public inbox for cygwin@cygwin.com
* Security Settings for directories created in Cygwin (+ executable bit on files)
@ 2014-08-08  8:45 Sebastien Vauban
  2014-08-08 10:43 ` Corinna Vinschen
  2014-08-12 10:51 ` Kurt Franke
  0 siblings, 2 replies; 5+ messages in thread
From: Sebastien Vauban @ 2014-08-08  8:45 UTC (permalink / raw)
  To: cygwin

Hello,

Currently, whenever I create new files from Windows 8 executables (such
as Notepad), they're often flagged as "executable", even for text files!

I've noticed that such a behavior happens when I create a new file in
a directory that has been made FROM CYGWIN (`mkdir ~/test/', for
example).

Indeed, the permissions of CYGWIN-CREATED DIRECTORIES seem very weird:

- "Inherited from"... "None"!

- "All Users" having "Read & Execute" permission on "this folder,
  subfolders and FILES"...

IIUC, when creating a new file from Cygwin, the `umask' (022, in my
case) is respected and new files are not executables then, except if
I require it explicitly (via `chmod').

Though, when creating a new file from a Windows executable, Windows
inherits permissions from the folder where my file gets created --
hence, an executable permission if the directory was created from
Cygwin...

How to correct that?

Asking Cygwin to stop playing with the Windows ACL, by mounting my
personal directories as "noacl"?  Well, that means I won't be able to
use `chmod' anymore, for setting a script file as "executable", then.
And I'll have to use a Windows tool to do so, such as `cacls'.

Is it really so, the integration of Cygwin permissions within Windows?
Or do I miss something?

Best regards,
  Seb

-- 
Sebastien Vauban


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: Security Settings for directories created in Cygwin (+ executable bit on files)
  2014-08-08  8:45 Security Settings for directories created in Cygwin (+ executable bit on files) Sebastien Vauban
@ 2014-08-08 10:43 ` Corinna Vinschen
  2014-08-08 14:50   ` Andrey Repin
  2014-08-12 10:51 ` Kurt Franke
  1 sibling, 1 reply; 5+ messages in thread
From: Corinna Vinschen @ 2014-08-08 10:43 UTC (permalink / raw)
  To: cygwin


On Aug  8 10:39, Sebastien Vauban wrote:
> Hello,
> 
> Currently, whenever I create new files from Windows 8 executables (such
> as Notepad), they're often flagged as "executable", even for text files!

Perfectly normal.  This is Windows default behaviour for applications
which don't care for permissions.  Like Notepad for instance.

> I've noticed that such a behavior happens when I create a new file in
> a directory that has been made FROM CYGWIN (`mkdir ~/test/', for
> example).
> 
> Indeed, the permissions of CYGWIN-CREATED DIRECTORIES seem very weird:
> 
> - "Inherited from"... "None"!

Perfectly valid.  This has been discussed already years ago.  It's the
Windows(!) default primary group for users on a standalone machine (not
domain member machine).  It's the local group with RID 513, called "None"
on English language systems.

> - "All Users" having "Read & Execute" permission on "this folder,
>   subfolders and FILES"...

Correct.  Compare with Linux.

> IIUC, when creating a new file from Cygwin, the `umask' (022, in my
> case) is respected and new files are not executables then, except if
> I require it explicitly (via `chmod').

Right, because Cygwin follows the POSIX permission model, unless
you use the noacl mount flag.

> Though, when creating a new file from a Windows executable, Windows
> inherits permissions from the folder where my file gets created --
> hence, an executable permission if the directory was created from
> Cygwin...
> 
> How to correct that?

You can't without lots of fiddling.  Windows executables use Windows
permissions and typically inherit the permissions from the parent
folder.  The best way to work around this is by using a Cygwin
executable to generate the files, vim or emacs instead of notepad.

> Asking Cygwin to stop playing with the Windows ACL, by mounting my
> personal directories as "noacl"?  Well, that means I won't be able to
> use `chmod' anymore, for setting a script file as "executable", then.
> And I'll have to use a Windows tool to do so, such as `cacls'.
> 
> Is it really so, the integration of Cygwin permissions within Windows?
> Or do I miss something?

You're just missing that the integration is one-way.  Non-Cygwin Windows
executables give a damn for Cygwin settings.  Sorry :}


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: Security Settings for directories created in Cygwin (+ executable bit on files)
  2014-08-08 10:43 ` Corinna Vinschen
@ 2014-08-08 14:50   ` Andrey Repin
  0 siblings, 0 replies; 5+ messages in thread
From: Andrey Repin @ 2014-08-08 14:50 UTC (permalink / raw)
  To: Corinna Vinschen

Greetings, Corinna Vinschen!

>> I've noticed that such a behavior happens when I create a new file in
>> a directory that has been made FROM CYGWIN (`mkdir ~/test/', for
>> example).
>> 
>> Indeed, the permissions of CYGWIN-CREATED DIRECTORIES seem very weird:
>> 
>> - "Inherited from"... "None"!

> Perfectly valid.  This has been discussed already years ago.  It's the
> Windows(!) default primary group for users on a standalone machine (not
> domain member machine).  It's the local group with RID 513, called "None"
> on English language systems.

He means that directory security settings are not inherited, when files are
created by Cygwin. Which is explained by a POSIX-adherent behavior of Cygwin.

@Sebastien, if you want Windows behavior (i.e. defer ACL management to OS),
change cygdrive mount flags to noacl.

>> Asking Cygwin to stop playing with the Windows ACL, by mounting my
>> personal directories as "noacl"?  Well, that means I won't be able to
>> use `chmod' anymore,

I don't see a reason to use chmod under Windows at all.

>> for setting a script file as "executable", then.

There's no need. Cygwin automatically detects executables from file contents.

>> And I'll have to use a Windows tool to do so, such as `cacls'.
>> 
>> Is it really so, the integration of Cygwin permissions within Windows?
>> Or do I miss something?

> You're just missing that the integration is one-way.  Non-Cygwin Windows
> executables give a damn for Cygwin settings.  Sorry :}

Also this.


--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 08.08.2014, <18:37>

Sorry for my terrible english...



* Re: Security Settings for directories created in Cygwin (+ executable bit on files)
  2014-08-08  8:45 Security Settings for directories created in Cygwin (+ executable bit on files) Sebastien Vauban
  2014-08-08 10:43 ` Corinna Vinschen
@ 2014-08-12 10:51 ` Kurt Franke
  2014-08-12 12:55   ` Corinna Vinschen
  1 sibling, 1 reply; 5+ messages in thread
From: Kurt Franke @ 2014-08-12 10:51 UTC (permalink / raw)
  To: cygwin

Sebastien Vauban <sva-news@...> writes:

> Currently, whenever I create new files from Windows 8 executables (such
> as Notepad), they're often flagged as "executable", even for text files!
> 
> I've noticed that such a behavior happens when I create a new file in
> a directory that has been made FROM CYGWIN (`mkdir ~/test/', for
> example).
> 
> Indeed, the permissions of CYGWIN-CREATED DIRECTORIES seem very weird:
> 
> - "Inherited from"... "None"!
> 
> - "All Users" having "Read & Execute" permission on "this folder,
>   subfolders and FILES"...
> 
> IIUC, when creating a new file from Cygwin, the `umask' (022, in my
> case) is respected and new files are not executables then, except if
> I require it explicitly (via `chmod').
> 
> Though, when creating a new file from a Windows executable, Windows
> inherits permissions from the folder where my file gets created --
> hence, an executable permission if the directory was created from
> Cygwin...
> 
> How to correct that?
> 
> Asking Cygwin to stop playing with the Windows ACL, by mounting my
> personal directories as "noacl"?  Well, that means I won't be able to
> use `chmod' anymore, for setting a script file as "executable", then.
> And I'll have to use a Windows tool to do so, such as `cacls'.
...

Hello,

there is a possibility to get better permission settings on files created
by a windows program inside a directory created by cygwin.
You must create special ACEs on this directory like in the following
example with German names used in one of my scripts:

icacls "$dir" /remove ERSTELLER-BESITZER
icacls "$dir" /grant 'ERSTELLER-BESITZER:(OI)(IO)(R,W,D,WDAC,WO)'
icacls "$dir" /grant 'ERSTELLER-BESITZER:(CI)(IO)(F)'
icacls "$dir" /remove ERSTELLERGRUPPE
icacls "$dir" /grant 'ERSTELLERGRUPPE:(OI)(IO)(R,W)'
icacls "$dir" /grant 'ERSTELLERGRUPPE:(CI)(IO)(RX,W,DC)'
icacls "$dir" /remove Jeder
icacls "$dir" /grant 'Jeder:(RX)'
icacls "$dir" /grant 'Jeder:(OI)(IO)(R)'
icacls "$dir" /grant 'Jeder:(CI)(IO)(RX)'

It creates different Default ACEs for files and directories and these will
be inherited correctly when using non-cygwin-windows programs. For
directories the execute permission is inherited but for files it is not
inherited.

In cygwin-programs the umask is used and executable flags are not requested
for files which are not executables where the compiler will do this.

All works correctly in both windows-only programs and cygwin programs unless
creating a subdirectory by cygwin - this will not inherit those special
default ACE's to apply only to directories or only to files and thus this
behaviour is lost in a subdirectory created via cygwin.

On the other hand, in cygwin directory creation simple default ACEs which
are to be applied on all directories and files are inherited to subdirectories.

Thus personally I use those special ACEs on directories only in the SVN
(windows program) tree created by checkout to avoid execute permissions on
files. When creating a new directory there which is generally done via
cygwin I add the listed ACEs via script.

To have those DEFAULT ACEs of general use for integration of cygwin and
windows without always executing a script after creating a new directory in
cygwin it would be necessary to inherit those non-simple DEFAULT ACEs in
cygwin directory creation also, not only the simple ones.
A drawback for this may be the fact the getfacl/setfacl utilities do not
understand those ACEs and thus don't show / don't set them.


regards

kf
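
Added example, not part of the original thread: a simplified Python model of the Windows ACE inheritance rules, applied to the ACEs the icacls calls in the message above leave on the directory (German names replaced by CREATOR OWNER, CREATOR GROUP and Everyone). The `<owner>`/`<group>` placeholders, the `SIMPLE` contrast ACL and all function names are assumptions made for the illustration. The model covers allow ACEs only and ignores generic-rights mapping and protected ACLs.

```python
from typing import NamedTuple

class Ace(NamedTuple):
    sid: str
    flags: frozenset  # subset of {"OI", "CI", "IO", "NP"}, as icacls prints them
    rights: str       # icacls rights string, e.g. "RX,W,DC"

def ace(sid, flags, rights):
    return Ace(sid, frozenset(flags.split()), rights)

# Generic SIDs are replaced by the creating user/group when an ACE becomes
# effective; "<owner>" and "<group>" are placeholders for those principals.
GENERIC = {"CREATOR OWNER": "<owner>", "CREATOR GROUP": "<group>"}

# ACEs the icacls calls in the message leave on the directory.
SPLIT = [ace("CREATOR OWNER", "OI IO", "R,W,D,WDAC,WO"), ace("CREATOR OWNER", "CI IO", "F"),
         ace("CREATOR GROUP", "OI IO", "R,W"), ace("CREATOR GROUP", "CI IO", "RX,W,DC"),
         ace("Everyone", "", "RX"), ace("Everyone", "OI IO", "R"),
         ace("Everyone", "CI IO", "RX")]
# Constructed contrast: one ACE for "this folder, subfolders and files",
# as described for the Cygwin-created directory in the first message.
SIMPLE = [ace("Everyone", "OI CI", "RX")]

def inherit(parent, is_dir):
    """ACEs a new child gets from `parent` under Windows inheritance rules."""
    child = []
    for a in parent:
        oi, ci, np = ("OI" in a.flags), ("CI" in a.flags), ("NP" in a.flags)
        keep = frozenset() if np else a.flags & {"OI", "CI"}
        mapped = GENERIC.get(a.sid, a.sid)
        if not is_dir:
            if oi:  # files: effective ACE, inheritance flags dropped
                child.append(Ace(mapped, frozenset(), a.rights))
        elif ci and a.sid in GENERIC:
            # effective copy with mapped SID + inherit-only copy kept generic
            child.append(Ace(mapped, frozenset(), a.rights))
            if keep:
                child.append(Ace(a.sid, keep | {"IO"}, a.rights))
        elif ci:
            child.append(Ace(a.sid, keep, a.rights))
        elif oi and not np:  # object-inherit only: passed on as inherit-only
            child.append(Ace(a.sid, frozenset({"OI", "IO"}), a.rights))
    return child

def grants_execute(acl):
    """True if an effective (not inherit-only) ACE includes execute."""
    return any("IO" not in a.flags and {"RX", "X", "F"} & set(a.rights.split(","))
               for a in acl)
```

With `SPLIT`, a new file inherits only the (OI) entries and so carries no execute right, while a new directory gets execute plus the inherit-only entries that pass the same split on to its own children; with `SIMPLE`, every new file inherits RX.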












* Re: Security Settings for directories created in Cygwin (+ executable bit on files)
  2014-08-12 10:51 ` Kurt Franke
@ 2014-08-12 12:55   ` Corinna Vinschen
  0 siblings, 0 replies; 5+ messages in thread
From: Corinna Vinschen @ 2014-08-12 12:55 UTC (permalink / raw)
  To: cygwin


On Aug 12 10:51, Kurt Franke wrote:
> Sebastien Vauban <sva-news@...> writes:
> > [...]
> > Asking Cygwin to stop playing with the Windows ACL, by mounting my
> > personal directories as "noacl"?  Well, that means I won't be able to
> > use `chmod' anymore, for setting a script file as "executable", then.
> > And I'll have to use a Windows tool to do so, such as `cacls'.
> ...
> 
> Hello,
> 
> there is a possibility to get better permission settings on files created
> by a windows program inside a directory created by cygwin.
> You must create special ACEs on this directory like in the following
> example with German names used in one of my scripts:
> 
> icacls "$dir" /remove ERSTELLER-BESITZER
> icacls "$dir" /grant 'ERSTELLER-BESITZER:(OI)(IO)(R,W,D,WDAC,WO)'
> icacls "$dir" /grant 'ERSTELLER-BESITZER:(CI)(IO)(F)'

That's "CREATOR OWNER" in English systems.

> icacls "$dir" /remove ERSTELLERGRUPPE
> icacls "$dir" /grant 'ERSTELLERGRUPPE:(OI)(IO)(R,W)'
> icacls "$dir" /grant 'ERSTELLERGRUPPE:(CI)(IO)(RX,W,DC)'
> icacls "$dir" /remove Jeder
> icacls "$dir" /grant 'Jeder:(RX)'
> icacls "$dir" /grant 'Jeder:(OI)(IO)(R)'
> icacls "$dir" /grant 'Jeder:(CI)(IO)(RX)'

"CREATOR GROUP"

> It creates different Default ACEs for files and directories and these will
> be inherited correctly when using non-cygwin-windows programs. For
> directories the execute permission is inherited but for files it is not
> inherited.
> [...]
> To have those DEFAULT ACEs of general use for integration of cygwin and
> windows without always executing a script after creating a new directory in
> cygwin it would be necessary to inherit those non-simple DEFAULT ACEs in
> cygwin directory creation also, not only the simple ones.
> A drawback for this may be the fact the getfacl/setfacl utilities do not
> understand those ACEs and thus don't show / don't set them.

It complicates handling of default permissions in the acl system
calls a lot.  You'd have to handle two CREATOR OWNER ACEs as a single
"default:user" entry.  Same for "CREATOR GROUP".  I'm not saying this is
impossible to implement, just that it's a good amount of work.

http://cygwin.com/acronyms/#PGA


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
