From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 22908 invoked by alias); 23 Nov 2015 13:20:13 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 22875 invoked by uid 89); 23 Nov 2015 13:20:13 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=4.0 required=5.0 tests=AWL,BAYES_50,FREEMAIL_FROM,KAM_THEBAT,SPF_SOFTFAIL autolearn=no version=3.3.2 X-HELO: smtp.ht-systems.ru Received: from smtp.ht-systems.ru (HELO smtp.ht-systems.ru) (78.110.50.177) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (AES256-GCM-SHA384 encrypted) ESMTPS; Mon, 23 Nov 2015 13:20:10 +0000 Received: from [95.165.144.62] (helo=darkdragon.lan) by smtp.ht-systems.ru with esmtpa (Exim 4.80.1) (envelope-from ) (Authenticated sender: postmaster@rootdir.org) id 1a0r2I-0007le-6P ; Mon, 23 Nov 2015 16:20:02 +0300 Received: from [192.168.1.10] (HELO daemon2.darkdragon.lan) by daemon2 (Office Mail Server 0.8.12 build 08053101) with SMTP; Mon, 23 Nov 2015 13:17:06 -0000 Date: Mon, 23 Nov 2015 13:20:00 -0000 From: Andrey Repin Reply-To: cygwin@cygwin.com Message-ID: <1683156931.20151123161706@yandex.ru> To: "Matt D." , cygwin@cygwin.com Subject: Re: No support for ACLs on network shares? In-Reply-To: <56530687.3090905@codespunk.com> References: <5652E58A.2030605@codespunk.com> <89802969.20151123140802@yandex.ru> <56530687.3090905@codespunk.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-IsSubscribed: yes X-SW-Source: 2015-11/txt/msg00349.txt.bz2 Greetings, Matt D.! Please don't top-post. Thank you. > On 11/23/2015 3:08 AM, Andrey Repin wrote: >> Greetings, Matt D.! >> >>> I noticed today that when accessing a network share, the permissions for >>> the current user are not resolving. >> >>> For example, I'm connected to a network share //server/share which is a >>> CentOS share with a unix login/password. The share is already logged in >>> by Windows and on the keychain so I don't have to enter the login >>> information. >> >>> In Cygwin, 'cd //server/share' then 'ls -l' I get this: >> >>> drwxrwx--- 1 Unknown+User Unix_Group+1001 0 Nov 23 2015 test >> >> This looks like a share on a Linux(samba) server with no UID mapping active. >> >>> I'm already logged in through windows as the 'Unknown+User' but Cygwin >>> does not recognize that I have access to any of the ACLs for the owner >>> or groups and also does not resolve the SID name. >> >> This is really not Cygwin's fault. Windows does all the resolution here, >> Cygwin only relay that information to you. >> >>> The problem with this is that files created or modified are only done so >>> in the 'Everyone' permission and inherited permissions such as the >>> execute bit are not recognized. >> >>> My use-case is where I've mapped a network path to either a network >>> drive or a symlinked folder (with Windows mklink) with the path on the >>> environment's PATH. In this case, files which are executable are not >>> recognized and do not appear when calling 'which'. >> >>> It seems as though Cygwin only maps ACLs to the SIDs stored in passwd >>> and group and cannot handle ACLs when accessing network devices where >>> SIDs are not present in these files. Running passwd/mkgroup after the >>> share is on the keychain does not provide additional SIDs. >> >>> Is there no support for ACLs across network shares at all? >> >> There is. But in cases such as this, when two hosts are not parts of the same >> domain, you are bound to get weird behavior in the strict security context. >> You may try defer default ACL resolutions to Windows. >> Edit your /etc/fstab, add the 'noacl' flag to a 'cygdrive' mount. > My samba server is configured to use winbind and when inspecting the > file using explorer properties, the SIDs resolve correctly as: > "NAME (HOSTNAME\username)" > where "NAME" is my name on the unix account and "username" is my login. > The problem is that Cygwin isn't aware of this SID since it's the user I > log in as to the remove server and isn't a local SID. > Using noacl is a valid workaround but I would prefer an ACL-supported > solution if possible. You are misunderstanding the meaning of "noacl" flag. It doesn't mean that "ACL's are not supported", it means exactly what I wrote - Cygwin will defer all control to the underlying OS. -- With best regards, Andrey Repin Monday, November 23, 2015 16:15:35 Sorry for my terrible english... -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple