From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <anrdaemon@yandex.ru>
Received: from forward106o.mail.yandex.net (forward106o.mail.yandex.net
 [IPv6:2a02:6b8:0:1a2d::609])
 by sourceware.org (Postfix) with ESMTPS id 1F9303851C26
 for <cygwin@cygwin.com>; Sun, 25 Oct 2020 09:20:04 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 1F9303851C26
Received: from mxback7j.mail.yandex.net (mxback7j.mail.yandex.net
 [IPv6:2a02:6b8:0:1619::110])
 by forward106o.mail.yandex.net (Yandex) with ESMTP id 34EAE5061210;
 Sun, 25 Oct 2020 12:20:02 +0300 (MSK)
Received: from iva1-bc1861525829.qloud-c.yandex.net
 (iva1-bc1861525829.qloud-c.yandex.net [2a02:6b8:c0c:a0e:0:640:bc18:6152])
 by mxback7j.mail.yandex.net (mxback/Yandex) with ESMTP id woC4ZRYRND-K2jScIGL; 
 Sun, 25 Oct 2020 12:20:02 +0300
Received: by iva1-bc1861525829.qloud-c.yandex.net (smtp/Yandex) with ESMTPSA
 id xUywWECsJk-K1mu0HeG; Sun, 25 Oct 2020 12:20:01 +0300
 (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))
 (Client certificate not present)
Received: from [192.168.1.10] (HELO daemon2.darkdragon.lan)
 by daemon2 (Office Mail Server 0.8.12 build 08053101) with SMTP;
 Sun, 25 Oct 2020 09:19:40 -0000
Date: Sun, 25 Oct 2020 12:19:40 +0300
From: Andrey Repin <anrdaemon@yandex.ru>
X-Mailer: The Bat! (v6.8.8) Home
Reply-To: cygwin@cygwin.com
X-Priority: 3 (Normal)
Message-ID: <1689204445.20201025121940@yandex.ru>
To: Jim McNamara <nefariousscheme@gmail.com>, cygwin@cygwin.com
Subject: Re: Fwd: Objects in ACL cygwin win 10
In-Reply-To: <CAEMWCRtTYxhdFdPh9aQqrPU+o-4OoBzc_E6=gVOtYKK-OhkaRQ@mail.gmail.com>
References: <CAEMWCRsuDarNBBTOeB29fibz=Jt6zAg-brv_aejEQc7rOSeS2Q@mail.gmail.com> 
 <3f0e071c-66c7-b6e8-f907-40a333872d07@SystematicSw.ab.ca>
 <CAEMWCRv-MeG88TbivmVFjFL10VpiQqWt7nq5zJ5KfQGho_puyg@mail.gmail.com>
 <9c03f3ea-8989-5f93-41c4-4d832eaef94c@cs.umass.edu>
 <CAEMWCRvrVGvfX_3yP7XF6SmNtFXd9UwQVahq1bRL1tazBbCibg@mail.gmail.com>
 <CAEMWCRvNZkheRisrzx9v_fS3dphE0TzjMvFULYfWxD-RVGBwfw@mail.gmail.com>
 <83773bf8-4ec6-d2ed-b2ba-37e64cc7dcc0@SystematicSw.ab.ca>
 <CAEMWCRtTYxhdFdPh9aQqrPU+o-4OoBzc_E6=gVOtYKK-OhkaRQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-0.4 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, KAM_NUMSUBJECT,
 KAM_THEBAT, NICE_REPLY_A, SPF_HELO_NONE, SPF_PASS,
 TXREP autolearn=no autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-BeenThere: cygwin@cygwin.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
 <mailto:cygwin-request@cygwin.com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-request@cygwin.com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request@cygwin.com?subject=subscribe>
X-List-Received-Date: Sun, 25 Oct 2020 09:20:06 -0000

Greetings, Jim McNamara!

Please no top-posting in this list.


>> On 2020-10-23 21:49, Jim McNamara via Cygwin wrote:
>> > On Fri, Oct 23, 2020, 10:06 PM Eliot Moss wrote:
>>
>> >> I have to admit I am not 100% sure what you are asking, but I am careful
>> >> to grant SYSTEM access so
>> >> that my backup program can access and save a copy of virtually
>> everything
>>
>> > Thanks for you and Brian helping me.
>> > I used icacls cygwin /q /c /t reset
>>
>> You have to be very careful using icacls and other Windows commands with
>> Cygwin
>> ACLs as
>>
>> "ICACLS preserves the canonical ordering of ACE entries:
>>         Explicit denials
>>         Explicit grants
>>         Inherited denials
>>         Inherited grants"
>>
>> and Cygwin's POSIX ACLs may or may not obey this canonical order; Windows
>> File
>> Explorer often does not consider Cygwin ACLs in what it considers canonical
>> order and requires them to be reordered, which breaks the Cygwin
>> permissions.
>>
>> Ah, that "NT AUTHORITY/SYSTEM" SID, normally paired with
>> BUILTIN/Administrators,
>> as users, groups, or both:
>>
>> $ ls -dl /proc/cygdrive/c/Users/; echo; getfacl /proc/cygdrive/c/Users/;
>> echo;
>> icacls C:/Users/
>> drwxr-xr-x+ 1 SYSTEM SYSTEM 0 Apr 13  2020 /proc/cygdrive/c/Users/
>>
>> # file: /proc/cygdrive/c/Users/
>> # owner: SYSTEM
>> # group: SYSTEM
>> user::rwx
>> group::r-x
>> group:Administrators:rwx        #effective:r-x
>> group:Users:r-x
>> mask::r-x
>> other::r-x
>> default:user::rwx
>> default:group::---
>> default:group:Administrators:rwx        #effective:r-x
>> default:group:Users:r-x
>> default:mask::r-x
>> default:other::r-x
>>
>> C:/Users/ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
>>           BUILTIN\Administrators:(OI)(CI)(F)
>>           BUILTIN\Users:(RX)
>>           BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
>>           Everyone:(RX)
>>           Everyone:(OI)(CI)(IO)(GR,GE)
>>
>> Successfully processed 1 files; Failed processing 0 files
>>

> Yes, I see now what you are saying. Didn't know why it behaves like that.
> Do you reccomend:

> A. Noacl option  in fstab
> B. Reinstall and leave icacls in windows alone so I can deploy in future
> with runtime

C. Reinstall Cygwin into a new directory (or backup the current one and
reinstall). Use noacl option for directories outside Cygwin tree (i.e.
/cygdrive).


-- 
With best regards,
Andrey Repin
Sunday, October 25, 2020 12:07:33

Sorry for my terrible english...