Trying to create default ACL entries to match file ACL entries

Trying to create default ACL entries to match file ACL entries

[L A Walsh]

I am trying to create an entry for '/' (or '.' w/me sitting in '/')
where the default entries are the same as the file entries.

I noticed the example give in the manpage for copying entries:

The special filename "-" indicates reading from stdin.
       Note that you can use this with getfacl and setfacl to copy ACLs from
       one file to another:

           $ getfacl source_file | setfacl -f - target_file

so tried doing:

  getfacl . | setfacl -d - .


But keep running into:

  setfacl: missing entries.

Also tried writing to a file and modifying that.
Last try had:

# file: .
# owner: Bliss\law
# group: Bliss\lawgroup
default:user:Bliss\law:rwx
default:group:SYSTEM:rwx
default:group:Bliss\lawgroup:rwx
default:group:Bliss\Domain Admins:rwx
default:group:Bliss\Domain Users:r-x
default:group:Administrators:rwx
default:other::r-x
mask::rwx
user::rwx
group::rwx
other::r-x
----
But still with:
  /> setfacl -f /tmp/norm .
got:
  setfacl: missing entries.

Using it with '-d' just gave illegal acl entries, so
that didn't work either.

What am I missing?  Thanks!
-linda



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Trying to create default ACL entries to match file ACL entries

[Eliot Moss]

On 6/4/2019 3:34 PM, L A Walsh wrote:
> I am trying to create an entry for '/' (or '.' w/me sitting in '/')
> where the default entries are the same as the file entries.

Ooooo ... not sure _I'd_ mess what / on a Windows system!

> I noticed the example give in the manpage for copying entries:
> 
> The special filename "-" indicates reading from stdin.
>         Note that you can use this with getfacl and setfacl to copy ACLs from
>         one file to another:
> 
>             $ getfacl source_file | setfacl -f - target_file
> 
> so tried doing:
> 
>    getfacl . | setfacl -d - .

I have no problem doing:

mkdir temp
getfacl . | setfacl -f - temp
getfacl temp | setfacl -f .
getfacl / | setfacl -f .

I didn't want to try setting things on /, but
you might:

cd /
mkdir foo
getfacl foo | setfacl -f - .

But I am not sure what foo would have as its permission, i.e., whether
they are what you want.

Regards - EM

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Trying to create default ACL entries to match file ACL entries

[L A Walsh]

lets see if this is more clear:


On 2019/06/04 12:44, Eliot Moss wrote:
> On 6/4/2019 3:34 PM, L A Walsh wrote:
>   
>> I am trying to create an entry for '/' (or '.' w/me sitting in '/')
>> where the default entries are the same as the file entries.
>>           ^^^^^^^
>>
>> so tried doing:
>>
>>    getfacl . | setfacl -d - .
>>     
Sorry, but am trying to get the 'file' entries (w/o the -d)
copied into the default.

On 2019/06/04 12:44, Eliot Moss wrote:
> Ooooo ... not sure _I'd_ mess what / on a Windows system!
>   
-----
    Ya, not idea, but too late for that.  Thanks for your
vote of confidence though!  :waaaaa: :-(



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Trying to create default ACL entries to match file ACL entries

[Brian Inglis]

On 2019-06-04 13:59, L A Walsh wrote:
> lets see if this is more clear:
> On 2019/06/04 12:44, Eliot Moss wrote:
>> On 6/4/2019 3:34 PM, L A Walsh wrote:
>>> I am trying to create an entry for '/' (or '.' w/me sitting in '/')
>>> where the default entries are the same as the file entries.
>>>           ^^^^^^^
>>> so tried doing:
>>>    getfacl . | setfacl -d - .
> Sorry, but am trying to get the 'file' entries (w/o the -d)
> copied into the default.

Not seeing -d, --default documented or supported in the code as an option flag
under Cygwin: it is available under Debian/Ubuntu at least, and probably other
Linux; neither are the file input option flags -M, --modify-file, -X,
--remove-file, or symbolic link -L, --logical, -P, --physical, or -R,
--recursive option flags.

Cygwin equivalent based on setfacl(1) would be something like:
$ getfacl -a source_file | sed 's/.*/&\nd:&/' | setfacl -f - target_file
where you are getting and duplicating the file accesses and also creating the
DACLs.

> On 2019/06/04 12:44, Eliot Moss wrote:
>> Ooooo ... not sure _I'd_ mess what / on a Windows system!
> -----
>     Ya, not idea, but too late for that.  Thanks for your
> vote of confidence though!  :waaaaa: :-(

I have had success using only setfacl -m and specifying everything I want
changed or set in that argument e.g.

