From: Corinna Vinschen
To: cygwin@cygwin.com
Subject: Re: Shares with strange ACL settings
Date: Mon, 17 Aug 2015 08:20:00 -0000
Message-ID: <20150817082013.GH25127@calimero.vinschen.de>

On Aug 14 20:25, Achim Gratz wrote:
> Corinna Vinschen writes:
> > Cool, thanks for your quick feedback.
>
> Thanks for the snapshot!
>
> > We should just be aware that this is ultimately a kludge.  I think I now
> > finally understand what would have to be done to get a generic solution
> > which results in correct POSIX permission evaluation for any current
> > user and any file ACL.  However, from some preliminary testing it seems
> > the generic solution has at least two downsides:
> >
> > - It's slow (AuthZ code, setting up and breaking down user/group contexts
> >   for each checked file...)
> >
> > - It would always contact the AD when trying to fetch info for AD users,
> >   which is bad for remote machines not or slowly connected to the AD server.
>
> I think we've come to the same conclusion (modulo the question of
> whether AuthZ would be usable for this) some time ago.  My personal take
> on this is that the "kludge" is likely better than both what we had
> before and the result of the pre-snapshot ACL evaluation.

FYI, I revamped my AuthZ tests over the weekend and it's not *that*
slow, especially if the application caches and reuses AuthZ user
contexts fetched previously.  I have POC code in my local sandbox, and
I'm planning to apply this to Cygwin after the 2.2.1 release.

I have some hopes that the AuthZ code was the puzzle piece missing in
the unified POSIX ACL handling code we tested and then had to drop again
earlier this year.  Stay tuned for another round of these unified POSIX
ACL handling tests later this year.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat