On Apr 23 20:44, Achim Gratz wrote:
> Corinna Vinschen writes:
> > You may be right here.  The problem is that we have two kinds of ACLs
> > to handle, the ones created by Windows means, and the ones created
> > by recent or older Cygwin versions.  It's rather bad that we can't
> > distinguish them.
>
> I thought that this was the point of the NULL SID ACL entries?

I was referring to the old-style ACLs created by Cygwin.  There are some
subtle differences.  I have to think about that some more if that
difference is really relevant.  It's a dangerous job since Windows ACLs
can cause knots in the brain.

> > But then, how do you check an arbitrary ACL for the effective rights
> > it creates for all affected parties?  I may be missing some API function,
> > but I don't see a Windows function generating some kind of effective
> > ACL.  There's only the function AccessCheck() which gets a token and an
> > ACL as input and then tells you the effective rights of the user with
> > this token.  This gets very slow and complicated, very quickly.
>
> Right.

For the record: AuthZ *might* be the answer.  I never used it and I need
some serious reading up on it.

> > I hate to admit defeat, but it also seems that the method I used to
> > handle real vs. effective rights just doesn't work as desired.  In
> > theory we don't want the DENY ACEs having any effect before visiting the
> > ALLOW ACEs.
> […]
>
> I don't think the ACL rules on Windows are made for that due to the
> early-out aspect of their semantics.

Yes, that's why the ordering is relevant.  If the denies follow the
allows, they are almost (but not entirely) irrelevant.  Thus they can be
used to store information.

> > This needs yet another rewrite, but this will take a lot longer than
> > this first cut.  I guess we should create a new Cygwin release without
> > this new ACL handling change for now to get the bugfixes out.
>
> Yes, getting the fixes out and shelving the ACL part for some
> re-thinking seems like a good idea.

Yup.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
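The ordering effect discussed above, as an added example that is not code from this thread or from Cygwin: a small C model of the ordered, early-out ACE evaluation that Windows AccessCheck() performs, with constructed rights bits and SIDs standing in for the real values. It shows why a DENY ACE placed after an ALLOW ACE only bites for rights the ALLOW did not already settle.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed access-mask bits and SIDs; they stand in for real Win32 values. */
#define RIGHT_READ  0x1u
#define RIGHT_WRITE 0x2u
#define RIGHT_EXEC  0x4u
enum { SID_USER = 1, SID_GROUP = 2 };

typedef enum { ACE_ALLOW, ACE_DENY } ace_type;
typedef struct { ace_type type; int sid; uint32_t mask; } ace_t;

static bool token_has_sid(const int *token, size_t ntok, int sid) {
    for (size_t i = 0; i < ntok; i++)
        if (token[i] == sid) return true;
    return false;
}

/* Ordered, first-match ACL evaluation as Windows performs it: only ACEs whose
 * SID is in the token count; an ALLOW ACE removes its bits from the set still
 * needed; a DENY ACE that hits any still-needed bit ends the check with a
 * denial; the loop stops early once nothing remains to be granted. */
bool access_check(const ace_t *acl, size_t nace, const int *token, size_t ntok,
                  uint32_t desired) {
    uint32_t remaining = desired;
    for (size_t i = 0; i < nace && remaining != 0; i++) {
        if (!token_has_sid(token, ntok, acl[i].sid)) continue;
        if (acl[i].type == ACE_DENY) {
            if (acl[i].mask & remaining) return false;
        } else {
            remaining &= ~acl[i].mask;   /* bits granted earlier are settled */
        }
    }
    return remaining == 0;
}

/* The same two ACEs in canonical (deny-first) and in allow-first order. */
static const ace_t deny_first[]  = { {ACE_DENY, SID_GROUP, RIGHT_WRITE | RIGHT_EXEC},
                                     {ACE_ALLOW, SID_USER, RIGHT_READ | RIGHT_WRITE} };
static const ace_t allow_first[] = { {ACE_ALLOW, SID_USER, RIGHT_READ | RIGHT_WRITE},
                                     {ACE_DENY, SID_GROUP, RIGHT_WRITE | RIGHT_EXEC} };
static const int token[] = { SID_USER, SID_GROUP };

int main(void) {
    bool a = access_check(deny_first, 2, token, 2, RIGHT_WRITE);  /* denied: deny seen first */
    bool b = access_check(allow_first, 2, token, 2, RIGHT_WRITE); /* allowed: settled before deny */
    bool c = access_check(allow_first, 2, token, 2, RIGHT_EXEC);  /* denied: never granted */
    printf("deny-first W=%d  allow-first W=%d  allow-first X=%d\n", a, b, c);
    return 0;
}
```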