public inbox for cygwin@cygwin.com
 help / color / mirror / Atom feed
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: [TESTERS needed] New POSIX permission handling
Date: Fri, 10 Apr 2015 10:07:00 -0000	[thread overview]
Message-ID: <20150410100703.GA4401@calimero.vinschen.de> (raw)

[-- Attachment #1: Type: text/plain, Size: 2734 bytes --]

Hi folks,


I just applied a patch I'm working on for quite some time now.  As I
outlined before on this list, the POSIX permission handling has aged
considerably and, for historical reasons, did things differently
dependent on the calling function.  I took the time to reimplement the
core functionality to handle all ACLs as strictly following POSIX ACL
rules as possible.

Cygwin now generates ACLs in a certain way, always following the same
construction rules.  The new ACLs are always recognizable as Cygwin
ACLs.  The always start with an Access-Denied ACE for the NULL SID with
certain bits set.  Any ACL not starting this way is handled as a
non-Cygwin or "old style" ACL, but still trying to evaluate the ACL as
strictly following POSIX rules as possible.

Two other noticable changes from before:

- To accommodate Windows default ACLs, the new code ignores SYSTEM and
  Administrators group permissions when computing the MASK/CLASS_OBJ
  permission mask on old ACLs, and it doesn't deny access to SYSTEM and
  Administrators group based on the value of MASK/CLASS_OBJ when
  creating the new ACLs.

  That means, even if SYSTEM or Administrators have full access to the
  file, the POSIX permssion bits will not reflect that fact.  And while
  other users get access denied based on the mask value, SYSTEM and
  Administrators will never get access denied based on the mask.

  This should help in Cygwin<->Windows interoperability.

- The new code now handles the S_ISGID bit on directories as on Linux:
  Setting S_ISGID on a directory causes new files and subdirs created
  within to inherit its group, rather than the primary group of the user
  who created the file.

  But note that this only works for files and directories created by
  Cygwin processes.  The group change is not supported automagically by
  Windows, so the process creating the new file has to change the file
  group silenmtly after creating the file.

Apart from bugfixing the aforementioned code, there's still work to do
on the getfacl and setfacl tools:

- The getfacl tool needs an extension in output to print the effective
  permissions on users and groups restricted by the mask value.

- The setfacl tool needs code to compute the new mask value, just as
  on Linux.

I'm looking into that next week.

Please give the new code a try.  I uploaded new 2015-04-10 developer
snapshots to https://cygwin.com/snapshots/

Probably next week I will also create a test release which can be
installed via setup-x86{_64}.exe.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

             reply	other threads:[~2015-04-10 10:07 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-04-10 10:07 Corinna Vinschen [this message]
2015-04-10 21:13 ` Warren Young
2015-04-11  9:35   ` Corinna Vinschen
2015-04-11  0:00 ` Steven Penny
2015-04-11  9:40   ` Corinna Vinschen
2015-04-11 10:07     ` Corinna Vinschen
2015-04-11 16:26       ` Ernie Rael
2015-04-12  8:22         ` Corinna Vinschen
2015-04-11 10:23     ` Corinna Vinschen
2015-04-11 10:47     ` Steven Penny
2015-04-11 14:30       ` Corinna Vinschen
2015-04-11 16:05       ` Andrey Repin
2015-04-12 17:37         ` Adam Dinwoodie
2015-05-16  2:39   ` Steven Penny
2015-05-17  7:44     ` Duncan Roe
2015-05-19  7:52     ` Jiří Engelthaler
2015-04-11  8:47 ` Achim Gratz
2015-04-11  9:02   ` David Macek
2015-04-11  9:08     ` Achim Gratz
2015-04-11  9:51       ` David Macek
2015-04-11 11:51         ` Achim Gratz
2015-04-11 10:00     ` Corinna Vinschen
2015-04-11 12:36       ` David Macek
2015-04-11 14:31         ` Corinna Vinschen
2015-04-11  9:44   ` Corinna Vinschen
2015-04-11 11:11     ` Bryan Berns
2015-04-11 14:32       ` Corinna Vinschen
2015-04-11 16:05   ` Andrey Repin
2015-04-11 17:11 ` donmez
2015-04-12  8:35   ` Corinna Vinschen
2015-04-12 13:21     ` İsmail Dönmez
2015-04-12 14:25       ` Corinna Vinschen
2015-04-15 15:42         ` Corinna Vinschen
2015-04-16 10:20           ` Ismail Donmez
2015-04-16 11:03             ` Corinna Vinschen
2015-04-16 16:09               ` Ismail Donmez
2015-04-16 16:24                 ` Corinna Vinschen
2015-04-16 16:48                   ` Ismail Donmez
2015-04-17  7:30                     ` Corinna Vinschen
2015-04-17 10:06                       ` Corinna Vinschen
2015-04-17 15:17                         ` Ismail Donmez
2015-04-17 16:22                           ` Corinna Vinschen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150410100703.GA4401@calimero.vinschen.de \
    --to=corinna-cygwin@cygwin.com \
    --cc=cygwin@cygwin.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).