public inbox for cygwin@cygwin.com
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
Date: Mon, 13 Apr 2015 07:17:00 -0000
Message-ID: <20150413071750.GU7343@calimero.vinschen.de>
In-Reply-To: <CADi7v6JaZ2RzZz8ndJHZE+YZYdTS7Xowe5Az85d7Qu1=YX8Scw@mail.gmail.com>

On Apr 12 17:19, Bryan Berns wrote:
> On Sun, Apr 12, 2015 at 3:17 PM, Corinna Vinschen
> <corinna-cygwin@cygwin.com> wrote:
> > Hi Cygwin friends and users,
> >
> >
> > New 2.0.0-0.3 test release.  It's supposed to fix the pty chmod problem
> > reported in https://cygwin.com/ml/cygwin/2015-04/msg00240.html
> >
> 
> Just a note: In 2.0.0-0.2, creating a file using touch on the root of
> one of my drives resulted in the Windows GUI Security tabs
> complaining about ACE order on the resultant file.  In 2.0.0-0.3,
> Windows does not complain and the ACL looks quite a bit different
> (shown below).  Not sure if this is a problem or not --- just wanted
> to report the difference in case your fix had an unintended side
> effect.  Given my heart skips a beat when I see DENY ACEs, I like the
> new behavior better.

Deny ACEs, if used correctly, are ok.  Cygwin needs them to implement
the POSIX ACL MASK value.  Consider:

  mask:      rw-
  user foo:  r-x
             ---
  effective: r--

Cygwin needs to know that user foo has real permission r-x, so
the ALLOW ACE contains (RX).  But the mask value forbids write
perms, so the user gets a DENY ACE, along these lines:

  MASK:      rwx
  foo DENY:  --x
  foo ALLOW: r-x

So the effective permissions for user foo are r--, while Cygwin
still knows that the actual permissions are r-x.

> V:\>icacls v:
> v: BUILTIN\Administrators:(OI)(CI)(F)
>    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
>    NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
>    BUILTIN\Users:(OI)(CI)(RX)
> 
> Output from file created from 2.0.0-0.3:
> 
> V:\>icacls touch-from-3
> touch-from-3 DOMAIN\Administrator:(R,W,D,WDAC,WO)
>              DOMAIN\Domain Users:(R)
>              Everyone:(R)
>              BUILTIN\Administrators:(F)
>              NT AUTHORITY\SYSTEM:(F)
>              NT AUTHORITY\Authenticated Users:(M)
>              BUILTIN\Users:(RX)

I don't believe this is an ACL created by Cygwin 2.0.0 at all.
It's missing the NULL deny ACE.

> Successfully processed 1 files; Failed processing 0 files
> 
> Output from file created from 2.0.0-0.2:
> 
> V:\>icacls touch-from-2
> touch-from-2 NULL SID:(DENY)(Rc,S,WEA,X,DC)
>              DOMAIN\Administrator:(R,W,D,WDAC,WO)
>              DOMAIN\Domain Users:(DENY)(S,X)
>              NT AUTHORITY\Authenticated Users:(DENY)(S,X)
>              BUILTIN\Users:(DENY)(S,X)
>              DOMAIN\Domain Users:(RX)
>              NT AUTHORITY\Authenticated Users:(RX,W)
>              NT AUTHORITY\SYSTEM:(RX,W)
>              BUILTIN\Administrators:(RX,W)
>              BUILTIN\Users:(RX)
>              Everyone:(R)

The ACL looks vaguely ok, but I'd need to know the owner, group,
and what Cygwin thinks the ACLs look like in POSIX speak (getfacl
output).

I'm AFK most of today, though, so a reply may take a while...


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
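
Added example, not part of the original message and not Cygwin's own code: it derives the ALLOW/DENY pair from a POSIX permission and mask as described above, and checks the two quoted icacls listings for the NULL SID deny ACE and for the deny-before-allow ordering Windows treats as canonical. The function names and the r=4, w=2, x=1 bit encoding are assumptions of this example; the listings are the ones quoted in the message with the filename column removed.

```python
import re

# The two icacls listings quoted in the message, filename column removed.
TOUCH_FROM_2 = r"""NULL SID:(DENY)(Rc,S,WEA,X,DC)
DOMAIN\Administrator:(R,W,D,WDAC,WO)
DOMAIN\Domain Users:(DENY)(S,X)
NT AUTHORITY\Authenticated Users:(DENY)(S,X)
BUILTIN\Users:(DENY)(S,X)
DOMAIN\Domain Users:(RX)
NT AUTHORITY\Authenticated Users:(RX,W)
NT AUTHORITY\SYSTEM:(RX,W)
BUILTIN\Administrators:(RX,W)
BUILTIN\Users:(RX)
Everyone:(R)"""
TOUCH_FROM_3 = r"""DOMAIN\Administrator:(R,W,D,WDAC,WO)
DOMAIN\Domain Users:(R)
Everyone:(R)
BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\Authenticated Users:(M)
BUILTIN\Users:(RX)"""
ACE_RE = re.compile(r"^\s*([^:]+):((?:\([^)]*\))+)\s*$")

def parse_icacls(listing):
    """Return [(trustee, is_deny, rights)] in ACL order; non-ACE lines are skipped."""
    aces = []
    for m in filter(None, map(ACE_RE.match, listing.splitlines())):
        groups = re.findall(r"\(([^)]*)\)", m.group(2))
        aces.append((m.group(1), "DENY" in groups, groups[-1].split(",")))
    return aces

def has_null_deny_ace(aces):
    return any(t == "NULL SID" and deny for t, deny, _ in aces)

def deny_before_allow(aces):
    """True when no DENY ACE follows an ALLOW ACE (Windows canonical order)."""
    kinds = [deny for _, deny, _ in aces]
    return kinds == sorted(kinds, reverse=True)

def mask_to_aces(perms, mask):
    """rwx bitmasks (r=4, w=2, x=1) -> (allow, deny, effective) as in the message."""
    deny = perms & ~mask & 7
    return perms, deny, perms & ~deny
```

For the message's case, `mask_to_aces(0b101, 0b110)` gives allow r-x, deny --x and effective r--.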
