setfacl can kill a drive

setfacl can kill a drive

[Steven Penny]

I upgraded to the new Cygwin today, why is this command producing different
permissions? Moreover how do I get it to produce sane results?

    $ cd /cygdrive/c

    $ touch ~/alpha.txt ~+/alpha.txt

    $ ls -l ~/alpha.txt ~+/alpha.txt
    -rw-rwxr--+ 1 Steven None 0 Apr  8 05:06 /cygdrive/c/alpha.txt
    -rw-r--r--  1 Steven None 0 Apr  8 05:06 /home/Steven/alpha.txt

Also I discovered this

    $ setfacl -b /cygdrive/c

After that you get this

    C:\ is not accessible.
    Access is denied.

Luckily this was in a virtual machine. Otherwise, can this be undone? This is
very dangerous, and I feel it should be protected similarly to
"rm --no-preserve-root"

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: setfacl can kill a drive

[David Macek]

[-- Attachment #1: Type: text/plain, Size: 903 bytes --]

On 8. 4. 2015 12:17, Steven Penny wrote:
> Also I discovered this
> 
>     $ setfacl -b /cygdrive/c
> 
> After that you get this
> 
>     C:\ is not accessible.
>     Access is denied.
> 
> Luckily this was in a virtual machine. Otherwise, can this be undone? This is
> very dangerous, and I feel it should be protected similarly to
> "rm --no-preserve-root"

The root of the C drive should be easy to fix, as most of the directories there don't inherit its permissions. You should be able to use Windows Explorer to fix the permissions, but maybe takeown and icacls will be more precise tools for this task. This is the ACL for my C root:

C:\> icacls .
. NT AUTHORITY\SYSTEM:(OI)(CI)(F)
  BUILTIN\Administrators:(OI)(CI)(F)
  NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
  BUILTIN\Users:(OI)(CI)(RX)
  Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)

-- 
David Macek


[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4234 bytes --]

Re: setfacl can kill a drive

[Steven Penny]

On Wed, Apr 8, 2015 at 5:17 AM, Steven Penny wrote:
> I upgraded to the new Cygwin today, why is this command producing different
> permissions? Moreover how do I get it to produce sane results?

I was able to use these command to produce sane results

    $ cd /cygdrive/c

    $ touch bad.txt

    $ setfacl -k .

    $ touch good.txt

    $ ls -l *.txt
    -rw-rwxr--+ 1 John None 0 Apr  8 02:16 bad.txt
    -rw-r--r--  1 John None 0 Apr  8 02:16 good.txt

I feel that the default permissions are wrong here. On linux when you create a
new file with touch, it does not have executable permissions, for good reason.
This would be a security issue.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: setfacl can kill a drive

[Andrey Repin]

Greetings, Steven Penny!

>> I upgraded to the new Cygwin today, why is this command producing different
>> permissions? Moreover how do I get it to produce sane results?

> I was able to use these command to produce sane results

>     $ cd /cygdrive/c

>     $ touch bad.txt

>     $ setfacl -k .

>     $ touch good.txt

>     $ ls -l *.txt
>     -rw-rwxr--+ 1 John None 0 Apr  8 02:16 bad.txt
>     -rw-r--r--  1 John None 0 Apr  8 02:16 good.txt

> I feel that the default permissions are wrong here. On linux when you create a
> new file with touch, it does not have executable permissions, for good reason.
> This would be a security issue.

Cygwin is not Linux.
And C:\ drive is not a part of Cygwin.
If you really want to destroy your Windows installation, there's easier ways
than meddling with setfacl on the root drive.


-- 
With best regards,
Andrey Repin
Thursday, April 9, 2015 00:45:45

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: setfacl can kill a drive

[Steven Penny]

On Wed, Apr 8, 2015 at 4:46 PM, Andrey Repin wrote:
> Cygwin is not Linux.
> And C:\ drive is not a part of Cygwin.
> If you really want to destroy your Windows installation, there's easier ways
> than meddling with setfacl on the root drive.

Thanks for the reply. However, did you have anything constructive to add?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: setfacl can kill a drive

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 1636 bytes --]

On Apr  8 16:40, Steven Penny wrote:
> On Wed, Apr 8, 2015 at 5:17 AM, Steven Penny wrote:
> > I upgraded to the new Cygwin today, why is this command producing different
> > permissions? Moreover how do I get it to produce sane results?
> 
> I was able to use these command to produce sane results
> 
>     $ cd /cygdrive/c
> 
>     $ touch bad.txt
> 
>     $ setfacl -k .
> 
>     $ touch good.txt
> 
>     $ ls -l *.txt
>     -rw-rwxr--+ 1 John None 0 Apr  8 02:16 bad.txt
>     -rw-r--r--  1 John None 0 Apr  8 02:16 good.txt
> 
> I feel that the default permissions are wrong here. On linux when you
> create a new file with touch, it does not have executable permissions,

It's a result of ACL inheritance and before the changes to Cygwin's
ACL handling, you wouldn't even have seen it.

