-cd80-bf823038eac9@t-online.de>
In-Reply-To: <d8d3e4a7-288f-247c-c797-0db4f9eef209@dronecode.org.uk>

Jon Turney wrote:
> On 04/10/2022 13:05, Christian Franke wrote:
>> Jon Turney wrote:
>>>
>>> Corinna had some concerns about making the owner a group, rather 
>>> than a user, which I believe historically caused some difficulties 
>>> in Cygwin, so I think I'll need to understand that better before 
>>> making a decision about this change.
>>
>> I see. Do you have any info about these difficulties?
>> Are these still relevant? If yes, let's forget this patch.
>
> After a bit of research, I think the issue was that if you make user 
> owner and group owner map onto the same Windows SID, certain unix 
> access permissions cannot be reversibly mapped onto a Windows ACL.
>
> (e.g. you can't set the mode to 0600, because when you read that back, 
> its mode is 0660. Some programs e.g. ssh check for and require 0600 
> permission on some files)
>

No and yes.

No, a quick test shows that stat() returns what chmod() sets even in 
this case:

# for p in 600 640 660 644 664; do f=perm-$p &&
     touch $f && chown Administrators.Administrators $f &&
     chmod $p $f && ls -l $f
   done
-rw------- 1 Administrators Administrators 0 Nov 30 18:39 perm-600
-rw-r----- 1 Administrators Administrators 0 Nov 30 18:39 perm-640
-rw-rw---- 1 Administrators Administrators 0 Nov 30 18:39 perm-660
-rw-r--r-- 1 Administrators Administrators 0 Nov 30 18:39 perm-644
-rw-rw-r-- 1 Administrators Administrators 0 Nov 30 18:39 perm-664

The above likely works due to some heuristic based on ACE order.

Yes, the effective permissions of 0600 are always the same as 0660 
because the first ACE is already for the group:

# icacls perm-\*
perm-600 BUILTIN\Administrators:(R,W,D,WDAC,WO)
          BUILTIN\Administrators:(Rc,S,RA)
          Everyone:(Rc,S,RA)

perm-640 BUILTIN\Administrators:(R,W,D,WDAC,WO)
          BUILTIN\Administrators:(R)
          Everyone:(Rc,S,RA)

perm-644 BUILTIN\Administrators:(R,W,D,WDAC,WO)
          BUILTIN\Administrators:(R)
          Everyone:(R)

perm-660 BUILTIN\Administrators:(R,W,D,WDAC,WO)
          BUILTIN\Administrators:(R,W)
          Everyone:(Rc,S,RA)

perm-664 BUILTIN\Administrators:(R,W,D,WDAC,WO)
          BUILTIN\Administrators:(R,W)
          Everyone:(R)

(Tests done on German Windows and localized names renamed afterwards).


> This perhaps isn't terribly relevant to files created by setup

It may depend on how access checks are done by ssh etc. (mode bits or 
effective permissions).
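
Added illustration, not part of the original message and not Cygwin or setup code: a simplified model of Windows allow-ACE evaluation applied to three of the ACLs quoted above, showing why the effective data access of an Administrators member is the same for perm-600 and perm-660. The token contents and the reduction to "rw" bits are assumptions of this sketch; deny and inherited ACEs are not modelled because none appear in the output.

```python
# Added illustration: a simplified model of Windows allow-ACE evaluation.
# ICACLS_SAMPLE is copied from the icacls output quoted in the message.
ICACLS_SAMPLE = r"""
perm-600 BUILTIN\Administrators:(R,W,D,WDAC,WO)
          BUILTIN\Administrators:(Rc,S,RA)
          Everyone:(Rc,S,RA)

perm-644 BUILTIN\Administrators:(R,W,D,WDAC,WO)
          BUILTIN\Administrators:(R)
          Everyone:(R)

perm-660 BUILTIN\Administrators:(R,W,D,WDAC,WO)
          BUILTIN\Administrators:(R,W)
          Everyone:(Rc,S,RA)
"""

def parse_icacls(text):
    """Return {filename: [(trustee, {rights}), ...]}, preserving ACE order."""
    acls, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # first ACE line: "name trustee:(rights)"
            name, line = line.split(None, 1)  # assumes file names without spaces
            current = acls.setdefault(name, [])
        trustee, rights = line.strip().rsplit(":(", 1)
        current.append((trustee, set(rights.rstrip(")").split(","))))
    return acls

def effective_rights(acl, token_sids):
    """Union of every allow ACE whose trustee is in the caller's token."""
    granted = set()
    for trustee, rights in acl:
        if trustee in token_sids:
            granted |= rights
    return granted

def data_access(acl, token_sids):
    """Reduce the granted rights to the read/write data bits ("rw", "r-", ...)."""
    granted = effective_rights(acl, token_sids)
    return ("r" if "R" in granted else "-") + ("w" if "W" in granted else "-")

# Assumed tokens: an Administrators member, and a user who only matches Everyone.
ADMIN_TOKEN = {"BUILTIN\\Administrators", "Everyone"}
OTHER_TOKEN = {"Everyone"}

if __name__ == "__main__":
    for name, acl in parse_icacls(ICACLS_SAMPLE).items():
        print(name, "admin:", data_access(acl, ADMIN_TOKEN),
              "other:", data_access(acl, OTHER_TOKEN))
```

In this model the second Administrators ACE never reduces what the first one already granted, so a check based on mode bits and a check based on effective access can disagree for the group.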

