Subject: Re: [PATCH setup] Add new option --chown-admin
To: Jon Turney, "cygwin-apps@cygwin.com"
From: Christian Franke
Date: Wed, 30 Nov 2022 19:49:57 +0100

Jon Turney wrote:
> On 04/10/2022 13:05, Christian Franke wrote:
>> Jon Turney wrote:
>>>
>>> Corinna had some concerns about making the owner a group, rather
>>> than a user, which I believe historically caused some difficulties
>>> in Cygwin, so I think I'll need to understand that better before
>>> making a decision about this change.
>>
>> I see. Do you have any info about these difficulties?
>> Are these still relevant? If yes, let's forget this patch.
>
> After a bit of research, I think the issue was that if you make user
> owner and group owner map onto the same Windows SID, certain unix
> access permissions cannot be reversibly mapped onto a Windows ACL.
>
> (e.g. you can't set the mode to 0600, because when you read that back,
> its mode is 0660. Some programs e.g. ssh check for and require 0600
> permission on some files)
>

No and yes.

No, a quick test shows that stat() returns what chmod() sets even in
this case:

# for p in 600 640 660 644 664; do f=perm-$p &&
    touch $f && chown Administrators.Administrators $f &&
    chmod $p $f && ls -l $f
  done
-rw------- 1 Administrators Administrators 0 Nov 30 18:39 perm-600
-rw-r----- 1 Administrators Administrators 0 Nov 30 18:39 perm-640
-rw-rw---- 1 Administrators Administrators 0 Nov 30 18:39 perm-660
-rw-r--r-- 1 Administrators Administrators 0 Nov 30 18:39 perm-644
-rw-rw-r-- 1 Administrators Administrators 0 Nov 30 18:39 perm-664

The above likely works due to some heuristic based on ACE order.

Yes, the effective permissions of 0600 are always the same as 0660
because the first ACE is already for the group:

# icacls perm-\*
perm-600 BUILTIN\Administrators:(R,W,D,WDAC,WO)
         BUILTIN\Administrators:(Rc,S,RA)
         Everyone:(Rc,S,RA)

perm-640 BUILTIN\Administrators:(R,W,D,WDAC,WO)
         BUILTIN\Administrators:(R)
         Everyone:(Rc,S,RA)

perm-644 BUILTIN\Administrators:(R,W,D,WDAC,WO)
         BUILTIN\Administrators:(R)
         Everyone:(R)

perm-660 BUILTIN\Administrators:(R,W,D,WDAC,WO)
         BUILTIN\Administrators:(R,W)
         Everyone:(Rc,S,RA)

perm-664 BUILTIN\Administrators:(R,W,D,WDAC,WO)
         BUILTIN\Administrators:(R,W)
         Everyone:(R)

(Tests done on German Windows and localized names renamed afterwards).

> This perhaps isn't terribly relevant to files created by setup

It may depend on how access checks are done by ssh etc. (mode bits or
effective permissions).
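
The gap between mode bits and effective permissions discussed in the message above, as an added example that is not part of the original email or of Cygwin's code. It is a simplified model: it assumes an allow-only DACL in owner, group, Everyone order (the shape of the icacls listing), tracks only read and write data rights, and uses a constructed user SID (ALICE) for comparison.

```python
EVERYONE = "S-1-1-0"            # well-known SID: Everyone
ADMINS = "S-1-5-32-544"         # well-known SID: BUILTIN\Administrators
ALICE = "S-1-5-21-0-0-0-1001"   # constructed user SID, for this example only

def bits_to_rights(bits):
    """Map one rwx triplet to the data rights modelled here (r and w only)."""
    return frozenset(name for flag, name in ((4, "r"), (2, "w")) if bits & flag)

def dacl_for_mode(mode, owner_sid, group_sid):
    """Allow-only ACEs in owner, group, Everyone order (assumed model)."""
    return [
        (owner_sid, bits_to_rights((mode >> 6) & 7)),
        (group_sid, bits_to_rights((mode >> 3) & 7)),
        (EVERYONE, bits_to_rights(mode & 7)),
    ]

def effective(dacl, token_sids):
    """With no deny ACEs, access is the union of every ACE matching the token."""
    granted = set()
    for sid, rights in dacl:
        if sid in token_sids:
            granted |= rights
    return frozenset(granted)

def group_member_access(mode, owner_sid, group_sid):
    """Rights of an account that is in the group but is not the owner user."""
    token = {group_sid, EVERYONE}
    return effective(dacl_for_mode(mode, owner_sid, group_sid), token)

def mode_understates_access(mode, owner_sid, group_sid):
    """True when a group member gets more than the group/other bits show."""
    shown = bits_to_rights((mode >> 3) & 7) | bits_to_rights(mode & 7)
    return group_member_access(mode, owner_sid, group_sid) > shown

if __name__ == "__main__":
    for mode in (0o600, 0o640, 0o660, 0o644, 0o664):
        for owner in (ALICE, ADMINS):
            got = "".join(sorted(group_member_access(mode, owner, ADMINS))) or "-"
            flag = mode_understates_access(mode, owner, ADMINS)
            print(f"{mode:04o} owner={owner:<20} member gets {got:<2} "
                  f"understated={flag}")
```

A check that trusts only the mode bits accepts the 0600 file in both cases; only the comparison against the ACL shows that the group-owned file is writable by every member of the group.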