From: "D. Boland" <daniel@boland.nl>
To: cygwin@cygwin.com
Subject: vi stealing SYSTEM-owned permissions and ownership
Date: Sat, 02 Nov 2013 12:55:00 -0000
Message-ID: <5274F396.A133C4CE@boland.nl>

Hi group,
I'm a Linux teacher at a school for vocational education in the Netherlands.
I use Cygwin to help my students overcome their fear of the command line by
showing them their Windows systems through the eyes of Linux.
I had them install Apache and then configure it in Cygwin using vi.
As of Windows 8, the Apache installation sometimes fails, because of permission
issues. Installing "As administrator" solves the problem. This is fine
with me because in other Linuxes, Apache is installed as root by default.
After installation, permissions in the Apache "conf" directory look like this:
drwx------+ 1 SYSTEM SYSTEM 0 28 okt 20:43 .
drwx------+ 1 SYSTEM SYSTEM 0 2 nov 13:10 ..
-rwx------+ 1 SYSTEM SYSTEM 35142 26 okt 18:07 httpd.conf
-rwx------+ 1 SYSTEM SYSTEM 34770 7 okt 23:29 httpd.default.conf
-rwx------+ 1 SYSTEM SYSTEM 13340 3 okt 07:59 magic
-rwx------+ 1 SYSTEM SYSTEM 13340 21 nov 2004 magic.default
-rwx------+ 1 SYSTEM SYSTEM 54599 3 okt 07:59 mime.types
-rwx------+ 1 SYSTEM SYSTEM 54599 17 mrt 2012 mime.types.default
-rwx------+ 1 SYSTEM SYSTEM 9390 5 feb 2013 openssl.cnf
-rwx------+ 1 SYSTEM SYSTEM 11050 3 okt 07:59 ssl.conf
-rwx------+ 1 SYSTEM SYSTEM 11030 7 okt 23:29 ssl.default.conf
To emulate the Unix permissions model, I had my students add a group in Windows,
named "apache", making themselves a member and then import it using the mkgroup
command.
After a chgrp and chmod on the entire Apache folder, the "conf" directory looks
like this:
drwxrwx---+ 1 SYSTEM apache 0 28 okt 20:43 .
drwxrwx---+ 1 SYSTEM apache 0 2 nov 13:10 ..
-rwxrwx---+ 1 SYSTEM apache 35142 26 okt 18:07 httpd.conf
-rwxrwx---+ 1 SYSTEM apache 34770 7 okt 23:29 httpd.default.conf
-rwxrwx---+ 1 SYSTEM apache 13340 3 okt 07:59 magic
-rwxrwx---+ 1 SYSTEM apache 13340 21 nov 2004 magic.default
-rwxrwx---+ 1 SYSTEM apache 54599 3 okt 07:59 mime.types
-rwxrwx---+ 1 SYSTEM apache 54599 17 mrt 2012 mime.types.default
-rwxrwx---+ 1 SYSTEM apache 9390 5 feb 2013 openssl.cnf
-rwxrwx---+ 1 SYSTEM apache 11050 3 okt 07:59 ssl.conf
-rwxrwx---+ 1 SYSTEM apache 11030 7 okt 23:29 ssl.default.conf
My students can now administer Apache without running Cygwin "As administrator".
Also, this is extremely useful in real-time business situations. It enables my
students to grant Apache admin permissions to other users by putting them in
the apache group, without giving them full admin access on the entire system.
But here's the problem. After editing the httpd.conf file with vi, the permissions
on the "httpd.conf" file are changed to:
----------+ 1 Daniel None 35142 2 nov 13:20 httpd.conf
This should not be. I tested this on my RedHat and OpenBSD systems, and there are
no changes in ownership or permissions after editing with vi.
After fiddling with chown, chgrp, chmod, getfacl, setfacl and icacl for a few
hours, I finally installed nano. Nano behaved. It did not alter anything except
the contents of the file.
But I want my students to learn vi, so having them install nano is not an option.
I think the problem is vi. Vi deletes the original file and creates a new one with
the changed contents, without resetting the original ownership and permissions. See
also this post:
http://unix.stackexchange.com/questions/58880/how-does-vim-steal-root-owned-files
Can somebody shed some light on this?
Meanwhile, I accidentally found sort of a solution: deleting the file without write
permissions on the containing folder, restores the permissions set by Administrator.
As Administrator:
chmod 0700 .
touch test.txt
chown SYSTEM:apache test.txt
chmod 0770 test.txt
Results in:
-rwxrwx---+ 1 SYSTEM apache 0 2 nov 13:26 test.txt
As "normal" user:
Edit the file with vi. After, permissions will look like:
----------+ 1 Daniel None 9 2 nov 13:29 test.txt
$ getfacl.exe test.txt
# file: test.txt
# owner: Daniel
# group: None
user::---
group::---
group:SYSTEM:rwx
group:Administrators:rwx
group:Gebruikers:r-x
group:apache:rwx
mask:rwx
other:---
To "solve" this, simply delete the file:
rm test.txt
The file is not deleted because of 0700 on the containing folder. But the original
permissions, set by Admin are restored!!
-rwxrwx---+ 1 SYSTEM apache 9 2 nov 13:29 test.txt
$ getfacl.exe test.txt
# file: test.txt
# owner: SYSTEM
# group: apache
user::rwx
group::rwx
group:Administrators:rwx
group:Gebruikers:r-x
mask:rwx
other:---
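
Added example, not part of the original message: a shell demonstration of the two save strategies the message contrasts (overwriting the file in place versus creating a new file and renaming it over the original), with a check that reports which of inode, mode, owner and group changed. The function names and the temporary httpd.conf are constructed for the demo; it assumes a stat that accepts -c format strings, as GNU stat on Cygwin does.

```shell
#!/bin/sh
# Added example: why a "write new file, then rename" save changes a file's
# identity and permissions while an in-place save does not.

# Print inode, octal mode, numeric owner and group of a file.
snapshot() { stat -c '%i %a %u %g' "$1"; }

# Strategy 1: overwrite the existing file (same inode, metadata kept).
save_in_place() { printf '%s\n' "$2" > "$1"; }

# Strategy 2: create a new file beside the target and rename it over the
# original. The new file belongs to the caller and gets umask-derived
# permissions; only write access to the directory is required.
save_by_replace() {
    tmp="$1.new.$$"
    printf '%s\n' "$2" > "$tmp" && mv -f "$tmp" "$1"
}

# Compare two snapshots and name the fields that drifted.
drift() {
    set -- $1 $2                      # i1 m1 u1 g1 i2 m2 u2 g2
    out=""
    [ "$1" = "$5" ] || out="$out inode"
    [ "$2" = "$6" ] || out="$out mode"
    [ "$3" = "$7" ] || out="$out owner"
    [ "$4" = "$8" ] || out="$out group"
    out=${out# }
    echo "${out:-none}"
}

# Create a constructed httpd.conf with mode 0660, save it with the strategy
# named in $1 under umask 077, and report the drift.
demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/httpd.conf"
    ( umask 077
      printf 'original\n' > "$f"; chmod 0660 "$f"
      before=$(snapshot "$f")
      "$1" "$f" "edited"
      drift "$before" "$(snapshot "$f")" )
    rm -rf "$dir"
}

echo "in-place save drift: $(demo save_in_place)"
echo "replace save drift:  $(demo save_by_replace)"
```

Run by a single user, the demo shows only inode and mode drift; when the original belongs to another account, as with the SYSTEM-owned file in the message, owner and group drift as well. Vim's 'backupcopy' option selects between the two strategies, and `:set backupcopy=yes` makes it overwrite the original file.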