From: Eric Duesterhaus
To: "cygwin@cygwin.com"
Subject: RE: Files created in cygwin on fileshare no longer allow "delete" in NTFS
Date: Tue, 12 Dec 2017 00:26:00 -0000
Message-ID: <542bb7543d814f55a9f2f02fa7fc6cad@knapheide.com>

Hi Jürgen,

From an NTFS standpoint, the containing directory allows "Modify" level access to the AD group the users are members of.
Effective permissions shows the AD group members can do the following to the containing folder by virtue of being members of this group:
- Traverse folder / execute file
- List folder / read data
- Read attributes
- Read extended attributes
- Create files / write data
- Create folders / append data
- Write attributes
- Write extended attributes
- Delete
- Read permissions

The following are NOT allowed of the AD group members:
- Full control
- Change permissions
- Take ownership

Any file placed in this directory through Windows file management inherits the correct permissions. Files created from within Cygwin, even if I just do a "touch filename", allow the AD group "Read, write & execute" access instead of "Modify" access. In effective access, the following have check marks for users that are members of the AD group:
- Traverse folder / execute file
- List folder / read data
- Read attributes
- Read extended attributes
- Create files / write data
- Create folders / append data
- Write attributes
- Write extended attributes
- Read permissions

Note that there are two differences:
1. Delete permissions are now missing.
2. Inheritance has been disabled and all permissions that would have been inherited are on the file as explicit permissions, excepting "delete".

Thanks for the help so far! Hopefully this answered your question.

> Hi Eric,
> what are the permission settings on the containing directory?
>
> Cheers,
> --J.

On 11.12.2017 20:58, Eric Duesterhaus wrote:
> Hi Cygwin Community,
>
> We are currently encountering an issue with Cygwin in regards to NTFS permissions on files created within Cygwin. I'll try to outline my issue with specifics.
>
> 1. There is a Windows file server mapped to M:\ on a Windows computer running Cygwin.
>
> 2. There is an Active Directory group that has "Modify" level permissions on this file share (in NTFS, Modify includes explicit "delete" rights).
>
> 3. "User1" and "User2" are both members of the aforementioned AD group.
>
> 4. A file is created in /cygdrive/m/filepath/ through Cygwin being run as "User1".
>
> 5. "User2" attempts to delete this file. It does not work (access denied).
>
> 6. Upon further inspection of this file's ACL, the AD group with Modify level permissions now only has "read, write, execute" permissions, which, using the Windows "Effective Access" tool, shows that the checkbox that assigns "delete" rights is no longer checked for this group.
>
> I tried using getfacl on a file with the modify permission allowed to my AD group, then passed that file into setfacl with the -f option to overwrite the ACL of my created file. From the NTFS point of view, my AD group still only has read/write/execute permissions instead of modify, which again, doesn't allow delete.
>
> For information gathering I use the resultant file from getfacl to setfacl -f on a file with "good" NTFS permissions, it overwrites the permissions and again, my AD group only has rwx and not "modify" permissions while looking at the ACL from Windows.
>
> How can I retain NTFS "delete" rights for my users and groups on files created by Cygwin?
>
> Eric
>
> --
> Problem reports: http://cygwin.com/problems.html
> FAQ: http://cygwin.com/faq/
> Documentation: http://cygwin.com/docs.html
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
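
The two differences reported in this message (the group's missing Delete right and the loss of inherited ACEs) can be checked from the command line by parsing `icacls <file>` output. The following is an added example, not part of the original post; the paths, the group name `EXAMPLE\ShareUsers` and both sample outputs are constructed for illustration.

```python
import re

# icacls right codes that carry DELETE: F (full), M (modify), D (delete access), DE (delete).
DELETE_BEARING = {"F", "M", "D", "DE"}

def parse_aces(path, icacls_text):
    """Return [(principal, flags, rights)] parsed from `icacls <path>` output."""
    aces = []
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.startswith(path):            # the first line is prefixed with the path
            line = line[len(path):].strip()
        principal, sep, rest = line.partition(":(")
        if not sep:
            continue                         # blank line or the summary line
        groups = re.findall(r"\(([^)]*)\)", "(" + rest)
        flags = set(groups[:-1])             # e.g. I (inherited), OI, CI, DENY
        rights = set(groups[-1].split(","))  # e.g. {"RX", "W"} or {"M"}
        aces.append((principal, flags, rights))
    return aces

def audit(path, icacls_text, group):
    """Report whether `group` keeps DELETE and whether every ACE is explicit."""
    aces = parse_aces(path, icacls_text)
    mine = [a for a in aces if a[0].lower() == group.lower()]
    allowed = any(r & DELETE_BEARING for _, f, r in mine if "DENY" not in f)
    denied = any(r & DELETE_BEARING for _, f, r in mine if "DENY" in f)
    all_explicit = all("I" not in f for _, f, _ in aces)
    return {"has_delete": allowed and not denied, "all_explicit": all_explicit}

# Constructed sample output (hypothetical names), modelled on the symptoms in the post.
GROUP = r"EXAMPLE\ShareUsers"
GOOD_PATH = r"M:\filepath\from_explorer.txt"
GOOD = r"""M:\filepath\from_explorer.txt EXAMPLE\ShareUsers:(I)(M)
                              BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files"""
BAD_PATH = r"M:\filepath\from_cygwin.txt"
BAD = r"""M:\filepath\from_cygwin.txt BUILTIN\Administrators:(F)
                            EXAMPLE\ShareUsers:(RX,W)

Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    print(audit(GOOD_PATH, GOOD, GROUP))
    print(audit(BAD_PATH, BAD, GROUP))
```

A file that reports `has_delete: False` together with `all_explicit: True` matches the pattern described above: the group's ACE was written explicitly without Delete and nothing is inherited from the parent folder.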