On Apr 14 15:35, Achim Gratz wrote:
> Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > Yes, perfectly normal and that already occured with older ACLs
> > created by Cygwin:
> > 
> > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-files
> > 
> > Don't reorder them.
> 
> Ah, OK.  I must have been lucky not to encounter them so far.

The order is only supposed to become non-canonical if user(s)
have less permissions than group(s), and if group(s) have more
permissions than the MASK value and less permisssions than "other".
In these cases, DENY ACEs have to be generated to create an ACE which
fully supports POSIX permissions.

However, the DENY ACEs for groups must not precede the ALLOW ACEs for
USERs due to the way permissions are handled by the OS.  "Canonical"
ACLs just don't allow to fully express POSIX permissions.  It's a pity
that this arbitrary rule has been expressed, especially given that the
OS doesn't really care.  It handles the ACEs simply in order of
occurance.  There's also no good reason that the GUI wants to reorder,
except that Microsoft didn't implement a GUI which allows manual
ordering of ACEs.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat