after update to cygwin 1.7.35(0.287/5/3) all file permissions in cygwin are 070

after update to cygwin 1.7.35(0.287/5/3) all file permissions in cygwin are 070

[schilpfamily]

i have been using cygwin for many years and currently most of my
systems are at 1.7.32(0.274/5/3).
i had to get an update to cygwin/X which forced me to also update
cygwin. with the update, nearly all windows files have the permission
setting of 070 (---rwx---) even when the file is owned by me, and as a
consequence most applications fail to load or cannot load dll's or
other really annoying issues.

is there some "magical" new setting to make cygwin recognize that
files owned by me are at least r/w?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: after update to cygwin 1.7.35(0.287/5/3) all file permissions in cygwin are 070

[Rexdf]

> i have been using cygwin for many years and currently most of my
> systems are at 1.7.32(0.274/5/3).
> i had to get an update to cygwin/X which forced me to also update
> cygwin. with the update, nearly all windows files have the permission
> setting of 070 (---rwx---) even when the file is owned by me, and as a
> consequence most applications fail to load or cannot load dll's or
> other really annoying issues.
>
> is there some "magical" new setting to make cygwin recognize that
> files owned by me are at least r/w?
>

I don't know what is your situation, but i can give some suggestion.

AFAIK, 1.7.34+ seems to use the real Windows ACL ( at least partly).
It means that the 700 file really cannot access by other Windows
accounts.

First of all, try the follwoing code from mintty. Then restart X.
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group

If it is still 0700 and you right click Properties/Security from
windows explorer.exe to make sure your real Windows ACL permission is
true wrong. Then the following command may be helpful.

Start cmd.exe  as Administrators.
cd to folder contain cygwin folder.
Run following:

takeown /F cygwin /R
icacls cygwin /T /grant your_account_name:F

your_account_name can be get from your default cmd.exe(Run as normal
user) or maybe your cygwin mintty.exe  your_account_name@your_PC_NAME
or your C:\Users\ your_account_name.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: after update to cygwin 1.7.35(0.287/5/3) all file permissions in cygwin are 070

[Tim Magee]

Hi,

You may have misread the original question (and its subject): the POSIX 
permissions are 070, not (0)700.  These files are accessible to one or 
more of the groups the owner is a member of, but not to the owner.

+1 for the ICACLS workaround though.  I was bit by this recently when 
setting up openssh, which cares about locking down access to keys.  I 
needed to get rid of those group access bits, but chmod left them 
unchanged.   I used ICACLS to remove ACEs for 'NT AUTHORITY\SYSTEM', 
which (based on experimenting) were affecting the 'group' triplet of the 
POSIX permissions.

Cheers,
Tim


On 20/03/15 13:15, Rexdf wrote:
>> i have been using cygwin for many years and currently most of my
>> systems are at 1.7.32(0.274/5/3).
>> i had to get an update to cygwin/X which forced me to also update
>> cygwin. with the update, nearly all windows files have the permission
>> setting of 070 (---rwx---) even when the file is owned by me, and as a
>> consequence most applications fail to load or cannot load dll's or
>> other really annoying issues.
>>
>> is there some "magical" new setting to make cygwin recognize that
>> files owned by me are at least r/w?
>>
>
> I don't know what is your situation, but i can give some suggestion.
>
> AFAIK, 1.7.34+ seems to use the real Windows ACL ( at least partly).
> It means that the 700 file really cannot access by other Windows
> accounts.
>
> First of all, try the follwoing code from mintty. Then restart X.
> mkpasswd -l > /etc/passwd
> mkgroup -l > /etc/group
>
> If it is still 0700 and you right click Properties/Security from
> windows explorer.exe to make sure your real Windows ACL permission is
> true wrong. Then the following command may be helpful.
>
> Start cmd.exe  as Administrators.
> cd to folder contain cygwin folder.
> Run following:
>
> takeown /F cygwin /R
> icacls cygwin /T /grant your_account_name:F
>
> your_account_name can be get from your default cmd.exe(Run as normal
> user) or maybe your cygwin mintty.exe  your_account_name@your_PC_NAME
> or your C:\Users\ your_account_name.
>
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: after update to cygwin 1.7.35(0.287/5/3) all file permissions in cygwin are 070

[Rexdf]

>
> You may have misread the original question (and its subject): the POSIX
> permissions are 070, not (0)700.  These files are accessible to one or more
> of the groups the owner is a member of, but not to the owner.
>

I know clear about 070 and 700 and 0700. It is typos. That is why I
ask you to run icacls.

> +1 for the ICACLS workaround though.  I was bit by this recently when
> setting up openssh, which cares about locking down access to keys.  I needed
> to get rid of those group access bits, but chmod left them unchanged.   I
> used ICACLS to remove ACEs for 'NT AUTHORITY\SYSTEM', which (based on
> experimenting) were affecting the 'group' triplet of the POSIX permissions.
>

Run mintty.exe as Administrators. You can set permission  by chmod
setfacl https://cygwin.com/cygwin-ug-net/using-utils.html#setfacl too.

If you try to remove some old account(like reinstall a new windows),
you can try SubInACL
http://www.microsoft.com/en-us/download/details.aspx?id=23510 to deal
with SSID (something like
S-1-5-21-56246481-4602087933-3644394174-1001)

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: after update to cygwin 1.7.35(0.287/5/3) all file permissions in cygwin are 070

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 2372 bytes --]

On Mar 20 21:15, Rexdf wrote:
> > i have been using cygwin for many years and currently most of my
> > systems are at 1.7.32(0.274/5/3).
> > i had to get an update to cygwin/X which forced me to also update
> > cygwin. with the update, nearly all windows files have the permission
> > setting of 070 (---rwx---) even when the file is owned by me, and as a
> > consequence most applications fail to load or cannot load dll's or
> > other really annoying issues.
> >
> > is there some "magical" new setting to make cygwin recognize that
> > files owned by me are at least r/w?
> >
> 
> I don't know what is your situation, but i can give some suggestion.
> 
> AFAIK, 1.7.34+ seems to use the real Windows ACL ( at least partly).
> It means that the 700 file really cannot access by other Windows
> accounts.
> 
> First of all, try the follwoing code from mintty. Then restart X.
> mkpasswd -l > /etc/passwd
> mkgroup -l > /etc/group

Why?  The idea of the changes in 1.7.34+ were to allow to get rid of
/etc/passwd and /etc/group.  Remove the files and be done with them,
unless you're in a situation which requires you to make special
settings.

May I suggest to read the User's Guide, especially the new docs
explaining the changes to account handling in
https://cygwin.com/cygwin-ug-net/ntsec.html?

As I wrote multiple times in the last couple of months, if the
documentation is unclear, please ask and let's try to figure out to
improve the documentation.  As I'm the person who hacked this stuff, I
have probably a completely different view on what's important and what
needs explaining.

> If it is still 0700 and you right click Properties/Security from
> windows explorer.exe to make sure your real Windows ACL permission is
> true wrong. Then the following command may be helpful.
> 
> Start cmd.exe  as Administrators.
> cd to folder contain cygwin folder.
> Run following:
> 
> takeown /F cygwin /R
> icacls cygwin /T /grant your_account_name:F

So what about using Cygwin for this?  Start mintty as administrator
and then:

  $ chown <your account>:<your group> filename
  $ chmod 700 filename
  $ setfacl -b filename  # See the User's Guide!


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]