public inbox for cygwin@cygwin.com
* setfacl to remove a permission implicit adds another
@ 2015-12-18 15:29 Thomas Wolff
  2015-12-18 15:50 ` Corinna Vinschen
  2015-12-18 16:14 ` Thomas Wolff
  0 siblings, 2 replies; 7+ messages in thread
From: Thomas Wolff @ 2015-12-18 15:29 UTC (permalink / raw)
  To: cygwin

For my Desktop folder (as logged below), SYSTEM had group write permission,
other groups did not have write permissions (by mask).
After removing SYSTEM write permission with setfacl,
it was effectively removed for SYSTEM but the other groups got
write permission ADDED instead (as also properly indicated by ls) −
which is kind of the opposite of the intended operation.
Only after removing group write permission with chmod,
a suitable mask was reestablished, effectively restoring the previous setting.
Why did this specific setfacl operation affect the mask at all?

I know there will be some trade-off in POSIX/Windows interworking ACL handling,
and the current mechanism has undergone a long phase of considerations
and changes, so if this trade-off is better than others, so be it.
Just wondering.

Kind regards,
Thomas

NB: The purpose of this setting is to prevent stubborn IT management 
procedures from cluttering my desktop with their useless icons:/

user[en_US.UTF-8]:/cygdrive/c/Users/Public: getfacl Desktop
# file: Desktop/
# owner: user
# group: Administrators
user::rwx
group::---
group:BATCH:rwx                         #effective:r-x
group:INTERACTIVE:rwx                   #effective:r-x
group:SERVICE:rwx                       #effective:r-x
group:SYSTEM:rwx
group:Administrators:---
mask:r-x
other:---
default:user::rwx
default:group::---
default:group:BATCH:rwx
default:group:INTERACTIVE:rwx
default:group:SERVICE:rwx
default:group:SYSTEM:rwx
default:mask:rwx
default:other:---

user[en_US.UTF-8]:/cygdrive/c/Users/Public: setfacl -m group:SYSTEM:r-x Desktop
user[en_US.UTF-8]:/cygdrive/c/Users/Public: getfacl Desktop
# file: Desktop/
# owner: user
# group: Administrators
user::rwx
group::---
group:BATCH:rwx
group:INTERACTIVE:rwx
group:SERVICE:rwx
group:SYSTEM:r-x
group:Administrators:---
mask:rwx
other:---
default:user::rwx
default:group::---
default:group:BATCH:rwx
default:group:INTERACTIVE:rwx
default:group:SERVICE:rwx
default:group:SYSTEM:rwx
default:mask:rwx
default:other:---

user[en_US.UTF-8]:/cygdrive/c/Users/Public: ls -ld Desktop
total 9
drwxrwx---+ 1 user       Administrators   0 Dec 18 11:07 Desktop
...
user[en_US.UTF-8]:/cygdrive/c/Users/Public: chmod g-w Desktop
user[en_US.UTF-8]:/cygdrive/c/Users/Public: ls -ld Desktop
total 9
drwxr-x---+ 1 user       Administrators   0 Dec 18 11:07 Desktop
...
user[en_US.UTF-8]:/cygdrive/c/Users/Public: getfacl Desktop
# file: Desktop/
# owner: user
# group: Administrators
user::rwx
group::---
group:BATCH:rwx                         #effective:r-x
group:INTERACTIVE:rwx                   #effective:r-x
group:SERVICE:rwx                       #effective:r-x
group:SYSTEM:r-x
group:Administrators:---
mask:r-x
other:---
default:user::rwx
default:group::---
default:group:BATCH:rwx
default:group:INTERACTIVE:rwx
default:group:SERVICE:rwx
default:group:SYSTEM:rwx
default:mask:rwx
default:other:---


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: setfacl to remove a permission implicit adds another
  2015-12-18 15:29 setfacl to remove a permission implicit adds another Thomas Wolff
@ 2015-12-18 15:50 ` Corinna Vinschen
  2015-12-18 16:14 ` Thomas Wolff
  1 sibling, 0 replies; 7+ messages in thread
From: Corinna Vinschen @ 2015-12-18 15:50 UTC (permalink / raw)
  To: cygwin


On Dec 18 16:29, Thomas Wolff wrote:
> For my Desktop folder (as logged below), SYSTEM had group write permission,
> other groups did not have write permissions (by mask).
> After removing SYSTEM write permission with setfacl,
> it was effectively removed for SYSTEM but the other groups got
> write permission ADDED instead (as also properly indicated by ls) −
> which is kind of the opposite of the intended operation.
> Only after removing group write permission with chmod,
> a suitable mask was reestablished, effectively restoring the previous
> setting.
> Why did this specific setfacl operation affect the mask at all?

I'm not sure either.  Is that with 2.3.1 or the 2.4.0 test release?  If
the former, can you please check if 2.4.0 handles this better?


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: setfacl to remove a permission implicit adds another
  2015-12-18 15:29 setfacl to remove a permission implicit adds another Thomas Wolff
  2015-12-18 15:50 ` Corinna Vinschen
@ 2015-12-18 16:14 ` Thomas Wolff
  2015-12-18 17:11   ` Corinna Vinschen
  1 sibling, 1 reply; 7+ messages in thread
From: Thomas Wolff @ 2015-12-18 16:14 UTC (permalink / raw)
  To: cygwin

I wrote:
> ...
> After removing SYSTEM write permission with setfacl,
> it was effectively removed for SYSTEM but the other groups got
> write permission ADDED instead (as also properly indicated by ls) −
> which is kind of the opposite of the intended operation.
cygwin-2.4.0-0.11, sorry


* Re: setfacl to remove a permission implicit adds another
  2015-12-18 16:14 ` Thomas Wolff
@ 2015-12-18 17:11   ` Corinna Vinschen
  2015-12-18 19:38     ` Corinna Vinschen
  0 siblings, 1 reply; 7+ messages in thread
From: Corinna Vinschen @ 2015-12-18 17:11 UTC (permalink / raw)
  To: cygwin


On Dec 18 17:14, Thomas Wolff wrote:
> I wrote:
> >...
> >After removing SYSTEM write permission with setfacl,
> >it was effectively removed for SYSTEM but the other groups got
> >write permission ADDED instead (as also properly indicated by ls) −
> >which is kind of the opposite of the intended operation.
> cygwin-2.4.0-0.11, sorry

In that case the behaviour is by design.  Try the same on Linux and the
result will be the same.  Every time you change group perms, the mask
will be changed to reflect the maximum permissions given to any group or
secondary user.  You always have to check the mask or set it explicitly
to the desired value.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: setfacl to remove a permission implicit adds another
  2015-12-18 17:11   ` Corinna Vinschen
@ 2015-12-18 19:38     ` Corinna Vinschen
  2015-12-21 13:13       ` Thomas Wolff
  0 siblings, 1 reply; 7+ messages in thread
From: Corinna Vinschen @ 2015-12-18 19:38 UTC (permalink / raw)
  To: cygwin


On Dec 18 18:11, Corinna Vinschen wrote:
> On Dec 18 17:14, Thomas Wolff wrote:
> > I wrote:
> > >...
> > >After removing SYSTEM write permission with setfacl,
> > >it was effectively removed for SYSTEM but the other groups got
> > >write permission ADDED instead (as also properly indicated by ls) −
> > >which is kind of the opposite of the intended operation.
> > cygwin-2.4.0-0.11, sorry
> 
> In that case the behaviour is by design.  Try the same on Linux and the
> result will be the same.  Every time you change group perms, the mask
> will be changed to reflect the maximum permissions given to any group or
> secondary user.  You always have to check the mask or set it explicitly
> to the desired value.

I'm sorry, but I forgot to mention an important part:  Recomputing the
mask is *not* done in the kernel or, in our case, Cygwin.  Rather this
functionality is part of the setfacl tool.  Setfacl recomputes the mask
by default.  There's a new option -n/--no-mask as on Linux to retain the
current mask setting, e.g.

  $ setfacl -n -m g:wheel:r-x file

Try setfacl --help for a comprehensive description of all options.


HTH,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: setfacl to remove a permission implicit adds another
  2015-12-18 19:38     ` Corinna Vinschen
@ 2015-12-21 13:13       ` Thomas Wolff
  2015-12-21 15:03         ` Corinna Vinschen
  0 siblings, 1 reply; 7+ messages in thread
From: Thomas Wolff @ 2015-12-21 13:13 UTC (permalink / raw)
  To: cygwin

On 18.12.2015 20:38, EXT Corinna Vinschen wrote:
> On Dec 18 18:11, Corinna Vinschen wrote:
>> On Dec 18 17:14, Thomas Wolff wrote:
>>> I wrote:
>>>> ...
>>>> After removing SYSTEM write permission with setfacl,
>>>> it was effectively removed for SYSTEM but the other groups got
>>>> write permission ADDED instead (as also properly indicated by ls) −
>>>> which is kind of the opposite of the intended operation.
>>> cygwin-2.4.0-0.11, sorry
>> In that case the behaviour is by design.  Try the same on Linux and the
>> result will be the same.  Every time you change group perms, the mask
>> will be changed to reflect the maximum permissions given to any group or
>> secondary user.  You always have to check the mask or set it explicitly
>> to the desired value.
> I'm sorry, but I forgot to mention an important part:  Recomputing the
> mask is *not* done in the kernel or, in our case, Cygwin.  Rather this
> functionality is part of the setfacl tool.  Setfacl recomputes the mask
> by default.  There's a new option -n/--no-mask as on Linux to retain the
> current mask setting, e.g.
>
>    $ setfacl -n -m g:wheel:r-x file
>
> Try setfacl --help for a comprehensive description of all options.
>
>
> HTH,
Yes, thank you.
Just pondering:
"...the maximum/union of all permissions..." could well be interpreted 
as "... all *effective* permissions"
which would make a difference in the presented case.
Anyway, you are right, this is an upstream design issue. And upstream in 
this case seems to mean referring to a standard that isn't even 
officially available anymore...
------
Thomas


* Re: setfacl to remove a permission implicit adds another
  2015-12-21 13:13       ` Thomas Wolff
@ 2015-12-21 15:03         ` Corinna Vinschen
  0 siblings, 0 replies; 7+ messages in thread
From: Corinna Vinschen @ 2015-12-21 15:03 UTC (permalink / raw)
  To: cygwin


On Dec 21 14:13, Thomas Wolff wrote:
> On 18.12.2015 20:38, EXT Corinna Vinschen wrote:
> >On Dec 18 18:11, Corinna Vinschen wrote:
> >>On Dec 18 17:14, Thomas Wolff wrote:
> >>>I wrote:
> >>>>...
> >>>>After removing SYSTEM write permission with setfacl,
> >>>>it was effectively removed for SYSTEM but the other groups got
> >>>>write permission ADDED instead (as also properly indicated by ls) −
> >>>>which is kind of the opposite of the intended operation.
> >>>cygwin-2.4.0-0.11, sorry
> >>In that case the behaviour is by design.  Try the same on Linux and the
> >>result will be the same.  Every time you change group perms, the mask
> >>will be changed to reflect the maximum permissions given to any group or
> >>secondary user.  You always have to check the mask or set it explicitly
> >>to the desired value.
> >I'm sorry, but I forgot to mention an important part:  Recomputing the
> >mask is *not* done in the kernel or, in our case, Cygwin.  Rather this
> >functionality is part of the setfacl tool.  Setfacl recomputes the mask
> >by default.  There's a new option -n/--no-mask as on Linux to retain the
> >current mask setting, e.g.
> >
> >   $ setfacl -n -m g:wheel:r-x file
> >
> >Try setfacl --help for a comprehensive description of all options.
> >
> >
> >HTH,
> Yes, thank you.
> Just pondering:
> "...the maximum/union of all permissions..." could well be interpreted as
> "... all *effective* permissions"

Uh, no.  The effective permissions are a *result* of applying the mask,
so they can't constitute the mask.  Stimulus/response are unambiguously
defined here.

> which would make a difference in the presented case.
> Anyway, you are right, this is an upstream design issue. And upstream in
> this case seems to mean referring to a standard that isn't even officially
> available anymore...

Heh, yes.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
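
Added example, not part of the original thread and not Cygwin or setfacl code: a small Python model of the mask recomputation and the effective-permission rule discussed in the replies above, run on the access entries from the first getfacl listing. It follows the generic POSIX-draft rule only (mask = union of named users, owning group and named groups) and does not model any platform-specific handling; the function names are made up for the illustration.

```python
import re

# Constructed sample: access entries of the first getfacl listing in the thread.
BEFORE = """user::rwx
group::---
group:BATCH:rwx
group:INTERACTIVE:rwx
group:SERVICE:rwx
group:SYSTEM:rwx
group:Administrators:---
mask:r-x
other:---"""

def parse(text):
    """Parse getfacl lines or a comma-separated setfacl spec into {(tag, name): set of bits}."""
    acl = {}
    for item in re.split(r"[,\n]", text):
        item = item.split("#")[0].strip()          # drop '#effective:' comments
        if not item or item.startswith("default:"):
            continue                                # only access entries are modelled
        parts = item.split(":")                     # 'mask:r-x' and 'mask::r-x' both occur
        acl[(parts[0], parts[1] if len(parts) == 3 else "")] = set(parts[-1]) - {"-"}
    return acl

def group_class(key):
    """Named users, the owning group and named groups are limited by the mask."""
    return key[0] == "group" or (key[0] == "user" and key[1] != "")

def modify(acl, spec, no_mask=False):
    """Model `setfacl -m spec`; no_mask=True models -n/--no-mask."""
    change = parse(spec)
    new = {**acl, **change}
    # Assumption (Linux setfacl behaviour): an explicit mask entry in spec is kept as given.
    if not no_mask and ("mask", "") not in change:
        new[("mask", "")] = set().union(*(p for k, p in new.items() if group_class(k)))
    return new

def effective(acl):
    """Effective permissions: group-class entries are ANDed with the mask."""
    mask = acl.get(("mask", ""), set("rwx"))
    return {k: p & mask if group_class(k) else p for k, p in acl.items() if k[0] != "mask"}

def widened(before, after):
    """Entries that gained effective bits, e.g. {'group:BATCH': '-w-'}."""
    old, new = effective(before), effective(after)
    gained = {k: new[k] - old.get(k, set()) for k in new}
    return {":".join(k): "".join(c if c in g else "-" for c in "rwx")
            for k, g in gained.items() if g}

acl = parse(BEFORE)
print(widened(acl, modify(acl, "group:SYSTEM:r-x")))                # mask recomputed
print(widened(acl, modify(acl, "group:SYSTEM:r-x", no_mask=True)))  # -n keeps the mask
```

Running `widened()` on a saved getfacl listing before and after a change is a quick way to spot entries whose effective access grew as a side effect of the recomputed mask.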
