public inbox for cygwin@cygwin.com
* getfacl/setfacl problem
@ 2000-12-19 17:52 Andrew Dalgleish
  2000-12-20  4:51 ` Corinna Vinschen
  0 siblings, 1 reply; 2+ messages in thread
From: Andrew Dalgleish @ 2000-12-19 17:52 UTC (permalink / raw)
  To: cygwin

I have some permissions screwed up.

I created a directory using the local admin account, and it inherited
permissions from the local "Users" group.
I then installed cygwin using a domain account.
I created a valid /etc/passwd and /etc/group

I used 
chgrp -R "Domain Users" /
to reset the group and chmod to reset the permissions.
Everything looks ok:

andrewd@A5-2K:/ $ls -al / | grep var
drwxr-xr-x   6 cygwin   Domain U        0 Dec 18 14:08 var

The problem is that for some reason the local "Users" group still has
access, as getfacl shows:

andrewd@A5-2K:/ $getfacl /var
# file: /var
# owner: 1228
# group: 513
user::rwx
group::r-x
group:545:rwx
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:545:rwx
default:mask::r-x
default:other::r-x

For some reason I can't get setfacl to remove the "group:545:" entries,
all I get is
"setfacl: illegal acl entries"
even the following doesn't work
touch foo
touch bar
getfacl foo | setfacl -f - bar

(As a workaround,
chgrp "Users" $FILE && chgrp "Domain Users" $FILE
seems to work.)

I'm about to recompile everything so I can step through it.

Regards,
Andrew Dalgleish


--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple


* Re: getfacl/setfacl problem
  2000-12-19 17:52 getfacl/setfacl problem Andrew Dalgleish
@ 2000-12-20  4:51 ` Corinna Vinschen
  0 siblings, 0 replies; 2+ messages in thread
From: Corinna Vinschen @ 2000-12-20  4:51 UTC (permalink / raw)
  To: cygwin

This is W2K, isn't it? It's very likely that you got a problem with that
damned inheritance of permissions from directories to child objects.

I have just checked in a patch to Cygwin to always set SE_DACL_PROTECTED
in the security descriptor of an object on every change to the security
descriptor. This is only for Win2K. You should never get this problem on
earlier NTs.

However, it might be that I will get hit for that change by other users
but I'm willing to live with that.

The change is already in the Cygwin CVS repository and will be part
of the next developers snapshot.

Hope that helps,
Corinna


On Wednesday 20 December 2000 02:52, Andrew Dalgleish wrote:
> I have some permissions screwed up.
>
> I created a directory using the local admin account, and it inherited
> permissions from the local "Users" group.
> I then installed cygwin using a domain account.
> I created a valid /etc/passwd and /etc/group
>
> I used
> chgrp -R "Domain Users" /
> to reset the group and chmod to reset the permissions.
> Everything looks ok:
>
> andrewd@A5-2K:/ $ls -al / | grep var
> drwxr-xr-x   6 cygwin   Domain U        0 Dec 18 14:08 var
>
> The problem is that for some reason the local "Users" group still has
> access, as getfacl shows:
>
> andrewd@A5-2K:/ $getfacl /var
> # file: /var
> # owner: 1228
> # group: 513
> user::rwx
> group::r-x
> group:545:rwx
> mask::r-x
> other::r-x
> default:user::rwx
> default:group::r-x
> default:group:545:rwx
> default:mask::r-x
> default:other::r-x
>
> For some reason I can't get setfacl to remove the "group:545:"
> entries, all I get is
> "setfacl: illegal acl entries"
> even the following doesn't work
> touch foo
> touch bar
> getfacl foo | setfacl -f - bar
>
> (As a workaround,
> chgrp "Users" $FILE && chgrp "Domain Users" $FILE
> seems to work.)
>
> I'm about to recompile everything so I can step through it.
>
> Regards,
> Andrew Dalgleish

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
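
The mismatch described in the first message (ls showing only the owning group while getfacl also lists group:545) can be checked mechanically. The following is an added example, not part of either message or of Cygwin: a shell function that lists the named user/group entries in getfacl output, split into access and default entries. The sample input reproduces the getfacl output quoted above; the /etc/group lines and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example: list ACL entries that `ls -l` does not show.

# Constructed sample: the getfacl output quoted in the thread.
sample_acl() {
cat <<'EOF'
# file: /var
# owner: 1228
# group: 513
user::rwx
group::r-x
group:545:rwx
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:545:rwx
default:mask::r-x
default:other::r-x
EOF
}

# Constructed /etc/group lines (name:passwd:gid:members); an assumption.
sample_group() {
printf '%s\n' 'Users::545:' 'Domain Users::513:'
}

# audit_acl GROUPFILE < getfacl-output
# Prints "file scope type:id (name) perms" for every named entry.
# "default" entries matter most: new children of the directory inherit them.
audit_acl() {
    awk -F: -v gf="$1" '
        BEGIN { while ((getline l < gf) > 0) { split(l, g, ":"); gname[g[3]] = g[1] } }
        /^# file: / { file = substr($0, 9); next }
        /^#/ || NF == 0 { next }
        {
            scope = "access"; o = 0
            if ($1 == "default") { scope = "default"; o = 1 }
            type = $(o + 1); id = $(o + 2); perms = $(o + 3)
            # Entries with an empty id are the owner/owning-group/mask/other slots.
            if ((type == "user" || type == "group") && id != "") {
                name = (type == "group" && (id in gname)) ? gname[id] : "?"
                printf "%s %s %s:%s (%s) %s\n", file, scope, type, id, name, perms
            }
        }'
}

# Demo on the constructed sample; on a real system: getfacl /var | audit_acl /etc/group
g=$(mktemp); sample_group > "$g"; sample_acl | audit_acl "$g"; rm -f "$g"
```
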