> for good reason.  This would be a security issue.

No, it's how ACL inheritence works on Windows, combined with the way the
group permissions reflect the ACL mask value per POSIX 1003.1e draft 17.
See, e.g, http://linux.die.net/man/5/acl, "Correspondence Between Acl
Entries And File Permission Bits".  Note that the group permission bits
are reflecting all additional permissions added to the file by Windows
ACL inheritance.  So it's actually a great help identifying security
issues.

The real issue here is, of course, the fact that the mask value is not
umask'ed at file creation time.  This is WIP I'm actually working on
right now.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: setfacl can kill a drive

[Steven Penny]

On Thu, Apr 9, 2015 at 2:43 AM, Corinna Vinschen wrote:
> It's a result of ACL inheritance and before the changes to Cygwin's
> ACL handling, you wouldn't even have seen it.

If someone runs a dangerous command such as

    setfacl --remove-all /cygdrive/c

Or

    setfacl --remove-default /cygdrive/c

Can this damage be undone without reinstalling Windows?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: setfacl can kill a drive

[Bryan Berns]

On Thu, Apr 9, 2015 at 8:20 PM, Steven Penny <svnpenn@gmail.com> wrote:
>
> Can this damage be undone without reinstalling Windows?

Yes, probably.   If you have similar machine and are using mostly
built-in accounts, you can probably use icacls /save AclFile to
"record" the standard drive permissions and them apply it to the
problem drive using icacls /restore.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: setfacl can kill a drive

[Steven Penny]

On Thu, Apr 9, 2015 at 7:57 PM, Bryan Berns wrote:
> you can probably use icacls /save AclFile to "record" the standard drive
> permissions and them apply it to the problem drive using icacls /restore.

I am not sure this is the answer. Even ignoring setfacl, I was unable to restore
acl on the root. Note again this is on a pristine virtual machine, I tried "C:"
first:

    > icacls C: /save C:\acl.txt
    processed file: C:
    Successfully processed 1 files; Failed processing 0 files

    > icacls C: /restore C:\acl.txt
    C:D:(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)
    (A;OICIID;FA;;;S-1-5-21-2140265281-1110791277-259586168-1000):
    The system cannot find the file specified.
    Successfully processed 0 files; Failed processing 1 files

Then "C:\"

    > icacls C:\ /save C:\acl.txt
    processed file: C:\
    Successfully processed 1 files; Failed processing 0 files

    > icacls C:\ /restore C:\acl.txt
    C:\D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)
    (A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)S:
    (ML;OINPIO;NW;;;HI):
    The filename, directory name, or volume label syntax is incorrect.
    Successfully processed 0 files; Failed processing 1 files

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: setfacl can kill a drive

[Steven Penny]

On Thu, Apr 9, 2015 at 10:05 PM, Steven Penny wrote:
> Even ignoring setfacl, I was unable to restore acl on the root.

After reading this page
http://support.microsoft.com/kb/237701

It appears I was able to use icacls on root with this syntax

    $ icacls 'C:\.' /save 'C:\acl.txt'
    processed file: C:\.
    Successfully processed 1 files; Failed processing 0 files

    $ icacls 'C:\.' /restore 'C:\acl.txt'
    processed file: C:\.\.
    Successfully processed 1 files; Failed processing 0 files

However after introducing setfacl it fails

    $ setfacl --remove-all /cygdrive/c

    $ icacls 'C:\.' /restore 'C:\acl.txt'
    C:\.\.: Access is denied.
    Successfully processed 0 files; Failed processing 1 files

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: setfacl can kill a drive

[Steven Penny]

On Thu, Apr 9, 2015 at 10:38 PM, Steven Penny wrote:
>     $ icacls 'C:\.' /restore 'C:\acl.txt'
>     C:\.\.: Access is denied.

I believe the following commands will fix it. After setfacl trashes the
permissions, you need to temporarily take ownership of "C:\", restore the
permissions then set the owner back. Of course this is contingent on either
having backed up the permissions beforehand, or perhaps transferring them from
a clean virtual machine.

    icacls 'C:\.' /save 'C:\acl.txt'
    setfacl --remove-all /cygdrive/c
    takeown /f 'C:\.'
    icacls 'C:\.' /grant users:f
    icacls 'C:\acl.txt' /grant users:f
    icacls 'C:\.' /restore 'C:\acl.txt'
    icacls 'C:\.' /setowner 'NT SERVICE\TrustedInstaller'

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple