public inbox for cygwin@cygwin.com
From: L A Walsh <cygwin@tlinx.org>
To: "cygwin@cygwin.com" <cygwin@cygwin.com>
Subject: cygwin permissions on folders creating problems for windows applications (like explorer, gvim)
Date: Tue, 08 Sep 2020 23:55:10 -0700
Message-ID: <5F587C4E.5090007@tlinx.org>


I was trying to edit files in
/etc/ssh:

  /etc/ssh> gvim sshd_config
  Error: Current working directory has restricted permissions which render it
  inaccessible as Win32 working directory.
  Can't start native Windows application from here.
  setsid: failed to execute gvim: Permission denied


 
The files were owned by a domain account which is broken right now.

  An Aside (I think)
    (my workstation became unjoined after a windows update and the trust
    between workstation+samba DC was broken.  Tried removing + re-adding
    only to get:

      The join operation was not successful.  This could be because an
      existing computer account having name 'ANY' was previous
      created using a different set of credential.  Use a different
      computer name, or contact your administrator to remove any
      stale conflicting account.  The error was Access is denied.

    So far, I've been stymied on that front as well.)
   End of aside

The dir was owned by a domain account, so chowned it to a local account+
group, and no effect.  Noticed an ACL on it from the + in ls.

my lsacl script shows:
/etc/ssh> lsacl .
[u::rwx,u:Administrators_u:rwx,g::rwx,g:SYSTEM:rwx,g:Users:r-x,g:Authenticated Users:rwx,m::rwx,o::---/u::rwx,u:Administrators_u:rwx,g::rwx,g:SYSTEM:rwx,g:Users:r-x,g:Authenticated Users:rwx,m::rwx,o::r-x] .

and getfacl shows:

/etc/ssh> getfacl .
# file: .
# owner: Administrators_u
# group: Administrators
user::rwx
user:Administrators_u:rwx
group::rwx
group:SYSTEM:rwx
group:Users:r-x
group:Authenticated Users:rwx
mask::rwx
other::---
default:user::rwx
default:user:Administrators_u:rwx
default:group::rwx
default:group:SYSTEM:rwx
default:group:Users:r-x
default:group:Authenticated Users:rwx
default:mask::rwx
default:other::r-x

Looking in explorer I see
a NULL SID with Deny of Traverse, Read ext attrs and perm, and del subfolders
for the folder only.
Authenticated users get denied for folder Create files/write data, 
Create folders /append data, write attrs,  write ext.attrs, + delete subfolders+files
Then they get some perms for folder+subfolds+files
and a copy of the null sid denials...

Explorer maintains that "The permissions on etc/ssh are incorrectly ordered
which may cause some entries to be ineffective.  In order to change
any permissions, windows requires they be reordered."

I've run into this stuff before with cygwin permissions being incompatible
with windows permissions.  I've sort of ignored it for the most part as my 
domain account generally had permissions to what I needed, but my local
account hasn't had the same treatment.

So I can reinstall new acls for the local equivalents of the domain
accounts or I can try to figure out why cygwin has to use acls that
are incompatible with windows applications -- and by incompatible, I 
mean they won't start.

Oddly enough Samba seems to be able to store cygwin Acls,
in a way that doesn't seem to require a disabling of windows acls 
nor linux acls.  I may be wrong, but I seem to have a feeling that
this has to do with a decision to use Sun-ACL's in cygwin while
Samba uses Posix ACLs.  Also, something I didn't understand is I
seem to remember that something special had to be done to implement
a primary group on the files -- yet, since Vista, MS has had a primary
group on their files to support their POSIX subsystem.  Is that 
currently being used?  If not, would it be possible?

The group ID may not be figuring into how the cyg-acl's are very
incompat with window's acl's, I dunno.

But my main concern is not being able to start any windows apps in
directories where cygwin has set the permissions as they seem to
be incompatible.  Can these be made compatible?  If there is some
behavior that would have to change in regards to how cygwin acls +
permissions behave, could it be based off an environment variable --
to use more compatible posix ACL's rather than sun ACL's?  

I may be showing a great deal of ignorance, but it seems that cygwin
is supposed to be a posix implementation -- wouldn't posix acls make
more sense?

Thanks...
Linda
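
Added example, not part of the original message: a small model of the Windows canonical ACE order (explicit deny, explicit allow, inherited deny, inherited allow) that Explorer's "incorrectly ordered" warning refers to, together with an in-order access check. The `Ace` class, the right names and the sample DACL are constructed for illustration; only the ACE order is taken from the description in the message.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    trustee: str
    kind: str                # "deny" or "allow"
    rights: frozenset
    inherited: bool = False  # True if the ACE came from a parent object

def rank(ace):
    """Canonical class: explicit deny, explicit allow, inherited deny, inherited allow."""
    return (2 if ace.inherited else 0) + (0 if ace.kind == "deny" else 1)

def order_violations(dacl):
    """Indexes of ACEs that appear after an ACE of a later canonical class."""
    bad, highest = [], 0
    for i, ace in enumerate(dacl):
        if rank(ace) < highest:
            bad.append(i)
        highest = max(highest, rank(ace))
    return bad

def canonicalize(dacl):
    return sorted(dacl, key=rank)  # stable sort into canonical order

def access_granted(dacl, token_sids, wanted):
    """Evaluate ACEs in list order: a matching deny of a still-needed right
    fails the request; it succeeds once every wanted right has been allowed."""
    needed = set(wanted)
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue
        if ace.kind == "deny" and needed & ace.rights:
            return False
        if ace.kind == "allow":
            needed -= ace.rights
        if not needed:
            return True
    return False

# Constructed sample: ACE order as described in the message; right names are illustrative.
NULL_DENY = frozenset({"traverse", "read_ea", "delete_child"})
WRITE = frozenset({"write_data", "append_data", "write_attrs", "delete_child"})
DACL = [
    Ace("NULL SID", "deny", NULL_DENY),
    Ace("Authenticated Users", "deny", WRITE),
    Ace("Authenticated Users", "allow", frozenset({"read_data", "traverse"})),
    Ace("NULL SID", "deny", NULL_DENY),
]
```

Because evaluation stops at the first decisive ACE, sorting an ACL that has an allow ahead of a deny for the same trustee changes the result, so compare `access_granted` before and after `canonicalize` before accepting a reorder.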






