From: Corinna Vinschen
To: cygwin@cygwin.com
Date: Tue, 12 Aug 2014 12:55:00 -0000
Subject: Re: Security Settings for directories created in Cygwin (+ executable bit on files)

On Aug 12 10:51, Kurt Franke wrote:
> Sebastien Vauban writes:
> > [...]
> > Asking Cygwin to stop playing with the Windows ACL, by mounting my
> > personal directories as "noacl"? Well, that means I won't be able to
> > use `chmod' anymore, for setting a script file as "executable", then.
> > And I'll have to use a Windows tool to do so, such as `cacls'.
> ...
>
> Hello,
>
> There is a possibility to get better permission settings on files created
> by a windows program inside a directory created by cygwin.
> You must create special ACE's on this directory like in the following
> example with German names used in one of my scripts:
>
> icacls "$dir" /remove ERSTELLER-BESITZER
> icacls "$dir" /grant 'ERSTELLER-BESITZER:(OI)(IO)(R,W,D,WDAC,WO)'
> icacls "$dir" /grant 'ERSTELLER-BESITZER:(CI)(IO)(F)'

That's "CREATOR OWNER" in English systems.

> icacls "$dir" /remove ERSTELLERGRUPPE
> icacls "$dir" /grant 'ERSTELLERGRUPPE:(OI)(IO)(R,W)'
> icacls "$dir" /grant 'ERSTELLERGRUPPE:(CI)(IO)(RX,W,DC)'
> icacls "$dir" /remove Jeder
> icacls "$dir" /grant 'Jeder:(RX)'
> icacls "$dir" /grant 'Jeder:(OI)(IO)(R)'
> icacls "$dir" /grant 'Jeder:(CI)(IO)(RX)'

"CREATOR GROUP"

> It creates different Default ACE's for files and directories and these will
> be inherited correctly when using non-cygwin-windows programs. For
> directories the execute permission is inherited but for files it is not
> inherited.
> [...]
> To have those DEFAULT ACE's of general use for integration of cygwin and
> windows without always executing a script after creating a new directory in
> cygwin it would be necessary to inherit those non-simple DEFAULT ACE's in
> cygwin directory creation also, not only the simple ones.
> A drawback for this may be the fact that the getfacl/setfacl utilities do not
> understand those ACE's and thus don't show / don't set it.

It complicates handling of default permissions in the acl system calls
a lot. You'd have to handle two CREATOR OWNER ACEs as a single
"default:user" entry. Same for "CREATOR GROUP". I'm not saying this is
impossible to implement, just that it's a good amount of work.
http://cygwin.com/acronyms/#PGA

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
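
The inheritance behaviour discussed in this thread, as an added example that is not part of the original messages or of Cygwin's code: it parses the quoted `/grant` arguments and works out which rights apply to the directory itself, to a new file and to a new subdirectory. The English trustee names, the coarse rights expansion and the function names are assumptions of this sketch, and it models only effective rights, not how Windows rewrites the flags on inherited copies.

```python
import re
from collections import defaultdict

# /grant arguments from the quoted script; German names replaced by their
# English equivalents (Jeder = Everyone). Assumes no other ACEs exist.
GRANTS = [
    "CREATOR OWNER:(OI)(IO)(R,W,D,WDAC,WO)",
    "CREATOR OWNER:(CI)(IO)(F)",
    "CREATOR GROUP:(OI)(IO)(R,W)",
    "CREATOR GROUP:(CI)(IO)(RX,W,DC)",
    "Everyone:(RX)",
    "Everyone:(OI)(IO)(R)",
    "Everyone:(CI)(IO)(RX)",
]
# Coarse expansion of icacls shorthand (simplified; real masks are finer).
EXPAND = {"RX": {"R", "X"}, "F": {"R", "W", "X", "D", "DC", "WDAC", "WO"}}
FLAGS = {"OI", "CI", "IO", "NP", "I"}

def parse(spec):
    """Split 'trustee:(..)(..)' into (trustee, inheritance flags, rights)."""
    trustee, _, rest = spec.partition(":")
    flags, rights = set(), set()
    for group in re.findall(r"\(([^)]*)\)", rest):
        if group in FLAGS:
            flags.add(group)
        else:
            for r in group.split(","):
                rights |= EXPAND.get(r, {r})
    return trustee, flags, rights

def inherited(grants):
    """Rights per trustee on the directory itself, a new file, a new subdir."""
    out = defaultdict(lambda: {"self": set(), "file": set(), "dir": set()})
    for trustee, flags, rights in map(parse, grants):
        if "IO" not in flags:
            out[trustee]["self"] |= rights  # not inherit-only
        if "OI" in flags:
            out[trustee]["file"] |= rights  # object inherit: child files
        if "CI" in flags:
            out[trustee]["dir"] |= rights   # container inherit: child dirs
    return dict(out)

def differing_defaults(grants):
    """Trustees whose file and directory defaults are not the same set."""
    return sorted(t for t, r in inherited(grants).items() if r["file"] != r["dir"])

if __name__ == "__main__":
    for trustee, r in inherited(GRANTS).items():
        print(trustee, {k: sorted(v) for k, v in r.items()})
    print("file/dir defaults differ for:", differing_defaults(GRANTS))
```

Every trustee ends up with different file and directory defaults, which is the case where two inherit-only ACEs would have to be folded into one "default:" entry.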