	$ setfacl -m u::rwx,g::r-x,o::r-x,d:u::rwx,d:g::r-x,d:o::r-x /

probably using an admin account running with elevated permissions in this case.

For Cygwin root /, I have only:

$ lsp / | cygcheck-hrsv.sed
drwxr-xr-x+ 1 $USER Administrators 0 May 31 05:19 /
# file: /
# owner: $USER
# group: Administrators
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x

C:/.../cygwin64 $HOSTNAME\$USER:(F)
                      BUILTIN\Administrators:(RX)
                      Everyone:(RX)
                      CREATOR OWNER:(OI)(CI)(IO)(F)
                      CREATOR GROUP:(OI)(CI)(IO)(RX)
                      Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Trying to create default ACL entries to match file ACL entries

[Chris Wagner]

Hi Linda, / is just a mount to something like C:\Cygwin64 so there is no 
problem in changing it.

You should delete all the target thing's permissions first to guarantee 
starting from a clean slate.

$ setfacl -kb z2/ && getfacl z1/ |setfacl -f - z2/

This works for me with the latest packages.

HTH, Chris



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Trying to create default ACL entries to match file ACL entries

[L A Walsh]

On 2019/06/04 14:26, Brian Inglis wrote:
> On 2019-06-04 13:59, L A Walsh wrote:
>   
>> lets see if this is more clear:
>> On 2019/06/04 12:44, Eliot Moss wrote:
>>     
>>> On 6/4/2019 3:34 PM, L A Walsh wrote:
>>>       
>>>> I am trying to create an entry for '/' (or '.' w/me sitting in '/')
>>>> where the default entries are the same as the file entries.
>>>>           ^^^^^^^
>>>> so tried doing:
>>>>    getfacl . | setfacl -d - .
>>>>         
>> Sorry, but am trying to get the 'file' entries (w/o the -d)
>> copied into the default.
>>     
>
> Not seeing -d, --default documented or supported in the code as an option flag
> under Cygwin: it is available under Debian/Ubuntu at least, and probably other
> Linux; 
Not to confuse things, but its under getfacl.

silly me, thinking setfacl might have the same flag
very confusing...
So need to getfacl to get access perms, then turn them into a form for
default acl...
Sigh...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Trying to create default ACL entries to match file ACL entries

[Brian Inglis]

On 2019-06-04 15:34, Chris Wagner wrote:
> / is just a mount to something like C:\Cygwin64 so there is no problem
> in changing it.
> You should delete all the target thing's permissions first to guarantee starting
> from a clean slate.
> $ setfacl -kb z2/ && getfacl z1/ |setfacl -f - z2/
> This works for me with the latest packages.

Watch out for valid DACLs if you want to be able to create files in any
subdirectory from Windows programs or access them after creation: thar be
grumblins!

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

how do i create a trusted-installer? (was Re: Trying to create default ACL entries to match file ACL entries)

[L A Walsh]

On 2019/06/04 14:34, Chris Wagner wrote:
> Hi Linda, / is just a mount to something like C:\Cygwin64 so there is no 
> problem in changing it.
>   
----
    Uh...about that....oh my system '/' points to 'C:\'.  Isn't life fun!

I think I finally got it.  I broke down and used "icacls" for fine tuning
and now seem to have:
\ NT SERVICE\TrustedInstaller:(F)
  NT SERVICE\TrustedInstaller:(OI)(CI)(F)
  Bliss\law:(OI)(CI)(F)
  BLISS\lawgroup:(OI)(CI)(F)
  BLISS\Domain Admins:(OI)(CI)(F)
  BLISS\Domain Users:(OI)(CI)(RX)
  BUILTIN\Administrators:(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
  BUILTIN\Users:(OI)(CI)(RX)
  Mandatory Label\High Mandatory Level:(OI)(CI)(NW)


FWIW, BTW, I have two scripts (one in perl, one in shell) that convert
from a SID<->a hex value as you might see in the registry, and back
again.  As much as I've been able to test they seem correct. and agree
with other tools of the same
ilk.  You probably have your own, but if not, they are fairly trivial
and being in either shell or perl they aren't too difficult to understand.

If there is a want, I can just post them here, neither is very long.
> wc sidhex_xlate.{pl,sh}
 127  422 3067 sidhex_xlate.pl
 193  566 4697 sidhex_xlate.sh
 320  988 7764 total

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple