* Re: SMBFS mount's file cannot be made executable
@ 2019-08-14 0:53 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-14 2:36 ` Ken Brown
2019-08-14 16:59 ` Achim Gratz
0 siblings, 2 replies; 69+ messages in thread
From: Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin @ 2019-08-14 0:53 UTC (permalink / raw)
To: 'cygwin@cygwin.com'
> If it's related to the ACL handling then it should start working when
> you remove the ACL on the file with 'setfacl -kb ...'
There are no special ACLs set on the file (that was just produced by GCC from the source code, see my first email).
But I am now convinced that the problem is _entirely_ in Cygwin's corner:
When I open that file's "Properties->Security" Windows tab, I can see that my permissions are "Read" and "Write", yet
"Read & Execute" is NOT checked. When I check it, I see that the file becomes executable (the "x" bit) from both
Cygwin shell and on the Linux side, too. And after that, I can execute the file from the Cygwin shell.
So what happens is that when "chmod" (or "creat" with a permission mask) is called, Cygwin does not honor the "x" bit(s) and does not convert it to
a corresponding proper ACL for the Windows mounted filesystem (and that ACL, in turn, would have been then sent to SMBD to get converted there back
to the "x" bit in the Unix world). Once the "x" is there, Windows (via SMBD) obviously allows execution of the image. Here's a related "bug":
https://forge.univention.org/bugzilla/show_bug.cgi?id=33785
I did not investigate in detail how Cygwin handles the execute permission, but obviously there's something off.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
* Re: SMBFS mount's file cannot be made executable
2019-08-14 0:53 SMBFS mount's file cannot be made executable Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
@ 2019-08-14 2:36 ` Ken Brown
2019-08-14 16:59 ` Achim Gratz
1 sibling, 0 replies; 69+ messages in thread
From: Ken Brown @ 2019-08-14 2:36 UTC (permalink / raw)
To: cygwin
On 8/13/2019 8:53 PM, Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin wrote:
>> If it's related to the ACL handling then it should start working when
>> you remove the ACL on the file with 'setfacl -kb ...'
>
> There are no special ACLs set on the file (that was just produced by GCC from the source code, see my first email).
Have you checked the default ACL on the directory containing the file?
Ken
* Re: SMBFS mount's file cannot be made executable
2019-08-14 0:53 SMBFS mount's file cannot be made executable Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-14 2:36 ` Ken Brown
@ 2019-08-14 16:59 ` Achim Gratz
1 sibling, 0 replies; 69+ messages in thread
From: Achim Gratz @ 2019-08-14 16:59 UTC (permalink / raw)
To: cygwin
Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin writes:
>> If it's related to the ACL handling then it should start working when
>> you remove the ACL on the file with 'setfacl -kb ...'
>
> There are no special ACLs set on the file (that was just produced by
> GCC from the source code, see my first email).
You earlier showed this:
> $ ls -l a.exe
> -rw-rw-r--+ 1 lavr cppcore 157753 Aug 13 08:20 a.exe
See the '+' at the end of the modes? That's telling you that there is
an ACL added to the file and the modes are the result of combining the
actual mode bits with the ACL. As you said, gcc won't add any ACL by
itself, so these ACL are the result of inheritable / default ACL.
> But I am now convinced that the problem is _entirely_ in Cygwin's corner:
Maybe, but we'd still need to know how to get to the result you're seeing.
> When I open that file's "Properties->Security" Windows tab, I can
> see that my permissions are "Read" and "Write", yet "Read & Execute"
> is NOT checked. When I check it, I see that the file becomes
> executable (the "x" bit) from both Cygwin shell and on the Linux side,
> too. And after that, I can execute the file from the Cygwin shell.
I hope it's clear to you that the permissions you see on this tab have
nothing to do with the POSIX mode bits you're trying to set from Cygwin.
> So what happens is that when "chmod" (or "creat" with a permission
> mask) is called, Cygwin does not honor the "x" bit(s) and does not
> convert it to a corresponding proper ACL for the Windows mounted
> filesystem (and that ACL, in turn, would have been then sent to SMBD
> to get converted there back to the "x" bit in the Unix world). Once
> the "x" is there, Windows (via SMBD) obviously allows execution of the
> image. Here's a related "bug":
Most often that is the result of an inherited ACL mask that clears that
bit. Correcting either the default ACL or removing it should then make
that problem go away. Default ACL are associated with the parent
directory and you're unlikely to be able to change the parent directory
modes if it's the root of a file system exported from a filer. Try
again in a subdirectory and clear the default ACL with 'setfacl -kb' on
that directory before you start doing anything there.
Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
Factory and User Sound Singles for Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds
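The rule Achim describes (a default ACL on the parent directory, not gcc, decides what a new file ends up with) can be worked through with the general POSIX.1e semantics as found on Linux. This is an added illustration, not part of the original message and not Cygwin code. The directory ACL, the `build` directory name and all function names are constructed for the example; the thread never shows the actual directory ACL.

```python
# Added illustration: POSIX.1e default-ACL inheritance and the ACL mask.
# SAMPLE_DIR_ACL is a constructed getfacl listing, not data from the thread.

BASE = {("user", ""), ("group", ""), ("other", "")}
BITS = (("r", 4), ("w", 2), ("x", 1))

SAMPLE_DIR_ACL = """\
# file: build
user::rwx
group::rwx
other::r-x
default:user::rw-
default:group::rwx
default:group:cppcore:rwx
default:mask::rw-
default:other::r--
"""


def to_bits(perms):
    return sum(bit for ch, bit in BITS if ch in perms)


def to_text(bits):
    return "".join(ch if bits & bit else "-" for ch, bit in BITS)


def parse_getfacl(text):
    """Return (access_acl, default_acl) as {(tag, qualifier): bits}."""
    access, default = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop headers and "#effective" notes
        if not line:
            continue
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        target[(tag, qualifier)] = to_bits(perms)
    return access, default


def acl_for_new_file(default_acl, mode, umask=0o022):
    """Access ACL of a file created with `mode` inside the directory."""
    if not default_acl:
        # No default ACL: plain mode bits, filtered by the umask.
        mode &= ~umask
        return {("user", ""): (mode >> 6) & 7,
                ("group", ""): (mode >> 3) & 7,
                ("other", ""): mode & 7}
    # Default ACL present: it is copied, the umask is ignored, and the
    # requested mode can only take permissions away, never add them.
    acl = dict(default_acl)
    group_class = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[("user", "")] &= (mode >> 6) & 7
    acl[group_class] &= (mode >> 3) & 7
    acl[("other", "")] &= mode & 7
    return acl


def chmod(acl, mode):
    """chmod on a file with an ACL rewrites user::, the mask and other::."""
    new = dict(acl)
    group_class = ("mask", "") if ("mask", "") in new else ("group", "")
    new[("user", "")] = (mode >> 6) & 7
    new[group_class] = (mode >> 3) & 7
    new[("other", "")] = mode & 7
    return new


def effective(acl):
    """Rights each entry really grants: group-class entries are ANDed with the mask."""
    mask = acl.get(("mask", ""), 7)
    result = {}
    for (tag, qualifier), bits in acl.items():
        if tag == "mask":
            continue
        masked = tag == "group" or (tag == "user" and qualifier != "")
        result[(tag, qualifier)] = bits & mask if masked else bits
    return result


def ls_mode(acl):
    """Mode string as `ls -l` prints it; '+' marks an extended ACL."""
    group_class = acl.get(("mask", ""), acl[("group", "")])
    plus = "+" if any(key not in BASE for key in acl) else ""
    return "-" + to_text(acl[("user", "")]) + to_text(group_class) \
        + to_text(acl[("other", "")]) + plus


if __name__ == "__main__":
    _, default_acl = parse_getfacl(SAMPLE_DIR_ACL)
    created = acl_for_new_file(default_acl, 0o777)      # linker asks for 0777
    print("with default ACL   :", ls_mode(created))
    for (tag, qualifier), bits in sorted(effective(created).items()):
        print("  effective %s:%s:%s" % (tag, qualifier, to_text(bits)))
    print("after chmod 775    :", ls_mode(chmod(created, 0o775)))
    print("without default ACL:", ls_mode(acl_for_new_file({}, 0o777)))
```

With the constructed default ACL the new file comes out without any "x" bit even though 0777 was requested, which is why clearing the default ACL on a subdirectory before building there is the suggested test.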
* Re: SMBFS mount's file cannot be made executable
2024-12-07 23:13 ` Takashi Yano
2024-12-08 7:57 ` Takashi Yano
@ 2024-12-09 11:11 ` Corinna Vinschen
1 sibling, 0 replies; 69+ messages in thread
From: Corinna Vinschen @ 2024-12-09 11:11 UTC (permalink / raw)
To: cygwin
On Dec 8 08:13, Takashi Yano via Cygwin wrote:
> On Tue, 19 Nov 2024 21:54:44 +0100
> Corinna Vinschen wrote:
> > No, we can't do that, it's too simple.
> >
> > Just kidding.
> >
> > This is so simple, I'm puzzled we never tried that before. Or, if we
> > did, it's a loooong time ago...
> >
> > If we really do this, we don't even need to call get_file_sd(). And it
> > should use NtOpenFile and reopen semantics i.e. pc.init_reopen_attr().
> > Also, the sharing flags should allow all access. And the `effective'
> > argument needs to be taken into account.
>
> I have a question. What is pc.init_reopen_attr() for? I tested with
> pc.get_object_attr() instead, it works.
init_reopen_attr() uses the "open by handle" functionality as in the
Win32 API ReOpenFile(). It only does so if the filesystem supports it.
Samba usually does, so it's not clear to me why pc.init_reopen_attr()
fails for you.
> What handle should I pass to pc.init_reopen_attr()?
You could pass pc.handle(). Is pc.handle() in this scenario NULL,
perhaps?
> @@ -709,12 +615,44 @@ check_file_access (path_conv &pc, int flags, bool effective)
> desired |= FILE_WRITE_DATA;
> if (flags & X_OK)
> desired |= FILE_EXECUTE;
> - if (!get_file_sd (pc.handle (), pc, sd, false))
> +
> + NTSTATUS status;
> + if (!effective && cygheap->user.issetuid ())
> + {
> + /* Strip impersonation token temporarily */
> + HANDLE tok = NO_IMPERSONATION;
> + status = NtSetInformationThread (GetCurrentThread (),
> + ThreadImpersonationToken,
> + &tok, sizeof (tok));
> + if (!NT_SUCCESS (status))
> + {
> + debug_printf("NtSetInformationThread() for stripping "
> + "impersonation token failed: %y", status);
> + __seterrno_from_nt_status (status);
> + return ret;
> + }
> + }
You can simplify this:
  if (!effective)
    cygheap->user.deimpersonate ();
> + if (!effective && cygheap->user.issetuid ())
> + {
> + /* Recover impersonation token */
> + HANDLE tok = cygheap->user.imp_token () ?: hProcImpToken;
> + status = NtSetInformationThread (GetCurrentThread (),
> + ThreadImpersonationToken,
> + &tok, sizeof (tok));
> + if (!NT_SUCCESS (status))
> + debug_printf("NtSetInformationThread() for recovering "
> + "impersonation token failed: %y", status);
> }
And this:
  if (!effective)
    cygheap->user.reimpersonate ();
But please let's move to cygwin-patches for this.
Thanks,
Corinna
* Re: SMBFS mount's file cannot be made executable
2024-12-07 23:13 ` Takashi Yano
@ 2024-12-08 7:57 ` Takashi Yano
2024-12-09 11:11 ` Corinna Vinschen
1 sibling, 0 replies; 69+ messages in thread
From: Takashi Yano @ 2024-12-08 7:57 UTC (permalink / raw)
To: cygwin
On Sun, 8 Dec 2024 08:13:38 +0900
Takashi Yano wrote:
> On Tue, 19 Nov 2024 21:54:44 +0100
> Corinna Vinschen wrote:
> > On Nov 19 17:58, Takashi Yano via Cygwin wrote:
> > > On Mon, 18 Nov 2024 17:26:12 +0100
> > > Corinna Vinschen wrote:
> > > > We can safely assume that the current user is already authorized on the
> > > > SMB server. So... shouldn't AuthzInitializeResourceManager be
> > > > sufficient and the code from class authz_ctx already does what we want?
> > > > We may just have to use it in place of calling NtCheckAccess(),
> > > > maybe with a tweak or two...
> > >
> > > I already tried AuthzInitializeResourceManager(), but the result
> > > was the same with current implementation...
> >
> > So you tried to call authz_get_user_attribute()?
>
> Yes. But resulted in the same.
>
> > > BTW, I came up with another implementation. This makes things
> > > much simpler. What do you think of the patch attached?
> >
> > > [...]
> > > int
> > > check_file_access (path_conv &pc, int flags, bool effective)
> > > {
> > > @@ -711,10 +618,14 @@ check_file_access (path_conv &pc, int flags, bool effective)
> > > desired |= FILE_EXECUTE;
> > > if (!get_file_sd (pc.handle (), pc, sd, false))
> > > {
> > > - /* Tweak Samba security descriptor as necessary. */
> > > - if (pc.fs_is_samba ())
> > > - convert_samba_sd (sd);
> > > - ret = check_access (sd, file_mapping, desired, flags, effective);
> > > + HANDLE h = CreateFileW (pc.get_nt_native_path ()->Buffer, desired,
> > > + 0, NULL, OPEN_EXISTING,
> > > + FILE_FLAG_BACKUP_SEMANTICS, NULL);
> > > + if (h != INVALID_HANDLE_VALUE)
> > > + {
> > > + CloseHandle (h);
> > > + ret = 0;
> > > + }
> > > }
> > > debug_printf ("flags %y, ret %d", flags, ret);
> > > return ret;
> >
> > No, we can't do that, it's too simple.
> >
> > Just kidding.
> >
> > This is so simple, I'm puzzled we never tried that before. Or, if we
> > did, it's a loooong time ago...
> >
> > If we really do this, we don't even need to call get_file_sd(). And it
> > should use NtOpenFile and reopen semantics i.e. pc.init_reopen_attr().
> > Also, the sharing flags should allow all access. And the `effective'
> > argument needs to be taken into account.
>
> I have a question. What is pc.init_reopen_attr() for? I tested with
> pc.get_object_attr() instead, it works. What handle should I pass
> to pc.init_reopen_attr()?
>
> Anyway, I revised the patch as attached. What do you think?
diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
index fcc5e1ff7..68e7fd9e1 100644
--- a/winsup/cygwin/sec/base.cc
+++ b/winsup/cygwin/sec/base.cc
@@ -643,6 +643,8 @@ check_file_access (path_conv &pc, int flags, bool effective)
NtClose (h);
ret = 0;
}
+ else
+ __seterrno_from_nt_status (status);
if (!effective && cygheap->user.issetuid ())
{
/* Recover impersonation token */
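Review bot: in the new else branch the failing NtOpenFile status is turned into errno but never logged, while the NtSetInformationThread failure paths in the same function report their status through debug_printf with %y. Log the status before calling __seterrno_from_nt_status (status) so a denied probe can be told apart from other failures in the trace. This fixup also comes without a commit message and is better squashed into the patch it corrects.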
--
Takashi Yano <takashi.yano@nifty.ne.jp>
* Re: SMBFS mount's file cannot be made executable
2024-11-19 20:54 ` Corinna Vinschen
@ 2024-12-07 23:13 ` Takashi Yano
2024-12-08 7:57 ` Takashi Yano
2024-12-09 11:11 ` Corinna Vinschen
0 siblings, 2 replies; 69+ messages in thread
From: Takashi Yano @ 2024-12-07 23:13 UTC (permalink / raw)
To: cygwin
[-- Attachment #1: Type: text/plain, Size: 2382 bytes --]
On Tue, 19 Nov 2024 21:54:44 +0100
Corinna Vinschen wrote:
> On Nov 19 17:58, Takashi Yano via Cygwin wrote:
> > On Mon, 18 Nov 2024 17:26:12 +0100
> > Corinna Vinschen wrote:
> > > We can safely assume that the current user is already authorized on the
> > > SMB server. So... shouldn't AuthzInitializeResourceManager be
> > > sufficient and the code from class authz_ctx already does what we want?
> > > We may just have to use it in place of calling NtCheckAccess(),
> > > maybe with a tweak or two...
> >
> > I already tried AuthzInitializeResourceManager(), but the result
> > was the same with current implementation...
>
> So you tried to call authz_get_user_attribute()?
Yes. But resulted in the same.
> > BTW, I came up with another implementation. This makes things
> > much simpler. What do you think of the patch attached?
>
> > [...]
> > int
> > check_file_access (path_conv &pc, int flags, bool effective)
> > {
> > @@ -711,10 +618,14 @@ check_file_access (path_conv &pc, int flags, bool effective)
> > desired |= FILE_EXECUTE;
> > if (!get_file_sd (pc.handle (), pc, sd, false))
> > {
> > - /* Tweak Samba security descriptor as necessary. */
> > - if (pc.fs_is_samba ())
> > - convert_samba_sd (sd);
> > - ret = check_access (sd, file_mapping, desired, flags, effective);
> > + HANDLE h = CreateFileW (pc.get_nt_native_path ()->Buffer, desired,
> > + 0, NULL, OPEN_EXISTING,
> > + FILE_FLAG_BACKUP_SEMANTICS, NULL);
> > + if (h != INVALID_HANDLE_VALUE)
> > + {
> > + CloseHandle (h);
> > + ret = 0;
> > + }
> > }
> > debug_printf ("flags %y, ret %d", flags, ret);
> > return ret;
>
> No, we can't do that, it's too simple.
>
> Just kidding.
>
> This is so simple, I'm puzzled we never tried that before. Or, if we
> did, it's a loooong time ago...
>
> If we really do this, we don't even need to call get_file_sd(). And it
> should use NtOpenFile and reopen semantics i.e. pc.init_reopen_attr().
> Also, the sharing flags should allow all access. And the `effective'
> argument needs to be taken into account.
I have a question. What is pc.init_reopen_attr() for? I tested with
pc.get_object_attr() instead, it works. What handle should I pass
to pc.init_reopen_attr()?
Anyway, I revised the patch as attached. What do you think?
--
Takashi Yano <takashi.yano@nifty.ne.jp>
[-- Attachment #2: 0001-Cygwin-access-Correction-for-samba-SMB-share.patch --]
[-- Type: text/plain, Size: 6366 bytes --]
From 777bdf75527f353ac83317a82e38794206bb6dd5 Mon Sep 17 00:00:00 2001
From: Takashi Yano <takashi.yano@nifty.ne.jp>
Date: Sun, 8 Dec 2024 07:34:48 +0900
Subject: [PATCH] Cygwin: access: Correction for samba/SMB share
Previously, access() and eaccess() do not determine the permissions
for files on samba/SMB share. Even if the user logs in as the owner
of the file, access() and eaccess() refer to others' permissions.
With this patch, to determine the permissions correctly, NtOpenFile()
with desired access mask is used.
Fixes: cf762b08cfb0 ("* security.cc (check_file_access): Create.")
Reviewed-by: Corinna Vinschen <corinna@vinschen.de>
Signed-off-by: Takashi Yano <takashi.yano@nifty.ne.jp>
---
winsup/cygwin/sec/base.cc | 136 +++++++++++---------------------------
1 file changed, 37 insertions(+), 99 deletions(-)
diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
index d5e39d281..fcc5e1ff7 100644
--- a/winsup/cygwin/sec/base.cc
+++ b/winsup/cygwin/sec/base.cc
@@ -28,10 +28,6 @@ details. */
| GROUP_SECURITY_INFORMATION \
| OWNER_SECURITY_INFORMATION)
-static GENERIC_MAPPING NO_COPY_RO file_mapping = { FILE_GENERIC_READ,
- FILE_GENERIC_WRITE,
- FILE_GENERIC_EXECUTE,
- FILE_ALL_ACCESS };
LONG
get_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd,
bool justcreated)
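Review bot: with file_mapping removed here and the only visible check_access () call removed from check_file_access () further down, it is unclear whether check_access (), whose signature in the next hunk header still takes a GENERIC_MAPPING &mapping, has any caller left in this file. If it does not, remove it in the same patch; if it does, say so in the commit message so the leftover function is not mistaken for dead code.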
@@ -608,99 +604,9 @@ check_access (security_descriptor &sd, GENERIC_MAPPING &mapping,
return ret;
}
-/* Samba override. Check security descriptor for Samba UNIX user and group
- accounts and check if we have an RFC 2307 mapping to a Windows account.
- Create a new security descriptor with all of the UNIX accounts with
- valid mapping replaced with their Windows counterpart. */
-static void
-convert_samba_sd (security_descriptor &sd_ret)
-{
- NTSTATUS status;
- BOOLEAN dummy;
- PSID sid;
- cygsid owner;
- cygsid group;
- SECURITY_DESCRIPTOR sd;
- cyg_ldap cldap;
- tmp_pathbuf tp;
- PACL acl, oacl;
- size_t acl_len;
- PACCESS_ALLOWED_ACE ace;
-
- if (!NT_SUCCESS (RtlGetOwnerSecurityDescriptor (sd_ret, &sid, &dummy)))
- return;
- owner = sid;
- if (!NT_SUCCESS (RtlGetGroupSecurityDescriptor (sd_ret, &sid, &dummy)))
- return;
- group = sid;
-
- if (sid_id_auth (owner) == 22)
- {
- struct passwd *pwd;
- uid_t uid = owner.get_uid (&cldap);
- if (uid < UNIX_POSIX_OFFSET && (pwd = internal_getpwuid (uid)))
- owner.getfrompw (pwd);
- }
- if (sid_id_auth (group) == 22)
- {
- struct group *grp;
- gid_t gid = group.get_gid (&cldap);
- if (gid < UNIX_POSIX_OFFSET && (grp = internal_getgrgid (gid)))
- group.getfromgr (grp);
- }
-
- if (!NT_SUCCESS (RtlGetDaclSecurityDescriptor (sd_ret, &dummy,
- &oacl, &dummy)))
- return;
- acl = (PACL) tp.w_get ();
- RtlCreateAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION);
- acl_len = sizeof (ACL);
-
- for (DWORD i = 0; i < oacl->AceCount; ++i)
- if (NT_SUCCESS (RtlGetAce (oacl, i, (PVOID *) &ace)))
- {
- cygsid ace_sid ((PSID) &ace->SidStart);
- if (sid_id_auth (ace_sid) == 22)
- {
- if (sid_sub_auth (ace_sid, 0) == 1) /* user */
- {
- struct passwd *pwd;
- uid_t uid = ace_sid.get_uid (&cldap);
- if (uid < UNIX_POSIX_OFFSET && (pwd = internal_getpwuid (uid)))
- ace_sid.getfrompw (pwd);
- }
- else if (sid_sub_auth (ace_sid, 0) == 2) /* group */
- {
- struct group *grp;
- gid_t gid = ace_sid.get_gid (&cldap);
- if (gid < UNIX_POSIX_OFFSET && (grp = internal_getgrgid (gid)))
- ace_sid.getfromgr (grp);
- }
- }
- if (!add_access_allowed_ace (acl, ace->Mask, ace_sid, acl_len,
- ace->Header.AceFlags))
- return;
- }
- acl->AclSize = acl_len;
-
- RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
- RtlSetControlSecurityDescriptor (&sd, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
- RtlSetOwnerSecurityDescriptor (&sd, owner, FALSE);
- RtlSetGroupSecurityDescriptor (&sd, group, FALSE);
-
- status = RtlSetDaclSecurityDescriptor (&sd, TRUE, acl, FALSE);
- if (!NT_SUCCESS (status))
- return;
- DWORD sd_size = 0;
- status = RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
- if (sd_size > 0 && sd_ret.malloc (sd_size))
- RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
-}
-
int
check_file_access (path_conv &pc, int flags, bool effective)
{
- security_descriptor sd;
int ret = -1;
ACCESS_MASK desired = 0;
if (flags & R_OK)
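Review bot: the commit message does not say why the RFC 2307 mapping done by convert_samba_sd () can be dropped, although this hunk removes all of it. One sentence explaining that the access decision is now made by the server during the open, so UNIX user and group SIDs no longer have to be translated on the client, would make the removal reviewable on its own.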
@@ -709,12 +615,44 @@ check_file_access (path_conv &pc, int flags, bool effective)
desired |= FILE_WRITE_DATA;
if (flags & X_OK)
desired |= FILE_EXECUTE;
- if (!get_file_sd (pc.handle (), pc, sd, false))
+
+ NTSTATUS status;
+ if (!effective && cygheap->user.issetuid ())
+ {
+ /* Strip impersonation token temporarily */
+ HANDLE tok = NO_IMPERSONATION;
+ status = NtSetInformationThread (GetCurrentThread (),
+ ThreadImpersonationToken,
+ &tok, sizeof (tok));
+ if (!NT_SUCCESS (status))
+ {
+ debug_printf("NtSetInformationThread() for stripping "
+ "impersonation token failed: %y", status);
+ __seterrno_from_nt_status (status);
+ return ret;
+ }
+ }
+ OBJECT_ATTRIBUTES attr;
+ pc.get_object_attr (attr, sec_none_nih);
+ IO_STATUS_BLOCK io;
+ HANDLE h;
+ status = NtOpenFile (&h, desired, &attr, &io, FILE_SHARE_VALID_FLAGS,
+ FILE_OPEN_FOR_BACKUP_INTENT);
+ if (NT_SUCCESS (status))
{
- /* Tweak Samba security descriptor as necessary. */
- if (pc.fs_is_samba ())
- convert_samba_sd (sd);
- ret = check_access (sd, file_mapping, desired, flags, effective);
+ NtClose (h);
+ ret = 0;
+ }
+ if (!effective && cygheap->user.issetuid ())
+ {
+ /* Recover impersonation token */
+ HANDLE tok = cygheap->user.imp_token () ?: hProcImpToken;
+ status = NtSetInformationThread (GetCurrentThread (),
+ ThreadImpersonationToken,
+ &tok, sizeof (tok));
+ if (!NT_SUCCESS (status))
+ debug_printf("NtSetInformationThread() for recovering "
+ "impersonation token failed: %y", status);
}
debug_printf ("flags %y, ret %d", flags, ret);
return ret;
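Review bot: when NtOpenFile fails, ret stays -1 but errno is never set, whereas the token-stripping failure path a few lines above does call __seterrno_from_nt_status (status); add the same call in an else branch of the NT_SUCCESS (status) test. In the recovery block, a failed NtSetInformationThread is only reported through debug_printf, so the function returns normally while the thread keeps running without its impersonation token; that case should be surfaced to the caller rather than logged and ignored. The hunk also drops the pc.fs_is_samba () distinction, so the open-based probe now applies to every filesystem, which the subject line "Correction for samba/SMB share" does not say.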
--
2.45.1
* Re: SMBFS mount's file cannot be made executable
2024-11-19 8:58 ` Takashi Yano
@ 2024-11-19 20:54 ` Corinna Vinschen
2024-12-07 23:13 ` Takashi Yano
0 siblings, 1 reply; 69+ messages in thread
From: Corinna Vinschen @ 2024-11-19 20:54 UTC (permalink / raw)
To: cygwin
On Nov 19 17:58, Takashi Yano via Cygwin wrote:
> On Mon, 18 Nov 2024 17:26:12 +0100
> Corinna Vinschen wrote:
> > We can safely assume that the current user is already authorized on the
> > SMB server. So... shouldn't AuthzInitializeResourceManager be
> > sufficient and the code from class authz_ctx already does what we want?
> > We may just have to use it in place of calling NtCheckAccess(),
> > maybe with a tweak or two...
>
> I already tried AuthzInitializeResourceManager(), but the result
> was the same with current implementation...
So you tried to call authz_get_user_attribute()?
> BTW, I came up with another implementation. This makes things
> much simpler. What do you think of the patch attached?
> [...]
> int
> check_file_access (path_conv &pc, int flags, bool effective)
> {
> @@ -711,10 +618,14 @@ check_file_access (path_conv &pc, int flags, bool effective)
> desired |= FILE_EXECUTE;
> if (!get_file_sd (pc.handle (), pc, sd, false))
> {
> - /* Tweak Samba security descriptor as necessary. */
> - if (pc.fs_is_samba ())
> - convert_samba_sd (sd);
> - ret = check_access (sd, file_mapping, desired, flags, effective);
> + HANDLE h = CreateFileW (pc.get_nt_native_path ()->Buffer, desired,
> + 0, NULL, OPEN_EXISTING,
> + FILE_FLAG_BACKUP_SEMANTICS, NULL);
> + if (h != INVALID_HANDLE_VALUE)
> + {
> + CloseHandle (h);
> + ret = 0;
> + }
> }
> debug_printf ("flags %y, ret %d", flags, ret);
> return ret;
No, we can't do that, it's too simple.
Just kidding.
This is so simple, I'm puzzled we never tried that before. Or, if we
did, it's a loooong time ago...
If we really do this, we don't even need to call get_file_sd(). And it
should use NtOpenFile and reopen semantics i.e. pc.init_reopen_attr().
Also, the sharing flags should allow all access. And the `effective'
argument needs to be taken into account.
I wonder what side effects this has, but I can't think of any...
And I don't see any way around that, actually. {Nt}AccessCheck
as well as AuthzAccessCheck(*) use a token/sid context and compare
that against a security descriptor. Both don't care where the
SD is coming from, so the fact that this is coming from an
authenticated connection to a remote SMB server is just lost on them.
There's no simple CheckFileAccess function in the Windows API I'm
aware of :(
Thanks,
Corinna
(*) I wonder if AuthzAccessCheck isn't implemented using NtAccessCheck
under the hood...
* Re: SMBFS mount's file cannot be made executable
2024-11-18 16:26 ` Corinna Vinschen
@ 2024-11-19 8:58 ` Takashi Yano
2024-11-19 20:54 ` Corinna Vinschen
0 siblings, 1 reply; 69+ messages in thread
From: Takashi Yano @ 2024-11-19 8:58 UTC (permalink / raw)
To: cygwin
[-- Attachment #1: Type: text/plain, Size: 2699 bytes --]
On Mon, 18 Nov 2024 17:26:12 +0100
Corinna Vinschen wrote:
> On Nov 16 00:21, Takashi Yano via Cygwin wrote:
> > I built a test program, whose important part is:
> >
> > AUTHZ_RESOURCE_MANAGER_HANDLE hManager = NULL;
> > AUTHZ_CLIENT_CONTEXT_HANDLE hClient = NULL;
> > AUTHZ_ACCESS_REQUEST AccessRequest = {0};
> > AUTHZ_ACCESS_REPLY AccessReply = {0};
> >
> > AUTHZ_RPC_INIT_INFO_CLIENT authzRpcInitInfoClient = {0};
> >
> > WCHAR ObjectUuid[] = L"9a81c2bd-a525-471d-a4ed-49907c0b23da";
> > WCHAR ProtSeq[] = L"ncacn_ip_tcp";
> > WCHAR NetworkAddr[] = L"localhost";
> > WCHAR Endpoint[] = L"135";
> >
> > authzRpcInitInfoClient.version = AUTHZ_INIT_INFO_VERSION_V1;
> > authzRpcInitInfoClient.ObjectUuid = ObjectUuid;
> > authzRpcInitInfoClient.ProtSeq = ProtSeq;
> > authzRpcInitInfoClient.NetworkAddr = NetworkAddr;
> > authzRpcInitInfoClient.Endpoint = Endpoint;
> >
> > AuthzInitializeRemoteResourceManager (&authzRpcInitInfoClient, &hManager);
> >
> > char buf[1024];
> > PTOKEN_USER pTokenUser = (PTOKEN_USER) buf;
> > DWORD len;
> >
> > GetTokenInformation(hToken, TokenUser, pTokenUser, 1024, &len);
> >
> > LUID luid = {0,};
> > AuthzInitializeContextFromSid(0, pTokenUser->User.Sid, hManager,
> > NULL, luid, NULL, &hClient);
> >
> >
> > This test code fails at AuthzInitializeContextFromSid() with
> > RPC_S_UNKNOWN_IF. If AuthzInitializeRemoteResourceManager()
> > is replaced with AuthzInitializeResourceManager(), the error
> > does not occur.
> >
> > I searched the combination of AuthzInitializeContextFromSid()
> > and RPC_S_UNKNOWN_IF, however nothing was found.
>
> RPC_S_UNKNOWN_IF means "unknown interface". I assume this error has
> nothing to do with AuthzInitializeContextFromSid(), but with the
> AuthzInitializeRemoteResourceManager() call.
>
> What I failed, though, is to find a working example for
> AuthzInitializeRemoteResourceManager().
>
> > Any suggestion would be appreciated.
>
> As I said in my previous posting, maybe we don't really need
> AuthzInitializeRemoteResourceManager().
>
> We can safely assume that the current user is already authorized on the
> SMB server. So... shouldn't AuthzInitializeResourceManager be
> sufficient and the code from class authz_ctx already does what we want?
> We may just have to use it in place of calling NtCheckAccess(),
> maybe with a tweak or two...
I already tried AuthzInitializeResourceManager(), but the result
was the same with current implementation...
BTW, I came up with another implementation. This makes things
much simpler. What do you think of the patch attached?
--
Takashi Yano <takashi.yano@nifty.ne.jp>
[-- Attachment #2: smb.patch --]
[-- Type: text/plain, Size: 4312 bytes --]
diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
index d5e39d281..c460fecc4 100644
--- a/winsup/cygwin/sec/base.cc
+++ b/winsup/cygwin/sec/base.cc
@@ -28,10 +28,6 @@ details. */
| GROUP_SECURITY_INFORMATION \
| OWNER_SECURITY_INFORMATION)
-static GENERIC_MAPPING NO_COPY_RO file_mapping = { FILE_GENERIC_READ,
- FILE_GENERIC_WRITE,
- FILE_GENERIC_EXECUTE,
- FILE_ALL_ACCESS };
LONG
get_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd,
bool justcreated)
@@ -608,95 +604,6 @@ check_access (security_descriptor &sd, GENERIC_MAPPING &mapping,
return ret;
}
-/* Samba override. Check security descriptor for Samba UNIX user and group
- accounts and check if we have an RFC 2307 mapping to a Windows account.
- Create a new security descriptor with all of the UNIX accounts with
- valid mapping replaced with their Windows counterpart. */
-static void
-convert_samba_sd (security_descriptor &sd_ret)
-{
- NTSTATUS status;
- BOOLEAN dummy;
- PSID sid;
- cygsid owner;
- cygsid group;
- SECURITY_DESCRIPTOR sd;
- cyg_ldap cldap;
- tmp_pathbuf tp;
- PACL acl, oacl;
- size_t acl_len;
- PACCESS_ALLOWED_ACE ace;
-
- if (!NT_SUCCESS (RtlGetOwnerSecurityDescriptor (sd_ret, &sid, &dummy)))
- return;
- owner = sid;
- if (!NT_SUCCESS (RtlGetGroupSecurityDescriptor (sd_ret, &sid, &dummy)))
- return;
- group = sid;
-
- if (sid_id_auth (owner) == 22)
- {
- struct passwd *pwd;
- uid_t uid = owner.get_uid (&cldap);
- if (uid < UNIX_POSIX_OFFSET && (pwd = internal_getpwuid (uid)))
- owner.getfrompw (pwd);
- }
- if (sid_id_auth (group) == 22)
- {
- struct group *grp;
- gid_t gid = group.get_gid (&cldap);
- if (gid < UNIX_POSIX_OFFSET && (grp = internal_getgrgid (gid)))
- group.getfromgr (grp);
- }
-
- if (!NT_SUCCESS (RtlGetDaclSecurityDescriptor (sd_ret, &dummy,
- &oacl, &dummy)))
- return;
- acl = (PACL) tp.w_get ();
- RtlCreateAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION);
- acl_len = sizeof (ACL);
-
- for (DWORD i = 0; i < oacl->AceCount; ++i)
- if (NT_SUCCESS (RtlGetAce (oacl, i, (PVOID *) &ace)))
- {
- cygsid ace_sid ((PSID) &ace->SidStart);
- if (sid_id_auth (ace_sid) == 22)
- {
- if (sid_sub_auth (ace_sid, 0) == 1) /* user */
- {
- struct passwd *pwd;
- uid_t uid = ace_sid.get_uid (&cldap);
- if (uid < UNIX_POSIX_OFFSET && (pwd = internal_getpwuid (uid)))
- ace_sid.getfrompw (pwd);
- }
- else if (sid_sub_auth (ace_sid, 0) == 2) /* group */
- {
- struct group *grp;
- gid_t gid = ace_sid.get_gid (&cldap);
- if (gid < UNIX_POSIX_OFFSET && (grp = internal_getgrgid (gid)))
- ace_sid.getfromgr (grp);
- }
- }
- if (!add_access_allowed_ace (acl, ace->Mask, ace_sid, acl_len,
- ace->Header.AceFlags))
- return;
- }
- acl->AclSize = acl_len;
-
- RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
- RtlSetControlSecurityDescriptor (&sd, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
- RtlSetOwnerSecurityDescriptor (&sd, owner, FALSE);
- RtlSetGroupSecurityDescriptor (&sd, group, FALSE);
-
- status = RtlSetDaclSecurityDescriptor (&sd, TRUE, acl, FALSE);
- if (!NT_SUCCESS (status))
- return;
- DWORD sd_size = 0;
- status = RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
- if (sd_size > 0 && sd_ret.malloc (sd_size))
- RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
-}
-
int
check_file_access (path_conv &pc, int flags, bool effective)
{
@@ -711,10 +618,14 @@ check_file_access (path_conv &pc, int flags, bool effective)
desired |= FILE_EXECUTE;
if (!get_file_sd (pc.handle (), pc, sd, false))
{
- /* Tweak Samba security descriptor as necessary. */
- if (pc.fs_is_samba ())
- convert_samba_sd (sd);
- ret = check_access (sd, file_mapping, desired, flags, effective);
+ HANDLE h = CreateFileW (pc.get_nt_native_path ()->Buffer, desired,
+ 0, NULL, OPEN_EXISTING,
+ FILE_FLAG_BACKUP_SEMANTICS, NULL);
+ if (h != INVALID_HANDLE_VALUE)
+ {
+ CloseHandle (h);
+ ret = 0;
+ }
}
debug_printf ("flags %y, ret %d", flags, ret);
return ret;
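Review bot: the third argument to CreateFileW is 0, meaning no sharing, so the probe fails with a sharing violation whenever another handle to the file is already open and access() then returns -1 for a file the user may well be allowed to use; pass FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE. The open is still nested under get_file_sd (), whose descriptor is no longer used for anything, so the check keeps failing when the security descriptor cannot be read. The effective argument is ignored on this path, and the failure branch leaves ret at -1 without setting errno.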
* Re: SMBFS mount's file cannot be made executable
2024-11-15 15:21 ` Takashi Yano
@ 2024-11-18 16:26 ` Corinna Vinschen
2024-11-19 8:58 ` Takashi Yano
0 siblings, 1 reply; 69+ messages in thread
From: Corinna Vinschen @ 2024-11-18 16:26 UTC (permalink / raw)
To: cygwin
On Nov 16 00:21, Takashi Yano via Cygwin wrote:
> I built a test program, whose important part is:
>
> AUTHZ_RESOURCE_MANAGER_HANDLE hManager = NULL;
> AUTHZ_CLIENT_CONTEXT_HANDLE hClient = NULL;
> AUTHZ_ACCESS_REQUEST AccessRequest = {0};
> AUTHZ_ACCESS_REPLY AccessReply = {0};
>
> AUTHZ_RPC_INIT_INFO_CLIENT authzRpcInitInfoClient = {0};
>
> WCHAR ObjectUuid[] = L"9a81c2bd-a525-471d-a4ed-49907c0b23da";
> WCHAR ProtSeq[] = L"ncacn_ip_tcp";
> WCHAR NetworkAddr[] = L"localhost";
> WCHAR Endpoint[] = L"135";
>
> authzRpcInitInfoClient.version = AUTHZ_INIT_INFO_VERSION_V1;
> authzRpcInitInfoClient.ObjectUuid = ObjectUuid;
> authzRpcInitInfoClient.ProtSeq = ProtSeq;
> authzRpcInitInfoClient.NetworkAddr = NetworkAddr;
> authzRpcInitInfoClient.Endpoint = Endpoint;
>
> AuthzInitializeRemoteResourceManager (&authzRpcInitInfoClient, &hManager);
>
> char buf[1024];
> PTOKEN_USER pTokenUser = (PTOKEN_USER) buf;
> DWORD len;
>
> GetTokenInformation(hToken, TokenUser, pTokenUser, 1024, &len);
>
> LUID luid = {0,};
> AuthzInitializeContextFromSid(0, pTokenUser->User.Sid, hManager,
> NULL, luid, NULL, &hClient);
>
>
> This test code fails at AuthzInitializeContextFromSid() with
> RPC_S_UNKNOWN_IF. If AuthzInitializeRemoteResourceManager()
> is replaced with AuthzInitializeResourceManager(), the error
> does not occur.
>
> I searched the combination of AuthzInitializeContextFromSid()
> and RPC_S_UNKNOWN_IF, however nothing was found.
RPC_S_UNKNOWN_IF means "unknown interface". I assume this error has
nothing to do with AuthzInitializeContextFromSid(), but with the
AuthzInitializeRemoteResourceManager() call.
What I failed, though, is to find a working example for
AuthzInitializeRemoteResourceManager().
> Any suggestion would be appreciated.
As I said in my previous posting, maybe we don't really need
AuthzInitializeRemoteResourceManager().
We can safely assume that the current user is already authorized on the
SMB server. So... shouldn't AuthzInitializeResourceManager be
sufficient and the code from class authz_ctx already does what we want?
We may just have to use it in place of calling NtCheckAccess(),
maybe with a tweak or two...
Corinna
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-13 16:08 ` Takashi Yano
@ 2024-11-15 15:21 ` Takashi Yano
2024-11-18 16:26 ` Corinna Vinschen
0 siblings, 1 reply; 69+ messages in thread
From: Takashi Yano @ 2024-11-15 15:21 UTC (permalink / raw)
To: cygwin
On Thu, 14 Nov 2024 01:08:07 +0900
Takashi Yano wrote:
> On Wed, 13 Nov 2024 08:58:21 -0700
> Bill Stewart wrote:
> > On Wed, Nov 13, 2024 at 8:38 AM Takashi Yano via Cygwin wrote:
> >
> > > Thanks. However, even after reading the document, I still didn't
> > > understand what strings I should set the members for auth for SMB...
> > >
> > > For example, as for Endpoint, the example for ncacn_np is mentioned,
> > > but not for ncacn_ip_tcp.
> > >
> >
> > Perhaps this might help?
> >
> > https://learn.microsoft.com/en-us/windows/win32/rpc/string-binding
>
> Thanks! I have not read it yet; however, it seems to help a lot.
I built a test program, whose important part is:

  AUTHZ_RESOURCE_MANAGER_HANDLE hManager = NULL;
  AUTHZ_CLIENT_CONTEXT_HANDLE hClient = NULL;
  AUTHZ_ACCESS_REQUEST AccessRequest = {0};
  AUTHZ_ACCESS_REPLY AccessReply = {0};

  AUTHZ_RPC_INIT_INFO_CLIENT authzRpcInitInfoClient = {0};

  WCHAR ObjectUuid[] = L"9a81c2bd-a525-471d-a4ed-49907c0b23da";
  WCHAR ProtSeq[] = L"ncacn_ip_tcp";
  WCHAR NetworkAddr[] = L"localhost";
  WCHAR Endpoint[] = L"135";

  authzRpcInitInfoClient.version = AUTHZ_INIT_INFO_VERSION_V1;
  authzRpcInitInfoClient.ObjectUuid = ObjectUuid;
  authzRpcInitInfoClient.ProtSeq = ProtSeq;
  authzRpcInitInfoClient.NetworkAddr = NetworkAddr;
  authzRpcInitInfoClient.Endpoint = Endpoint;

  AuthzInitializeRemoteResourceManager (&authzRpcInitInfoClient, &hManager);

  char buf[1024];
  PTOKEN_USER pTokenUser = (PTOKEN_USER) buf;
  DWORD len;

  GetTokenInformation(hToken, TokenUser, pTokenUser, 1024, &len);

  LUID luid = {0,};
  AuthzInitializeContextFromSid(0, pTokenUser->User.Sid, hManager,
                                NULL, luid, NULL, &hClient);

This test code fails at AuthzInitializeContextFromSid() with
RPC_S_UNKNOWN_IF. If AuthzInitializeRemoteResourceManager()
is replaced with AuthzInitializeResourceManager(), the error
does not occur.

I searched the combination of AuthzInitializeContextFromSid()
and RPC_S_UNKNOWN_IF, however nothing was found.

Any suggestion would be appreciated.
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-13 15:58 ` Bill Stewart
@ 2024-11-13 16:08 ` Takashi Yano
2024-11-15 15:21 ` Takashi Yano
0 siblings, 1 reply; 69+ messages in thread
From: Takashi Yano @ 2024-11-13 16:08 UTC (permalink / raw)
To: cygwin
On Wed, 13 Nov 2024 08:58:21 -0700
Bill Stewart wrote:
> On Wed, Nov 13, 2024 at 8:38 AM Takashi Yano via Cygwin wrote:
>
> > Thanks. However, even after reading the document, I still didn't
> > understand what strings I should set the members for auth for SMB...
> >
> > For example, as for Endpoint, the example for ncacn_np is mentioned,
> > but not for ncacn_ip_tcp.
> >
>
> Perhaps this might help?
>
> https://learn.microsoft.com/en-us/windows/win32/rpc/string-binding
Thanks! I have not read it yet; however, it seems to help a lot.
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-13 15:37 ` Takashi Yano
@ 2024-11-13 15:58 ` Bill Stewart
2024-11-13 16:08 ` Takashi Yano
0 siblings, 1 reply; 69+ messages in thread
From: Bill Stewart @ 2024-11-13 15:58 UTC (permalink / raw)
To: cygwin
On Wed, Nov 13, 2024 at 8:38 AM Takashi Yano via Cygwin wrote:
> Thanks. However, even after reading the document, I still didn't
> understand what strings I should set the members for auth for SMB...
>
> For example, as for Endpoint, the example for ncacn_np is mentioned,
> but not for ncacn_ip_tcp.
>
Perhaps this might help?
https://learn.microsoft.com/en-us/windows/win32/rpc/string-binding
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-13 15:10 ` Bill Stewart
@ 2024-11-13 15:37 ` Takashi Yano
2024-11-13 15:58 ` Bill Stewart
0 siblings, 1 reply; 69+ messages in thread
From: Takashi Yano @ 2024-11-13 15:37 UTC (permalink / raw)
To: cygwin
On Wed, 13 Nov 2024 08:10:52 -0700
Bill Stewart wrote:
> On Wed, Nov 13, 2024 at 2:18 AM Takashi Yano via Cygwin wrote:
>
> > I'm working on this, however, I stuck on setting the first parameter
> > of AuthzInitializeRemoteResourceManager(). The most members of structure
> > AUTHZ_RPC_INIT_INFO_CLIENT are PWSTR, and I have no idea what kind of
> > string should be set to each member. Especially Endpoint and ServerSpn.
> >
> > typedef struct _AUTHZ_RPC_INIT_INFO_CLIENT {
> > USHORT version;
> > PWSTR ObjectUuid;
> > PWSTR ProtSeq;
> > PWSTR NetworkAddr;
> > PWSTR Endpoint;
> > PWSTR Options;
> > PWSTR ServerSpn;
> > } AUTHZ_RPC_INIT_INFO_CLIENT, *PAUTHZ_RPC_INIT_INFO_CLIENT;
> >
> > Do you have any idea?
> >
>
> Does this help?
>
> https://learn.microsoft.com/en-us/windows/win32/api/authz/ns-authz-authz_rpc_init_info_client
Thanks. However, even after reading the document, I still didn't
understand what strings I should set the members for auth for SMB...
For example, as for Endpoint, the example for ncacn_np is mentioned,
but not for ncacn_ip_tcp.
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-13 9:17 ` Takashi Yano
@ 2024-11-13 15:10 ` Bill Stewart
2024-11-13 15:37 ` Takashi Yano
0 siblings, 1 reply; 69+ messages in thread
From: Bill Stewart @ 2024-11-13 15:10 UTC (permalink / raw)
To: cygwin
On Wed, Nov 13, 2024 at 2:18 AM Takashi Yano via Cygwin wrote:
> I'm working on this, however, I stuck on setting the first parameter
> of AuthzInitializeRemoteResourceManager(). The most members of structure
> AUTHZ_RPC_INIT_INFO_CLIENT are PWSTR, and I have no idea what kind of
> string should be set to each member. Especially Endpoint and ServerSpn.
>
> typedef struct _AUTHZ_RPC_INIT_INFO_CLIENT {
> USHORT version;
> PWSTR ObjectUuid;
> PWSTR ProtSeq;
> PWSTR NetworkAddr;
> PWSTR Endpoint;
> PWSTR Options;
> PWSTR ServerSpn;
> } AUTHZ_RPC_INIT_INFO_CLIENT, *PAUTHZ_RPC_INIT_INFO_CLIENT;
>
> Do you have any idea?
>
Does this help?
https://learn.microsoft.com/en-us/windows/win32/api/authz/ns-authz-authz_rpc_init_info_client
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-12 11:56 ` Corinna Vinschen
@ 2024-11-13 9:17 ` Takashi Yano
2024-11-13 15:10 ` Bill Stewart
0 siblings, 1 reply; 69+ messages in thread
From: Takashi Yano @ 2024-11-13 9:17 UTC (permalink / raw)
To: cygwin
Hi Corinna,
On Tue, 12 Nov 2024 12:56:15 +0100
Corinna Vinschen wrote:
> On Nov 12 17:54, Takashi Yano via Cygwin wrote:
> > I noticed that the problem is not only in samba share, but
> > also in Windows share.
> >
> > Yesterday, I used shared resource of the root directory.
> > In that case, access right of Authenticated Users was enabled.
> > However, when I tried resource under the user folder, the access
> > right of Authenticated Users is not assigned as follows.
> >
> > $ icacls '\\kappy3\Share\smb_shared_file.txt'
> > \\kappy3\Share\smb_shared_file.txt NULL SID:(DENY)(Rc,S,X,DC)
> > S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
> > NT AUTHORITY\SYSTEM:(DENY)(S,X)
> > BUILTIN\Administrators:(DENY)(S,X)
> > S-1-5-21-2089672436-4097686843-2104605006-513:(R)
> > NT AUTHORITY\SYSTEM:(RX,W)
> > BUILTIN\Administrators:(RX,W)
> > Everyone:(R)
> >
> > Successfully processed 1 files; Failed processing 0 files
> >
> > $ ls -l //kappy3/Share/smb_shared_file.txt
> > -rw-r--r--+ 1 Unknown+User Unknown+Group 0 11月 12 15:50 //kappy3/Share/smb_shared_file.txt
> >
> > $ /cygdrive/c/Windows/system32/whoami /USER
> >
> > USER INFORMATION
> > ----------------
> >
> > User Name SID
> > ============ ==============================================
> > hp-z230\yano S-1-5-21-1515853178-1880514851-1804962447-1001
> >
> >
> > The file server is not in AD and uses offline account in Windows 11
> > (means no Microsoft Account). The client also uses offline account
> > in Windows 10 too.
> > The server and the client use the same user name and password, so
> > authentication is automatically done.
>
> It's not *that* automatic. Your user SIDs are still different on
> all standalone machines, so they are still different accounts, SID-wise.
>
> > In this case, access() of the current cygwin wrongly refers to the
> > permissions for 'others'.
> >
> > I wonder why the NtAccessCheck() can not handle this situation
> > correctly.
>
> I really can't tell you, but there's
> https://learn.microsoft.com/en-us/windows/win32/secauthz/how-dacls-control-access-to-an-object
> So, apparently, NtAccessCheck only checks the DACL against the
> SID list in the user token. In the above case, the ACL does not
> contain your user account, nor one of the groups you're a member
> of. So your account's access is the one for the Everyone entry.
>
> > The process token does not have the privilege of the
> > SIDs in the server side even though the authentication has been
> > done by 'net use' command?
>
> This is one of the things puzzling me for a while. As soon as you
> authenticate to some standalone server for SMB, your access token should
> additionally contain the SID of the server account you authenticated as,
> at least for file access. But that's not the case.
>
> I just stumbled over
> https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/access-checks-windows-apis-return-incorrect-results
>
> It seems to suggest to use AuthZ in a certain way to check permissions.
> Maybe we can replace NtAccessCheck with AuthZ? If we're lucky, we might
> even get away with the already existing code in the authz_ctx class
> defined in sec/helper.cc. If not, we may have to add another function
> method calling AuthzInitializeRemoteResourceManager instead of
> AuthzInitializeResourceManager.
>
> Care to hack up a test?
I'm working on this; however, I'm stuck on setting the first parameter
of AuthzInitializeRemoteResourceManager(). Most members of the structure
AUTHZ_RPC_INIT_INFO_CLIENT are PWSTR, and I have no idea what kind of
string should be set to each member. Especially Endpoint and ServerSpn.

typedef struct _AUTHZ_RPC_INIT_INFO_CLIENT {
  USHORT version;
  PWSTR ObjectUuid;
  PWSTR ProtSeq;
  PWSTR NetworkAddr;
  PWSTR Endpoint;
  PWSTR Options;
  PWSTR ServerSpn;
} AUTHZ_RPC_INIT_INFO_CLIENT, *PAUTHZ_RPC_INIT_INFO_CLIENT;

Do you have any idea?
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-12 8:54 ` Takashi Yano
@ 2024-11-12 11:56 ` Corinna Vinschen
2024-11-13 9:17 ` Takashi Yano
0 siblings, 1 reply; 69+ messages in thread
From: Corinna Vinschen @ 2024-11-12 11:56 UTC (permalink / raw)
To: cygwin
On Nov 12 17:54, Takashi Yano via Cygwin wrote:
> I noticed that the problem is not only in samba share, but
> also in Windows share.
>
> Yesterday, I used shared resource of the root directory.
> In that case, access right of Authenticated Users was enabled.
> However, when I tried resource under the user folder, the access
> right of Authenticated Users is not assigned as follows.
>
> $ icacls '\\kappy3\Share\smb_shared_file.txt'
> \\kappy3\Share\smb_shared_file.txt NULL SID:(DENY)(Rc,S,X,DC)
> S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
> NT AUTHORITY\SYSTEM:(DENY)(S,X)
> BUILTIN\Administrators:(DENY)(S,X)
> S-1-5-21-2089672436-4097686843-2104605006-513:(R)
> NT AUTHORITY\SYSTEM:(RX,W)
> BUILTIN\Administrators:(RX,W)
> Everyone:(R)
>
> Successfully processed 1 files; Failed processing 0 files
>
> $ ls -l //kappy3/Share/smb_shared_file.txt
> -rw-r--r--+ 1 Unknown+User Unknown+Group 0 11月 12 15:50 //kappy3/Share/smb_shared_file.txt
>
> $ /cygdrive/c/Windows/system32/whoami /USER
>
> USER INFORMATION
> ----------------
>
> User Name SID
> ============ ==============================================
> hp-z230\yano S-1-5-21-1515853178-1880514851-1804962447-1001
>
>
> The file server is not in AD and uses offline account in Windows 11
> (means no Microsoft Account). The client also uses offline account
> in Windows 10 too.
> The server and the client use the same user name and password, so
> authentication is automatically done.
It's not *that* automatic. Your user SIDs are still different on
all standalone machines, so they are still different accounts, SID-wise.
> In this case, access() of the current cygwin wrongly refers to the
> permissions for 'others'.
>
> I wonder why the NtAccessCheck() can not handle this situation
> correctly.
I really can't tell you, but there's
https://learn.microsoft.com/en-us/windows/win32/secauthz/how-dacls-control-access-to-an-object
So, apparently, NtAccessCheck only checks the DACL against the
SID list in the user token. In the above case, the ACL does not
contain your user account, nor one of the groups you're a member
of. So your account's access is the one for the Everyone entry.
> The process token does not have the privilege of the
> SIDs in the server side even though the authentication has been
> done by 'net use' command?
This is one of the things puzzling me for a while. As soon as you
authenticate to some standalone server for SMB, your access token should
additionally contain the SID of the server account you authenticated as,
at least for file access. But that's not the case.
I just stumbled over
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/access-checks-windows-apis-return-incorrect-results
It seems to suggest to use AuthZ in a certain way to check permissions.
Maybe we can replace NtAccessCheck with AuthZ? If we're lucky, we might
even get away with the already existing code in the authz_ctx class
defined in sec/helper.cc. If not, we may have to add another function
method calling AuthzInitializeRemoteResourceManager instead of
AuthzInitializeResourceManager.
Care to hack up a test?
Corinna
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 19:29 ` Takashi Yano
2024-11-11 19:29 ` Takashi Yano via Cygwin
2024-11-12 8:54 ` Takashi Yano
@ 2024-11-12 11:31 ` Corinna Vinschen
2 siblings, 0 replies; 69+ messages in thread
From: Corinna Vinschen @ 2024-11-12 11:31 UTC (permalink / raw)
To: cygwin
On Nov 12 04:29, Takashi Yano via Cygwin wrote:
> On Mon, 11 Nov 2024 14:35:55 +0100
> Corinna Vinschen wrote:
> > On Nov 11 21:19, Takashi Yano via Cygwin wrote:
> > > On Mon, 11 Nov 2024 13:03:18 +0100
> > > Corinna Vinschen wrote:
> > > > On Nov 11 20:40, Takashi Yano via Cygwin wrote:
> > > > > On Mon, 11 Nov 2024 20:32:02 +0900
> > > > > Takashi Yano via Cygwin <cygwin@cygwin.com> wrote:
> > > > > > Even with this patch, the file:
> > > > > >
> > > > > > yano $ touch samba_test_file.txt
> > > > > > yano $ ls -l samba_test_files.txt
> > > > > > -rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt
> > > > >
> > > > > Oops! This was wrong.
> > > > > -rw-r--r-- 1 Unknown+User Unix_Group+1000 0 Nov 11 20:25 samba_test_file.txt
> > > >
> > > > That's Samba for you. I applied your patch and created a file
> > > > on my share, and the Authenticated Users group was not in the
> > > > resulting ACL. Only user, group, and Everyone.
> > > >
> > > > Either way, I don't think this is the right thing to do. Even if
> > > > the group isn't added to the ACL on my machine, it still loks like
> > > > a security problem in waiting.
> > >
> > > Isn't this DACL here used only for access_check() (NtAccessCheck())?
> > > In my environment, the Authenticated Users does not appear in the ACL
> > > too.
> >
> > Oh, yeah, right, *blush*.
> >
> > But it's still not the right thing to do. You convert the Samba ACL
> > to a Windows ACL which gives Authenticated Users full permissions.
> > So the check_access() function will return false positives, because
> > every authenticated user is in the Authenticated Users group and has
> > supposedly FILE_ALL_ACCESS. Even if the actual function (read, write,
> > execute) will fail, the access() function will claim that every
> > authenticated user has RWX perms.
>
> Ah, right. I have just confirmed that behaviour...
>
> > AFAICS, the underlying problem is somehow the user mapping. Did you
> > try with username map = /foo/bar?
>
> Yes. However, my user name is 'yano' both in server (Linux) and
> client (Windows 10) side. So, I think there is no effect of
> 'username map'.
I have something like corinna = MY_DOMAIN\corinna in there.
Corinna
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 19:29 ` Takashi Yano
2024-11-11 19:29 ` Takashi Yano via Cygwin
@ 2024-11-12 8:54 ` Takashi Yano
2024-11-12 11:56 ` Corinna Vinschen
2024-11-12 11:31 ` Corinna Vinschen
2 siblings, 1 reply; 69+ messages in thread
From: Takashi Yano @ 2024-11-12 8:54 UTC (permalink / raw)
To: cygwin
On Tue, 12 Nov 2024 04:29:37 +0900
Takashi Yano wrote:
> On Mon, 11 Nov 2024 14:35:55 +0100
> Corinna Vinschen wrote:
> > On Nov 11 21:19, Takashi Yano via Cygwin wrote:
> > > On Mon, 11 Nov 2024 13:03:18 +0100
> > > Corinna Vinschen wrote:
> > > > On Nov 11 20:40, Takashi Yano via Cygwin wrote:
> > > > > On Mon, 11 Nov 2024 20:32:02 +0900
> > > > > Takashi Yano via Cygwin <cygwin@cygwin.com> wrote:
> > > > > > Even with this patch, the file:
> > > > > >
> > > > > > yano $ touch samba_test_file.txt
> > > > > > yano $ ls -l samba_test_files.txt
> > > > > > -rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt
> > > > >
> > > > > Oops! This was wrong.
> > > > > -rw-r--r-- 1 Unknown+User Unix_Group+1000 0 Nov 11 20:25 samba_test_file.txt
> > > >
> > > > That's Samba for you. I applied your patch and created a file
> > > > on my share, and the Authenticated Users group was not in the
> > > > resulting ACL. Only user, group, and Everyone.
> > > >
> > > > Either way, I don't think this is the right thing to do. Even if
> > > > the group isn't added to the ACL on my machine, it still loks like
> > > > a security problem in waiting.
> > >
> > > Isn't this DACL here used only for access_check() (NtAccessCheck())?
> > > In my environment, the Authenticated Users does not appear in the ACL
> > > too.
> >
> > Oh, yeah, right, *blush*.
> >
> > But it's still not the right thing to do. You convert the Samba ACL
> > to a Windows ACL which gives Authenticated Users full permissions.
> > So the check_access() function will return false positives, because
> > every authenticated user is in the Authenticated Users group and has
> > supposedly FILE_ALL_ACCESS. Even if the actual function (read, write,
> > execute) will fail, the access() function will claim that every
> > authenticated user has RWX perms.
>
> Ah, right. I have just confirmed that behaviour...
>
> > AFAICS, the underlying problem is somehow the user mapping. Did you
> > try with username map = /foo/bar?
>
> Yes. However, my user name is 'yano' both in server (Linux) and
> client (Windows 10) side. So, I think there is no effect of
> 'username map'.
I noticed that the problem is not only in samba share, but
also in Windows share.

Yesterday, I used shared resource of the root directory.
In that case, access right of Authenticated Users was enabled.
However, when I tried resource under the user folder, the access
right of Authenticated Users is not assigned as follows.

$ icacls '\\kappy3\Share\smb_shared_file.txt'
\\kappy3\Share\smb_shared_file.txt NULL SID:(DENY)(Rc,S,X,DC)
                                   S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
                                   NT AUTHORITY\SYSTEM:(DENY)(S,X)
                                   BUILTIN\Administrators:(DENY)(S,X)
                                   S-1-5-21-2089672436-4097686843-2104605006-513:(R)
                                   NT AUTHORITY\SYSTEM:(RX,W)
                                   BUILTIN\Administrators:(RX,W)
                                   Everyone:(R)

Successfully processed 1 files; Failed processing 0 files

$ ls -l //kappy3/Share/smb_shared_file.txt
-rw-r--r--+ 1 Unknown+User Unknown+Group 0 11月 12 15:50 //kappy3/Share/smb_shared_file.txt

$ /cygdrive/c/Windows/system32/whoami /USER

USER INFORMATION
----------------

User Name    SID
============ ==============================================
hp-z230\yano S-1-5-21-1515853178-1880514851-1804962447-1001

The file server is not in AD and uses offline account in Windows 11
(means no Microsoft Account). The client also uses offline account
in Windows 10 too.
The server and the client use the same user name and password, so
authentication is automatically done.

In this case, access() of the current cygwin wrongly refers to the
permissions for 'others'.

I wonder why the NtAccessCheck() can not handle this situation
correctly. The process token does not have the privilege of the
SIDs in the server side even though the authentication has been
done by 'net use' command?
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 13:35 ` Corinna Vinschen
2024-11-11 13:35 ` Corinna Vinschen via Cygwin
@ 2024-11-11 19:29 ` Takashi Yano
2024-11-11 19:29 ` Takashi Yano via Cygwin
` (2 more replies)
1 sibling, 3 replies; 69+ messages in thread
From: Takashi Yano @ 2024-11-11 19:29 UTC (permalink / raw)
To: cygwin
On Mon, 11 Nov 2024 14:35:55 +0100
Corinna Vinschen wrote:
> On Nov 11 21:19, Takashi Yano via Cygwin wrote:
> > On Mon, 11 Nov 2024 13:03:18 +0100
> > Corinna Vinschen wrote:
> > > On Nov 11 20:40, Takashi Yano via Cygwin wrote:
> > > > On Mon, 11 Nov 2024 20:32:02 +0900
> > > > Takashi Yano via Cygwin <cygwin@cygwin.com> wrote:
> > > > > Even with this patch, the file:
> > > > >
> > > > > yano $ touch samba_test_file.txt
> > > > > yano $ ls -l samba_test_files.txt
> > > > > -rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt
> > > >
> > > > Oops! This was wrong.
> > > > -rw-r--r-- 1 Unknown+User Unix_Group+1000 0 Nov 11 20:25 samba_test_file.txt
> > >
> > > That's Samba for you. I applied your patch and created a file
> > > on my share, and the Authenticated Users group was not in the
> > > resulting ACL. Only user, group, and Everyone.
> > >
> > > Either way, I don't think this is the right thing to do. Even if
> > > the group isn't added to the ACL on my machine, it still loks like
> > > a security problem in waiting.
> >
> > Isn't this DACL here used only for access_check() (NtAccessCheck())?
> > In my environment, the Authenticated Users does not appear in the ACL
> > too.
>
> Oh, yeah, right, *blush*.
>
> But it's still not the right thing to do. You convert the Samba ACL
> to a Windows ACL which gives Authenticated Users full permissions.
> So the check_access() function will return false positives, because
> every authenticated user is in the Authenticated Users group and has
> supposedly FILE_ALL_ACCESS. Even if the actual function (read, write,
> execute) will fail, the access() function will claim that every
> authenticated user has RWX perms.
Ah, right. I have just confirmed that behaviour...
> AFAICS, the underlying problem is somehow the user mapping. Did you
> try with username map = /foo/bar?
Yes. However, my user name is 'yano' both in server (Linux) and
client (Windows 10) side. So, I think there is no effect of
'username map'.
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 12:19 ` Takashi Yano
2024-11-11 12:19 ` Takashi Yano via Cygwin
@ 2024-11-11 13:35 ` Corinna Vinschen
2024-11-11 13:35 ` Corinna Vinschen via Cygwin
2024-11-11 19:29 ` Takashi Yano
1 sibling, 2 replies; 69+ messages in thread
From: Corinna Vinschen @ 2024-11-11 13:35 UTC (permalink / raw)
To: cygwin
On Nov 11 21:19, Takashi Yano via Cygwin wrote:
> On Mon, 11 Nov 2024 13:03:18 +0100
> Corinna Vinschen wrote:
> > On Nov 11 20:40, Takashi Yano via Cygwin wrote:
> > > On Mon, 11 Nov 2024 20:32:02 +0900
> > > Takashi Yano via Cygwin <cygwin@cygwin.com> wrote:
> > > > Even with this patch, the file:
> > > >
> > > > yano $ touch samba_test_file.txt
> > > > yano $ ls -l samba_test_files.txt
> > > > -rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt
> > >
> > > Oops! This was wrong.
> > > -rw-r--r-- 1 Unknown+User Unix_Group+1000 0 Nov 11 20:25 samba_test_file.txt
> >
> > That's Samba for you. I applied your patch and created a file
> > on my share, and the Authenticated Users group was not in the
> > resulting ACL. Only user, group, and Everyone.
> >
> > Either way, I don't think this is the right thing to do. Even if
> > the group isn't added to the ACL on my machine, it still loks like
> > a security problem in waiting.
>
> Isn't this DACL here used only for access_check() (NtAccessCheck())?
> In my environment, the Authenticated Users does not appear in the ACL
> too.
Oh, yeah, right, *blush*.
But it's still not the right thing to do. You convert the Samba ACL
to a Windows ACL which gives Authenticated Users full permissions.
So the check_access() function will return false positives, because
every authenticated user is in the Authenticated Users group and has
supposedly FILE_ALL_ACCESS. Even if the actual function (read, write,
execute) will fail, the access() function will claim that every
authenticated user has RWX perms.
AFAICS, the underlying problem is somehow the user mapping. Did you
try with username map = /foo/bar?
Corinna
^ permalink raw reply [flat|nested] 69+ messages in thread
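The access check discussed in this thread, as an added example that is not part of the original messages or of Cygwin's code: a portable C model of an ordered DACL walk that matches ACEs only against the SIDs in the caller's token, run over the share ACL and the two user SIDs quoted above. The R/W/X bits, the token group lists, and the appended Authenticated Users ACE (standing in for the rejected patch) are assumptions made for the model.

```c
#include <stdio.h>
#include <string.h>

/* Simplified rights for this model; these are NOT real Windows access masks. */
enum { P_EXEC = 1, P_WRITE = 2, P_READ = 4, P_ALL = 7 };
enum ace_type { ACE_ALLOW, ACE_DENY };

struct ace { enum ace_type type; const char *sid; unsigned mask; };
struct token { const char *const *sids; size_t nsids; };

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* SIDs copied from the icacls and whoami output in the thread. */
#define SRV_USER   "S-1-5-21-2089672436-4097686843-2104605006-1001"
#define SRV_GROUP  "S-1-5-21-2089672436-4097686843-2104605006-513"
#define CLI_USER   "S-1-5-21-1515853178-1880514851-1804962447-1001"
#define EVERYONE   "Everyone"
#define AUTH_USERS "NT AUTHORITY\\Authenticated Users"

/* DACL of \\kappy3\Share\smb_shared_file.txt, reduced to R/W/X, in icacls order. */
static const struct ace share_dacl[] = {
    { ACE_DENY,  "NULL SID",                P_EXEC },
    { ACE_ALLOW, SRV_USER,                  P_READ | P_WRITE },
    { ACE_DENY,  "NT AUTHORITY\\SYSTEM",    P_EXEC },
    { ACE_DENY,  "BUILTIN\\Administrators", P_EXEC },
    { ACE_ALLOW, SRV_GROUP,                 P_READ },
    { ACE_ALLOW, "NT AUTHORITY\\SYSTEM",    P_READ | P_WRITE | P_EXEC },
    { ACE_ALLOW, "BUILTIN\\Administrators", P_READ | P_WRITE | P_EXEC },
    { ACE_ALLOW, EVERYONE,                  P_READ },
};

/* Assumed token contents: the user SID plus well-known groups only. */
static const char *const client_sids[] = { CLI_USER, EVERYONE, AUTH_USERS };
static const char *const server_sids[] = { SRV_USER, SRV_GROUP, EVERYONE, AUTH_USERS };
static const struct token client_token = { client_sids, NELEM(client_sids) };
static const struct token server_token = { server_sids, NELEM(server_sids) };

static int token_has_sid(const struct token *t, const char *sid)
{
    for (size_t i = 0; i < t->nsids; i++)
        if (strcmp(t->sids[i], sid) == 0)
            return 1;
    return 0;
}

/* Walk the ACEs in order. An ACE counts only if its SID is in the token;
   a right that was denied earlier cannot be granted later, and vice versa. */
unsigned max_allowed(const struct ace *dacl, size_t n, const struct token *t)
{
    unsigned granted = 0, denied = 0;
    for (size_t i = 0; i < n; i++) {
        if (!token_has_sid(t, dacl[i].sid))
            continue;                       /* ACE is for somebody else */
        if (dacl[i].type == ACE_DENY)
            denied |= dacl[i].mask & ~granted;
        else
            granted |= dacl[i].mask & ~denied;
    }
    return granted;
}

int access_ok(const struct ace *dacl, size_t n, const struct token *t,
              unsigned desired)
{
    return (max_allowed(dacl, n, t) & desired) == desired;
}

/* Local check with the client's token: only the Everyone ACE matches. */
unsigned client_rights(void)
{
    return max_allowed(share_dacl, NELEM(share_dacl), &client_token);
}

/* What the server-side account is actually entitled to. */
unsigned server_rights(void)
{
    return max_allowed(share_dacl, NELEM(share_dacl), &server_token);
}

/* Same DACL plus a full-access ACE for Authenticated Users (constructed;
   its position at the end is an assumption): every local check passes. */
unsigned client_rights_patched(void)
{
    struct ace patched[NELEM(share_dacl) + 1];
    memcpy(patched, share_dacl, sizeof share_dacl);
    patched[NELEM(share_dacl)] = (struct ace){ ACE_ALLOW, AUTH_USERS, P_ALL };
    return max_allowed(patched, NELEM(patched), &client_token);
}

int main(void)
{
    printf("client token, share DACL:   %u\n", client_rights());
    printf("server account, share DACL: %u\n", server_rights());
    printf("client token, patched DACL: %u\n", client_rights_patched());
    return 0;
}
```

The first result is the fallback to the 'others' permissions, and the third is the false positive: the local check reports execute permission that the server-side account does not have.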
* Re: SMBFS mount's file cannot be made executable
2024-11-11 13:00 ` Takashi Yano
2024-11-11 13:00 ` Takashi Yano via Cygwin
@ 2024-11-11 13:18 ` Corinna Vinschen
2024-11-11 13:18 ` Corinna Vinschen via Cygwin
1 sibling, 1 reply; 69+ messages in thread
From: Corinna Vinschen @ 2024-11-11 13:18 UTC (permalink / raw)
To: cygwin
On Nov 11 22:00, Takashi Yano via Cygwin wrote:
> On Mon, 11 Nov 2024 12:59:41 +0100
> Corinna Vinschen wrote:
> > On Nov 11 20:19, Takashi Yano via Cygwin wrote:
> > > On Mon, 11 Nov 2024 11:56:13 +0100
> > > Corinna Vinschen wrote:
> > >
> > > > On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> > > > > On Fri, 8 Nov 2024 14:11:40 +0100
> > > > > Corinna Vinschen wrote:
> > > > > > If the server is a Samba share, check if `force unknown acl user = yes'
> > > > > > and for the share itself, check that
> > > > > >
> > > > > > read only = No
> > > > > > vfs objects = acl_xattr
> > > > > ^^^^^^^^^^^^^^^^^^^^^^^
> > > > > Thanks! This makes things better.
> > > > > At least x permissions are set to executable compiled by gcc.
> > > > >
> > > > > However, something is still wrong in my environment....
> > > > > Others permission seems to be referred in some cases.
> > > >
> > > > I don't understand. Please run icacls for a just created file on your
> > > > Samba share (without the below patch) as well as Windows' `whoami /all'.
> > >
> > > $ touch samba_test_file.txt
> > > $ icacls samba_test_file.txt
> > > samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO)
> > > S-1-5-21-479325430-3041864944-504445739-513:(R)
> > > Everyone:(R)
> > >
> > > This seems reasonable to me.
> > >
> > > For Windows 11 share, the result is
> > > samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
> > > S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
> >
> > On Samba S-1-5-21-479325430-3041864944-504445739-1000
> > On Windows S-1-5-21-2089672436-4097686843-2104605006-1001
> >
> > Isn't the user mapping off?
> >
> > It's also not clear where your Windows ACL comes from. When I check the
> > permissions on typical Windows folders, Authenticated Users doesn't even
> > show up.
>
> On my machine,
>
> C:\Users\yano>mkdir \test_folder
>
> C:\Users\yano>icacls \test_folder
> \test_folder BUILTIN\Administrators:(I)(OI)(CI)(F)
> NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
> BUILTIN\Users:(I)(OI)(CI)(RX)
> NT AUTHORITY\Authenticated Users:(I)(M)
> NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Those are inherited from the parent folder, i.e., C:\.
$ icacls C:\\
c:\ S-1-15-3-65536-1888954469-739942743-1668119174-2468466756-4239452838-1296943325-355587736-700089176:(S,RD,X,RA)
BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
NT AUTHORITY\Authenticated Users:(AD)
Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
Funny enough, the C:\ default ACL on servers doesn't contain entries for
Authenticated Users. The group Users is taking its place.
Corinna
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 11:59 ` Corinna Vinschen
2024-11-11 11:59 ` Corinna Vinschen via Cygwin
2024-11-11 12:25 ` Takashi Yano
@ 2024-11-11 13:00 ` Takashi Yano
2024-11-11 13:00 ` Takashi Yano via Cygwin
2024-11-11 13:18 ` Corinna Vinschen
2 siblings, 2 replies; 69+ messages in thread
From: Takashi Yano @ 2024-11-11 13:00 UTC (permalink / raw)
To: cygwin
On Mon, 11 Nov 2024 12:59:41 +0100
Corinna Vinschen wrote:
> On Nov 11 20:19, Takashi Yano via Cygwin wrote:
> > On Mon, 11 Nov 2024 11:56:13 +0100
> > Corinna Vinschen wrote:
> >
> > > On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> > > > On Fri, 8 Nov 2024 14:11:40 +0100
> > > > Corinna Vinschen wrote:
> > > > > If the server is a Samba share, check if `force unknown acl user = yes'
> > > > > and for the share itself, check that
> > > > >
> > > > > read only = No
> > > > > vfs objects = acl_xattr
> > > > ^^^^^^^^^^^^^^^^^^^^^^^
> > > > Thanks! This makes things better.
> > > > At least x permissions are set to executable compiled by gcc.
> > > >
> > > > However, something is still wrong in my environment....
> > > > Others permission seems to be referred in some cases.
> > >
> > > I don't understand. Please run icacls for a just created file on your
> > > Samba share (without the below patch) as well as Windows' `whoami /all'.
> >
> > $ touch samba_test_file.txt
> > $ icacls samba_test_file.txt
> > samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO)
> > S-1-5-21-479325430-3041864944-504445739-513:(R)
> > Everyone:(R)
> >
> > This seems reasonable to me.
> >
> > For Windows 11 share, the result is
> > samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
> > S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
>
> On Samba S-1-5-21-479325430-3041864944-504445739-1000
> On Windows S-1-5-21-2089672436-4097686843-2104605006-1001
>
> Isn't the user mapping off?
>
> It's also not clear where your Windows ACL comes from. When I check the
> permissions on typical Windows folders, Authenticated Users doesn't even
> show up.
On my machine,
C:\Users\yano>mkdir \test_folder
C:\Users\yano>icacls \test_folder
\test_folder BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
C:\Users\yano>mkdir test_folder
C:\Users\yano>icacls test_folder
test_folder NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
HP-Z230\yano:(I)(OI)(CI)(F)
HP-Z230\Administrator:(I)(OI)(CI)(F)
I have no idea why the \test_folder is different from \Users\yano\test_folder.
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 11:59 ` Corinna Vinschen
2024-11-11 11:59 ` Corinna Vinschen via Cygwin
@ 2024-11-11 12:25 ` Takashi Yano
2024-11-11 12:25 ` Takashi Yano via Cygwin
2024-11-11 13:00 ` Takashi Yano
2 siblings, 1 reply; 69+ messages in thread
From: Takashi Yano @ 2024-11-11 12:25 UTC (permalink / raw)
To: cygwin
On Mon, 11 Nov 2024 12:59:41 +0100
Corinna Vinschen wrote:
> On Nov 11 20:19, Takashi Yano via Cygwin wrote:
> > On Mon, 11 Nov 2024 11:56:13 +0100
> > Corinna Vinschen wrote:
> >
> > > On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> > > > On Fri, 8 Nov 2024 14:11:40 +0100
> > > > Corinna Vinschen wrote:
> > > > > If the server is a Samba share, check if `force unknown acl user = yes'
> > > > > and for the share itself, check that
> > > > >
> > > > > read only = No
> > > > > vfs objects = acl_xattr
> > > > ^^^^^^^^^^^^^^^^^^^^^^^
> > > > Thanks! This makes things better.
> > > > At least x permissions are set to executable compiled by gcc.
> > > >
> > > > However, something is still wrong in my environment....
> > > > Others permission seems to be referred in some cases.
> > >
> > > I don't understand. Please run icacls for a just created file on your
> > > Samba share (without the below patch) as well as Windows' `whoami /all'.
> >
> > $ touch samba_test_file.txt
> > $ icacls samba_test_file.txt
> > samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO)
> > S-1-5-21-479325430-3041864944-504445739-513:(R)
> > Everyone:(R)
> >
> > This seems reasonable to me.
> >
> > For Windows 11 share, the result is
> > samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
> > S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
>
> On Samba S-1-5-21-479325430-3041864944-504445739-1000
> On Windows S-1-5-21-2089672436-4097686843-2104605006-1001
>
> Isn't the user mapping off?
In my Samba environment, the 'username map' option is not specified.
The SID on a different machine is not the same, I think, is it?
> On Windows S-1-5-21-2089672436-4097686843-2104605006-1001
This is not the same as my SID on the file share client machine.
S-1-5-21-1515853178-1880514851-1804962447-1001
> On Windows S-1-5-21-2089672436-4097686843-2104605006-1001
This is my SID on the file server (Windows 11 machine).
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 12:03 ` Corinna Vinschen
2024-11-11 12:03 ` Corinna Vinschen via Cygwin
@ 2024-11-11 12:19 ` Takashi Yano
2024-11-11 12:19 ` Takashi Yano via Cygwin
2024-11-11 13:35 ` Corinna Vinschen
1 sibling, 2 replies; 69+ messages in thread
From: Takashi Yano @ 2024-11-11 12:19 UTC (permalink / raw)
To: cygwin
On Mon, 11 Nov 2024 13:03:18 +0100
Corinna Vinschen wrote:
> On Nov 11 20:40, Takashi Yano via Cygwin wrote:
> > On Mon, 11 Nov 2024 20:32:02 +0900
> > Takashi Yano via Cygwin <cygwin@cygwin.com> wrote:
> > > Even with this patch, the file:
> > >
> > > yano $ touch samba_test_file.txt
> > > yano $ ls -l samba_test_files.txt
> > > -rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt
> >
> > Oops! This was wrong.
> > -rw-r--r-- 1 Unknown+User Unix_Group+1000 0 Nov 11 20:25 samba_test_file.txt
>
> That's Samba for you. I applied your patch and created a file
> on my share, and the Authenticated Users group was not in the
> resulting ACL. Only user, group, and Everyone.
>
> Either way, I don't think this is the right thing to do. Even if
> the group isn't added to the ACL on my machine, it still looks like
> a security problem in waiting.
Isn't this DACL here used only for access_check() (NtAccessCheck())?
In my environment, Authenticated Users does not appear in the ACL
either.
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 11:40 ` Takashi Yano
2024-11-11 11:40 ` Takashi Yano via Cygwin
@ 2024-11-11 12:03 ` Corinna Vinschen
2024-11-11 12:03 ` Corinna Vinschen via Cygwin
2024-11-11 12:19 ` Takashi Yano
1 sibling, 2 replies; 69+ messages in thread
From: Corinna Vinschen @ 2024-11-11 12:03 UTC (permalink / raw)
To: cygwin
On Nov 11 20:40, Takashi Yano via Cygwin wrote:
> On Mon, 11 Nov 2024 20:32:02 +0900
> Takashi Yano via Cygwin <cygwin@cygwin.com> wrote:
> > Even with this patch, the file:
> >
> > yano $ touch samba_test_file.txt
> > yano $ ls -l samba_test_files.txt
> > -rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt
>
> Oops! This was wrong.
> -rw-r--r-- 1 Unknown+User Unix_Group+1000 0 Nov 11 20:25 samba_test_file.txt
That's Samba for you. I applied your patch and created a file
on my share, and the Authenticated Users group was not in the
resulting ACL. Only user, group, and Everyone.
Either way, I don't think this is the right thing to do. Even if
the group isn't added to the ACL on my machine, it still looks like
a security problem in waiting.
Corinna
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 11:19 ` Takashi Yano
` (2 preceding siblings ...)
2024-11-11 11:51 ` Takashi Yano
@ 2024-11-11 11:59 ` Corinna Vinschen
2024-11-11 11:59 ` Corinna Vinschen via Cygwin
` (2 more replies)
3 siblings, 3 replies; 69+ messages in thread
From: Corinna Vinschen @ 2024-11-11 11:59 UTC (permalink / raw)
To: cygwin
On Nov 11 20:19, Takashi Yano via Cygwin wrote:
> On Mon, 11 Nov 2024 11:56:13 +0100
> Corinna Vinschen wrote:
>
> > On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> > > On Fri, 8 Nov 2024 14:11:40 +0100
> > > Corinna Vinschen wrote:
> > > > If the server is a Samba share, check if `force unknown acl user = yes'
> > > > and for the share itself, check that
> > > >
> > > > read only = No
> > > > vfs objects = acl_xattr
> > > ^^^^^^^^^^^^^^^^^^^^^^^
> > > Thanks! This makes things better.
> > > At least x permissions are set to executable compiled by gcc.
> > >
> > > However, something is still wrong in my environment....
> > > Others permission seems to be referred in some cases.
> >
> > I don't understand. Please run icacls for a just created file on your
> > Samba share (without the below patch) as well as Windows' `whoami /all'.
>
> $ touch samba_test_file.txt
> $ icacls samba_test_file.txt
> samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO)
> S-1-5-21-479325430-3041864944-504445739-513:(R)
> Everyone:(R)
>
> This seems reasonable to me.
>
> For Windows 11 share, the result is
> samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
> S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
On Samba S-1-5-21-479325430-3041864944-504445739-1000
On Windows S-1-5-21-2089672436-4097686843-2104605006-1001
Isn't the user mapping off?
It's also not clear where your Windows ACL comes from. When I check the
permissions on typical Windows folders, Authenticated Users doesn't even
show up.
> S-1-5-21-2089672436-4097686843-2104605006-513:(DENY)(S,X)
> [...]
> NT AUTHORITY\Authenticated Users:(RX,W)
> [...]
> > Giving all authenticated users full permissions to all your files?
> > Unconditionally? That sounds like opening a security hole wide open.
>
> Does this really mean such a thing? Windows 11 share reports here,
> access mask 0x001201bf for S-1-5-11 is granted. Isn't this similar?
Well, it's just a group. All authenticated users are members of the
group. It's in all user tokens and if it allows everything on a file...
Corinna
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 11:19 ` Takashi Yano
2024-11-11 11:19 ` Takashi Yano via Cygwin
2024-11-11 11:32 ` Takashi Yano
@ 2024-11-11 11:51 ` Takashi Yano
2024-11-11 11:51 ` Takashi Yano via Cygwin
2024-11-11 11:59 ` Corinna Vinschen
3 siblings, 1 reply; 69+ messages in thread
From: Takashi Yano @ 2024-11-11 11:51 UTC (permalink / raw)
To: cygwin
On Mon, 11 Nov 2024 20:19:28 +0900
Takashi Yano wrote:
> On Mon, 11 Nov 2024 11:56:13 +0100
> Corinna Vinschen wrote:
>
> > On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> > > On Fri, 8 Nov 2024 14:11:40 +0100
> > > Corinna Vinschen wrote:
> > > > If the server is a Samba share, check if `force unknown acl user = yes'
> > > > and for the share itself, check that
> > > >
> > > > read only = No
> > > > vfs objects = acl_xattr
> > > ^^^^^^^^^^^^^^^^^^^^^^^
> > > Thanks! This makes things better.
> > > At least x permissions are set to executable compiled by gcc.
> > >
> > > However, something is still wrong in my environment....
> > > Others permission seems to be referred in some cases.
> >
> > I don't understand. Please run icacls for a just created file on your
> > Samba share (without the below patch) as well as Windows' `whoami /all'.
>
> $ touch samba_test_file.txt
> $ icacls samba_test_file.txt
> samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO)
> S-1-5-21-479325430-3041864944-504445739-513:(R)
> Everyone:(R)
>
> This seems reasonable to me.
>
> For Windows 11 share, the result is
> samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
> S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
> S-1-5-21-2089672436-4097686843-2104605006-513:(DENY)(S,X)
> NT AUTHORITY\Authenticated Users:(DENY)(S,X)
> NT AUTHORITY\SYSTEM:(DENY)(S,X)
> BUILTIN\Administrators:(DENY)(S,X)
> BUILTIN\Users:(DENY)(S,X)
> S-1-5-21-2089672436-4097686843-2104605006-513:(RX)
> NT AUTHORITY\Authenticated Users:(RX,W)
> NT AUTHORITY\SYSTEM:(RX,W)
> BUILTIN\Administrators:(RX,W)
> BUILTIN\Users:(RX)
> Everyone:(R)
Sorry, I forgot to add the result of 'whoami /all'.
$ /cygdrive/c/windows/system32/whoami /all
USER INFORMATION
----------------
User Name SID
============ ==============================================
hp-z230\yano S-1-5-21-1515853178-1880514851-1804962447-1001
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
HP-Z230\docker-users Alias S-1-5-21-1515853178-1880514851-1804962447-1073 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\ローカル アカウント Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 11:51 ` Takashi Yano
@ 2024-11-11 11:51 ` Takashi Yano via Cygwin
0 siblings, 0 replies; 69+ messages in thread
From: Takashi Yano via Cygwin @ 2024-11-11 11:51 UTC (permalink / raw)
To: cygwin
On Mon, 11 Nov 2024 20:19:28 +0900
Takashi Yano wrote:
> On Mon, 11 Nov 2024 11:56:13 +0100
> Corinna Vinschen wrote:
>
> > On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> > > On Fri, 8 Nov 2024 14:11:40 +0100
> > > Corinna Vinschen wrote:
> > > > If the server is a Samba share, check if `force unknown acl user = yes'
> > > > and for the share itself, check that
> > > >
> > > > read only = No
> > > > vfs objects = acl_xattr
> > > ^^^^^^^^^^^^^^^^^^^^^^^
> > > Thanks! This makes things better.
> > > At least x permissions are set to executable compiled by gcc.
> > >
> > > However, something is still wrong in my environment....
> > > Others permission seems to be referred in some cases.
> >
> > I don't understand. Please run icacls for a just created file on your
> > Samba share (without the below patch) as well as Windows' `whoami /all'.
>
> $ touch samba_test_file.txt
> $ icacls samba_test_file.txt
> samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO)
> S-1-5-21-479325430-3041864944-504445739-513:(R)
> Everyone:(R)
>
> This seems reasonable to me.
>
> For Windows 11 share, the result is
> samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
> S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
> S-1-5-21-2089672436-4097686843-2104605006-513:(DENY)(S,X)
> NT AUTHORITY\Authenticated Users:(DENY)(S,X)
> NT AUTHORITY\SYSTEM:(DENY)(S,X)
> BUILTIN\Administrators:(DENY)(S,X)
> BUILTIN\Users:(DENY)(S,X)
> S-1-5-21-2089672436-4097686843-2104605006-513:(RX)
> NT AUTHORITY\Authenticated Users:(RX,W)
> NT AUTHORITY\SYSTEM:(RX,W)
> BUILTIN\Administrators:(RX,W)
> BUILTIN\Users:(RX)
> Everyone:(R)
Sorry, I forgot to add result of 'whoami /all'.
$ /cygdrive/c/windows/system32/whoami /all
USER INFORMATION
----------------
User Name    SID
============ ==============================================
hp-z230\yano S-1-5-21-1515853178-1880514851-1804962447-1001

GROUP INFORMATION
-----------------
Group Name                             Type             SID                                            Attributes
====================================== ================ ============================================== ==================================================
Everyone                               Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
HP-Z230\docker-users                   Alias            S-1-5-21-1515853178-1880514851-1804962447-1073 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users          Alias            S-1-5-32-559                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\ローカル アカウント       Well-known group S-1-5-113                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 11:32 ` Takashi Yano
2024-11-11 11:32 ` Takashi Yano via Cygwin
@ 2024-11-11 11:40 ` Takashi Yano
2024-11-11 11:40 ` Takashi Yano via Cygwin
2024-11-11 12:03 ` Corinna Vinschen
1 sibling, 2 replies; 69+ messages in thread
From: Takashi Yano @ 2024-11-11 11:40 UTC (permalink / raw)
To: cygwin
On Mon, 11 Nov 2024 20:32:02 +0900
Takashi Yano via Cygwin <cygwin@cygwin.com> wrote:
> Even with this patch, the file:
>
> yano $ touch samba_test_file.txt
> yano $ ls -l samba_test_files.txt
> -rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt
Oops! This was wrong.
-rw-r--r-- 1 Unknown+User Unix_Group+1000 0 Nov 11 20:25 samba_test_file.txt
> cannot be written by other users:
>
> someone $ echo BBBB > samba_test_files.txt
> samba_test_files.txt: Permission denied.
>
> --
> Takashi Yano <takashi.yano@nifty.ne.jp>
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 11:40 ` Takashi Yano
@ 2024-11-11 11:40 ` Takashi Yano via Cygwin
2024-11-11 12:03 ` Corinna Vinschen
1 sibling, 0 replies; 69+ messages in thread
From: Takashi Yano via Cygwin @ 2024-11-11 11:40 UTC (permalink / raw)
To: cygwin
On Mon, 11 Nov 2024 20:32:02 +0900
Takashi Yano via Cygwin <cygwin@cygwin.com> wrote:
> Even with this patch, the file:
>
> yano $ touch samba_test_file.txt
> yano $ ls -l samba_test_files.txt
> -rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt
Oops! This was wrong.
-rw-r--r-- 1 Unknown+User Unix_Group+1000 0 Nov 11 20:25 samba_test_file.txt
> cannot be written by other users:
>
> someone $ echo BBBB > samba_test_files.txt
> samba_test_files.txt: Permission denied.
>
> --
> Takashi Yano <takashi.yano@nifty.ne.jp>
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 11:19 ` Takashi Yano
2024-11-11 11:19 ` Takashi Yano via Cygwin
@ 2024-11-11 11:32 ` Takashi Yano
2024-11-11 11:32 ` Takashi Yano via Cygwin
2024-11-11 11:40 ` Takashi Yano
2024-11-11 11:51 ` Takashi Yano
2024-11-11 11:59 ` Corinna Vinschen
3 siblings, 2 replies; 69+ messages in thread
From: Takashi Yano @ 2024-11-11 11:32 UTC (permalink / raw)
To: cygwin
On Mon, 11 Nov 2024 20:19:28 +0900
Takashi Yano via Cygwin <cygwin@cygwin.com> wrote:
> On Mon, 11 Nov 2024 11:56:13 +0100
> Corinna Vinschen wrote:
> > > diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
> > > index d5e39d281..c519af6e0 100644
> > > --- a/winsup/cygwin/sec/base.cc
> > > +++ b/winsup/cygwin/sec/base.cc
> > > @@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret)
> > > ace->Header.AceFlags))
> > > return;
> > > }
> > > + /* Samba without AD seems to need this. */
> > > + add_access_allowed_ace (acl, FILE_ALL_ACCESS,
> > > + well_known_authenticated_users_sid, acl_len, 0);
> > > acl->AclSize = acl_len;
> > >
> > > RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
> > >
> > > What do you think?
> >
> > Giving all authenticated users full permissions to all your files?
> > Unconditionally? That sounds like opening a security hole wide open.
>
> Does this really mean such a thing? Windows 11 share reports here,
> access mask 0x001201bf for S-1-5-11 is granted. Isn't this similar?
Even with this patch, the file:
yano $ touch samba_test_file.txt
yano $ ls -l samba_test_files.txt
-rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt
cannot be written by other users:
someone $ echo BBBB > samba_test_files.txt
samba_test_files.txt: Permission denied.
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 11:32 ` Takashi Yano
@ 2024-11-11 11:32 ` Takashi Yano via Cygwin
2024-11-11 11:40 ` Takashi Yano
1 sibling, 0 replies; 69+ messages in thread
From: Takashi Yano via Cygwin @ 2024-11-11 11:32 UTC (permalink / raw)
To: cygwin
On Mon, 11 Nov 2024 20:19:28 +0900
Takashi Yano via Cygwin <cygwin@cygwin.com> wrote:
> On Mon, 11 Nov 2024 11:56:13 +0100
> Corinna Vinschen wrote:
> > > diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
> > > index d5e39d281..c519af6e0 100644
> > > --- a/winsup/cygwin/sec/base.cc
> > > +++ b/winsup/cygwin/sec/base.cc
> > > @@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret)
> > > ace->Header.AceFlags))
> > > return;
> > > }
> > > + /* Samba without AD seems to need this. */
> > > + add_access_allowed_ace (acl, FILE_ALL_ACCESS,
> > > + well_known_authenticated_users_sid, acl_len, 0);
> > > acl->AclSize = acl_len;
> > >
> > > RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
> > >
> > > What do you think?
> >
> > Giving all authenticated users full permissions to all your files?
> > Unconditionally? That sounds like opening a security hole wide open.
>
> Does this really mean such a thing? Windows 11 share reports here,
> access mask 0x001201bf for S-1-5-11 is granted. Isn't this similar?
Even with this patch, the file:
yano $ touch samba_test_file.txt
yano $ ls -l samba_test_files.txt
-rw-r--r-- 1 yano yano 0 Nov 11 20:25 samba_test_file.txt
cannot be written by other users:
someone $ echo BBBB > samba_test_files.txt
samba_test_files.txt: Permission denied.
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 10:56 ` Corinna Vinschen
2024-11-11 10:56 ` Corinna Vinschen via Cygwin
@ 2024-11-11 11:19 ` Takashi Yano
2024-11-11 11:19 ` Takashi Yano via Cygwin
` (3 more replies)
1 sibling, 4 replies; 69+ messages in thread
From: Takashi Yano @ 2024-11-11 11:19 UTC (permalink / raw)
To: cygwin
On Mon, 11 Nov 2024 11:56:13 +0100
Corinna Vinschen wrote:
> On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> > On Fri, 8 Nov 2024 14:11:40 +0100
> > Corinna Vinschen wrote:
> > > If the server is a Samba share, check if `force unknown acl user = yes'
> > > and for the share itself, check that
> > >
> > > read only = No
> > > vfs objects = acl_xattr
> > ^^^^^^^^^^^^^^^^^^^^^^^
> > Thanks! This makes things better.
> > At least x permissions are set to executable compiled by gcc.
> >
> > However, something is still wrong in my environment....
> > Others permission seems to be referred to in some cases.
>
> I don't understand. Please run icacls for a just created file on your
> Samba share (without the below patch) as well as Windows' `whoami /all'.
$ touch samba_test_file.txt
$ icacls samba_test_file.txt
samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO)
S-1-5-21-479325430-3041864944-504445739-513:(R)
Everyone:(R)
This seems reasonable to me.
For Windows 11 share, the result is
samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
S-1-5-21-2089672436-4097686843-2104605006-513:(DENY)(S,X)
NT AUTHORITY\Authenticated Users:(DENY)(S,X)
NT AUTHORITY\SYSTEM:(DENY)(S,X)
BUILTIN\Administrators:(DENY)(S,X)
BUILTIN\Users:(DENY)(S,X)
S-1-5-21-2089672436-4097686843-2104605006-513:(RX)
NT AUTHORITY\Authenticated Users:(RX,W)
NT AUTHORITY\SYSTEM:(RX,W)
BUILTIN\Administrators:(RX,W)
BUILTIN\Users:(RX)
Everyone:(R)
> > > map acl inherit = Yes
> > > store dos attributes = Yes
> > >
> > > Not sure if that helps, but I don't have any other idea. I'm running
> > > Samba in an AD environment and "it works for me" :-P
> >
> > I looked into this problem and found that NtAccessCheck() fails
> > for my samba environment.
> >
> > It seems that the next patch solves this.
> >
> > diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
> > index d5e39d281..c519af6e0 100644
> > --- a/winsup/cygwin/sec/base.cc
> > +++ b/winsup/cygwin/sec/base.cc
> > @@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret)
> > ace->Header.AceFlags))
> > return;
> > }
> > + /* Samba without AD seems to need this. */
> > + add_access_allowed_ace (acl, FILE_ALL_ACCESS,
> > + well_known_authenticated_users_sid, acl_len, 0);
> > acl->AclSize = acl_len;
> >
> > RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
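Review bot: FILE_ALL_ACCESS in the added add_access_allowed_ace call is 0x001f01ff, which is wider than the 0x001201bf mask cited for S-1-5-11 in the reply below; the difference is DELETE, WRITE_DAC, WRITE_OWNER and FILE_DELETE_CHILD. If an allow ACE for well_known_authenticated_users_sid is kept at all, pass the narrowest mask that lets NtAccessCheck() succeed rather than full control.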
> >
> > What do you think?
>
> Giving all authenticated users full permissions to all your files?
> Unconditionally? That sounds like opening a security hole wide open.
Does this really mean such a thing? Windows 11 share reports here,
access mask 0x001201bf for S-1-5-11 is granted. Isn't this similar?
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
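A simplified DACL walk over the two icacls listings in the message above, using the SIDs from the `whoami /all` output posted in the 11:51 follow-up; this is an added example, not code from the thread or from Cygwin. The helper names `parse_icacls` and `granted_access` are hypothetical, and the model covers only ordered deny/allow ACEs matched against the token's SIDs (no owner rights, no privileges, no server-side enforcement).

```python
import re

# Access-mask bits as defined in the Windows SDK (winnt.h).
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = 0x10000, 0x20000, 0x40000, 0x80000, 0x100000
FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE = 0x120089, 0x120116, 0x1200A0
FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD = 0x10, 0x20, 0x40
FILE_ALL_ACCESS = 0x1F01FF

# icacls abbreviations, limited to those that occur in the listings below.
ICACLS_RIGHTS = {
    "R": FILE_GENERIC_READ, "W": FILE_GENERIC_WRITE,
    "RX": FILE_GENERIC_READ | FILE_GENERIC_EXECUTE,
    "D": DELETE, "RC": READ_CONTROL, "WDAC": WRITE_DAC, "WO": WRITE_OWNER,
    "S": SYNCHRONIZE, "WEA": FILE_WRITE_EA, "X": FILE_EXECUTE, "DC": FILE_DELETE_CHILD,
}
WELL_KNOWN = {
    "NULL SID": "S-1-0-0", "Everyone": "S-1-1-0",
    "NT AUTHORITY\\Authenticated Users": "S-1-5-11", "NT AUTHORITY\\SYSTEM": "S-1-5-18",
    "BUILTIN\\Administrators": "S-1-5-32-544", "BUILTIN\\Users": "S-1-5-32-545",
}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)$")
# icacls listings copied from the thread: Samba share first, Windows 11 share second.
SAMBA_LISTING = r"""
samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO)
S-1-5-21-479325430-3041864944-504445739-513:(R)
Everyone:(R)
"""
WIN11_LISTING = r"""
samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
S-1-5-21-2089672436-4097686843-2104605006-513:(DENY)(S,X)
NT AUTHORITY\Authenticated Users:(DENY)(S,X)
NT AUTHORITY\SYSTEM:(DENY)(S,X)
BUILTIN\Administrators:(DENY)(S,X)
BUILTIN\Users:(DENY)(S,X)
S-1-5-21-2089672436-4097686843-2104605006-513:(RX)
NT AUTHORITY\Authenticated Users:(RX,W)
NT AUTHORITY\SYSTEM:(RX,W)
BUILTIN\Administrators:(RX,W)
BUILTIN\Users:(RX)
Everyone:(R)
"""
TOKEN_SIDS = {  # user and group SIDs from the posted `whoami /all`
    "S-1-5-21-1515853178-1880514851-1804962447-1001", "S-1-1-0", "S-1-5-32-545",
    "S-1-5-21-1515853178-1880514851-1804962447-1073", "S-1-5-32-559", "S-1-5-32-555",
    "S-1-5-4", "S-1-2-1", "S-1-5-11", "S-1-5-15", "S-1-5-113", "S-1-2-0", "S-1-5-64-10",
}


def parse_icacls(listing, filename="samba_test_file.txt"):
    """Return the listing's ACEs in order as (kind, sid, mask) tuples."""
    aces = []
    for line in listing.strip().splitlines():
        if line.startswith(filename):  # the first row carries the file name
            line = line[len(filename):]
        match = ACE_RE.match(line.strip())
        if not match:
            continue
        groups = re.findall(r"\(([^)]*)\)", match["groups"])
        mask = 0
        for abbr in groups[-1].split(","):
            mask |= ICACLS_RIGHTS[abbr.strip().upper()]
        kind = "deny" if "DENY" in groups else "allow"
        aces.append((kind, WELL_KNOWN.get(match["who"], match["who"]), mask))
    return aces


def granted_access(aces, token_sids, desired=FILE_ALL_ACCESS):
    """Ordered DACL walk: a matching deny ACE blocks bits not yet granted,
    a matching allow ACE grants bits not yet denied."""
    granted = denied = 0
    for kind, sid, mask in aces:
        if sid not in token_sids:
            continue
        if kind == "deny":
            denied |= mask & desired & ~granted
        else:
            granted |= mask & desired & ~denied
    return granted


def samba_before_after():
    """Granted mask on the Samba-share ACL, without and with the patch's extra ACE."""
    aces = parse_icacls(SAMBA_LISTING)
    patched = aces + [("allow", "S-1-5-11", FILE_ALL_ACCESS)]
    return granted_access(aces, TOKEN_SIDS), granted_access(patched, TOKEN_SIDS)


def win11_authenticated_users_allow():
    """Mask of the allow ACE for S-1-5-11 in the Windows 11 listing."""
    aces = parse_icacls(WIN11_LISTING)
    return next(m for k, s, m in aces if k == "allow" and s == "S-1-5-11")


if __name__ == "__main__":
    before, after = samba_before_after()
    win11 = win11_authenticated_users_allow()
    print(f"Samba ACL, posted token: {before:#010x}; with S-1-5-11 FILE_ALL_ACCESS: {after:#010x}")
    print(f"Win11 S-1-5-11 allow ACE: {win11:#010x}; only in FILE_ALL_ACCESS: {FILE_ALL_ACCESS & ~win11:#010x}")
```

In this model the posted token matches only the `Everyone:(R)` entry of the Samba-share ACL, because neither the file's owner SID nor its group SID appears in the `whoami /all` output.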
* Re: SMBFS mount's file cannot be made executable
2024-11-11 11:19 ` Takashi Yano
@ 2024-11-11 11:19 ` Takashi Yano via Cygwin
2024-11-11 11:32 ` Takashi Yano
` (2 subsequent siblings)
3 siblings, 0 replies; 69+ messages in thread
From: Takashi Yano via Cygwin @ 2024-11-11 11:19 UTC (permalink / raw)
To: cygwin
On Mon, 11 Nov 2024 11:56:13 +0100
Corinna Vinschen wrote:
> On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> > On Fri, 8 Nov 2024 14:11:40 +0100
> > Corinna Vinschen wrote:
> > > If the server is a Samba share, check if `force unknown acl user = yes'
> > > and for the share itself, check that
> > >
> > > read only = No
> > > vfs objects = acl_xattr
> > ^^^^^^^^^^^^^^^^^^^^^^^
> > Thanks! This makes things better.
> > At least x permissions are set to executable compiled by gcc.
> >
> > However, something is still wrong in my environment....
> > Others permission seems to be referred to in some cases.
>
> I don't understand. Please run icacls for a just created file on your
> Samba share (without the below patch) as well as Windows' `whoami /all'.
$ touch samba_test_file.txt
$ icacls samba_test_file.txt
samba_test_file.txt S-1-5-21-479325430-3041864944-504445739-1000:(R,W,D,WDAC,WO)
S-1-5-21-479325430-3041864944-504445739-513:(R)
Everyone:(R)
This seems reasonable to me.
For Windows 11 share, the result is
samba_test_file.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
S-1-5-21-2089672436-4097686843-2104605006-1001:(R,W,D,WDAC,WO)
S-1-5-21-2089672436-4097686843-2104605006-513:(DENY)(S,X)
NT AUTHORITY\Authenticated Users:(DENY)(S,X)
NT AUTHORITY\SYSTEM:(DENY)(S,X)
BUILTIN\Administrators:(DENY)(S,X)
BUILTIN\Users:(DENY)(S,X)
S-1-5-21-2089672436-4097686843-2104605006-513:(RX)
NT AUTHORITY\Authenticated Users:(RX,W)
NT AUTHORITY\SYSTEM:(RX,W)
BUILTIN\Administrators:(RX,W)
BUILTIN\Users:(RX)
Everyone:(R)
> > > map acl inherit = Yes
> > > store dos attributes = Yes
> > >
> > > Not sure if that helps, but I don't have any other idea. I'm running
> > > Samba in an AD environment and "it works for me" :-P
> >
> > I looked into this problem and found that NtAccessCheck() fails
> > for my samba environment.
> >
> > It seems that the next patch solves this.
> >
> > diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
> > index d5e39d281..c519af6e0 100644
> > --- a/winsup/cygwin/sec/base.cc
> > +++ b/winsup/cygwin/sec/base.cc
> > @@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret)
> > ace->Header.AceFlags))
> > return;
> > }
> > + /* Samba without AD seems to need this. */
> > + add_access_allowed_ace (acl, FILE_ALL_ACCESS,
> > + well_known_authenticated_users_sid, acl_len, 0);
> > acl->AclSize = acl_len;
> >
> > RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
> >
> > What do you think?
>
> Giving all authenticated users full permissions to all your files?
> Unconditionally? That sounds like opening a security hole wide open.
Does this really mean such a thing? Windows 11 share reports here,
access mask 0x001201bf for S-1-5-11 is granted. Isn't this similar?
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 10:31 ` Takashi Yano
2024-11-11 10:31 ` Takashi Yano via Cygwin
@ 2024-11-11 10:56 ` Corinna Vinschen
2024-11-11 10:56 ` Corinna Vinschen via Cygwin
2024-11-11 11:19 ` Takashi Yano
1 sibling, 2 replies; 69+ messages in thread
From: Corinna Vinschen @ 2024-11-11 10:56 UTC (permalink / raw)
To: cygwin
On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> On Fri, 8 Nov 2024 14:11:40 +0100
> Corinna Vinschen wrote:
> > If the server is a Samba share, check if `force unknown acl user = yes'
> > and for the share itself, check that
> >
> > read only = No
> > vfs objects = acl_xattr
> ^^^^^^^^^^^^^^^^^^^^^^^
> Thanks! This makes things better.
> At least x permissions are set to executable compiled by gcc.
>
> However, something is still wrong in my environment....
> Others permission seems to be referred to in some cases.
I don't understand. Please run icacls for a just created file on your
Samba share (without the below patch) as well as Windows' `whoami /all'.
> > map acl inherit = Yes
> > store dos attributes = Yes
> >
> > Not sure if that helps, but I don't have any other idea. I'm running
> > Samba in an AD environment and "it works for me" :-P
>
> I looked into this problem and found that NtAccessCheck() fails
> for my samba environment.
>
> It seems that the next patch solves this.
>
> diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
> index d5e39d281..c519af6e0 100644
> --- a/winsup/cygwin/sec/base.cc
> +++ b/winsup/cygwin/sec/base.cc
> @@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret)
> ace->Header.AceFlags))
> return;
> }
> + /* Samba without AD seems to need this. */
> + add_access_allowed_ace (acl, FILE_ALL_ACCESS,
> + well_known_authenticated_users_sid, acl_len, 0);
> acl->AclSize = acl_len;
>
> RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
>
> What do you think?
Giving all authenticated users full permissions to all your files?
Unconditionally? That sounds like opening a security hole wide open.
Corinna
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 10:56 ` Corinna Vinschen
@ 2024-11-11 10:56 ` Corinna Vinschen via Cygwin
2024-11-11 11:19 ` Takashi Yano
1 sibling, 0 replies; 69+ messages in thread
From: Corinna Vinschen via Cygwin @ 2024-11-11 10:56 UTC (permalink / raw)
To: cygwin; +Cc: Corinna Vinschen
On Nov 11 19:31, Takashi Yano via Cygwin wrote:
> On Fri, 8 Nov 2024 14:11:40 +0100
> Corinna Vinschen wrote:
> > If the server is a Samba share, check if `force unknown acl user = yes'
> > and for the share itself, check that
> >
> > read only = No
> > vfs objects = acl_xattr
> ^^^^^^^^^^^^^^^^^^^^^^^
> Thanks! This makes things better.
> At least x permissions are set to executable compiled by gcc.
>
> However, something is still wrong in my environment....
> Others permission seems to be referred to in some cases.
I don't understand. Please run icacls for a just created file on your
Samba share (without the below patch) as well as Windows' `whoami /all'.
> > map acl inherit = Yes
> > store dos attributes = Yes
> >
> > Not sure if that helps, but I don't have any other idea. I'm running
> > Samba in an AD environment and "it works for me" :-P
>
> I looked into this problem and found that NtAccessCheck() fails
> for my samba environment.
>
> It seems that the next patch solves this.
>
> diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
> index d5e39d281..c519af6e0 100644
> --- a/winsup/cygwin/sec/base.cc
> +++ b/winsup/cygwin/sec/base.cc
> @@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret)
> ace->Header.AceFlags))
> return;
> }
> + /* Samba without AD seems to need this. */
> + add_access_allowed_ace (acl, FILE_ALL_ACCESS,
> + well_known_authenticated_users_sid, acl_len, 0);
> acl->AclSize = acl_len;
>
> RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
>
> What do you think?
Giving all authenticated users full permissions to all your files?
Unconditionally? That sounds like opening a security hole wide open.
Corinna
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-08 13:11 ` Corinna Vinschen
@ 2024-11-11 10:31 ` Takashi Yano
2024-11-11 10:31 ` Takashi Yano via Cygwin
2024-11-11 10:56 ` Corinna Vinschen
0 siblings, 2 replies; 69+ messages in thread
From: Takashi Yano @ 2024-11-11 10:31 UTC (permalink / raw)
To: cygwin
Hi Corinna,
On Fri, 8 Nov 2024 14:11:40 +0100
Corinna Vinschen wrote:
> On Nov 8 20:51, Takashi Yano via Cygwin wrote:
> > Hi all,
> >
> > On Thu, 8 Aug 2019 15:41:55 +0000
> > "Lavrentiev, Anton (NIH/NLM/NCBI) [C] wrote:
> > > Hi,
> > >
> > > Here's the situation, I have a netmount "Z:" but I cannot make any files on it executable from Cygwin:
> > >
> > > $ mount
> > > ...
> > > Z: on /cygdrive/z type smbfs (binary,posix=0,user,noumount,auto)
> > > [...]
> > > $ ls -l a.exe
> > > -rw-rw-r--+ 1 lavr cppcore 157753 Aug 8 11:29 a.exe
> > > [...]
> > > $ chmod a+x a.exe
> > > [...]
> > > $ ls -l a.exe
> > > -rw-rw-r--+ 1 lavr cppcore 157753 Aug 8 11:29 a.exe
> > > [...]
> > > Also, any file that I give the "x" permission from outside Cygwin (e.g. from Linux) on the SMBFS drive "Z:",
> > > becomes executable:
> >
> > Does anyone know what was the conclusion of this issue?
> > I have encountered the same issue and cannot find the
> > solution so far.
>
> SMB is really complex, and Samba adds to the complexity.
>
> If the remote drive is a Windows share, check if the server shares the
> folder with "Full Control" for everyone.
>
> If the server is a Samba share, check if `force unknown acl user = yes'
> and for the share itself, check that
>
> read only = No
> vfs objects = acl_xattr
^^^^^^^^^^^^^^^^^^^^^^^
Thanks! This makes things better.
At least x permissions are set to executable compiled by gcc.
However, something is still wrong in my environment....
Others permission seems to be referred to in some cases.
> map acl inherit = Yes
> store dos attributes = Yes
>
> Not sure if that helps, but I don't have any other idea. I'm running
> Samba in an AD environment and "it works for me" :-P
I looked into this problem and found that NtAccessCheck() fails
for my samba environment.
It seems that the next patch solves this.
diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
index d5e39d281..c519af6e0 100644
--- a/winsup/cygwin/sec/base.cc
+++ b/winsup/cygwin/sec/base.cc
@@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret)
ace->Header.AceFlags))
return;
}
+ /* Samba without AD seems to need this. */
+ add_access_allowed_ace (acl, FILE_ALL_ACCESS,
+ well_known_authenticated_users_sid, acl_len, 0);
acl->AclSize = acl_len;
RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
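Review bot: the new add_access_allowed_ace call sits after the loop's closing brace with no condition around it, so every descriptor that reaches this point in convert_samba_sd gains an allow ACE for well_known_authenticated_users_sid, while the comment limits the need to "Samba without AD". Gate the call on whatever identifies that case, and have the comment state which check fails without the ACE (the mail names NtAccessCheck()). The call's result is also dropped, whereas the call just above it in the hunk is tested and followed by "return;".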
What do you think?
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-11 10:31 ` Takashi Yano
@ 2024-11-11 10:31 ` Takashi Yano via Cygwin
2024-11-11 10:56 ` Corinna Vinschen
1 sibling, 0 replies; 69+ messages in thread
From: Takashi Yano via Cygwin @ 2024-11-11 10:31 UTC (permalink / raw)
To: cygwin
Hi Corinna,
On Fri, 8 Nov 2024 14:11:40 +0100
Corinna Vinschen wrote:
> On Nov 8 20:51, Takashi Yano via Cygwin wrote:
> > Hi all,
> >
> > On Thu, 8 Aug 2019 15:41:55 +0000
> > "Lavrentiev, Anton (NIH/NLM/NCBI) [C] wrote:
> > > Hi,
> > >
> > > Here's the situation, I have a netmount "Z:" but I cannot make any files on it executable from Cygwin:
> > >
> > > $ mount
> > > ...
> > > Z: on /cygdrive/z type smbfs (binary,posix=0,user,noumount,auto)
> > > [...]
> > > $ ls -l a.exe
> > > -rw-rw-r--+ 1 lavr cppcore 157753 Aug 8 11:29 a.exe
> > > [...]
> > > $ chmod a+x a.exe
> > > [...]
> > > $ ls -l a.exe
> > > -rw-rw-r--+ 1 lavr cppcore 157753 Aug 8 11:29 a.exe
> > > [...]
> > > Also, any file that I give the "x" permission from outside Cygwin (e.g. from Linux) on the SMBFS drive "Z:",
> > > becomes executable:
> >
> > Does anyone know what was the conclusion of this issue?
> > I have encountered the same issue and cannot find the
> > solution so far.
>
> SMB is really complex, and Samba adds to the complexity.
>
> If the remote drive is a Windows share, check if the server shares the
> folder with "Full Control" for everyone.
>
> If the server is a Samba share, check if `force unknown acl user = yes'
> and for the share itself, check that
>
> read only = No
> vfs objects = acl_xattr
^^^^^^^^^^^^^^^^^^^^^^^
Thanks! This makes things better.
At least x permissions are set to executable compiled by gcc.
However, something is still wrong in my environment....
Others permission seems to be referred to in some cases.
> map acl inherit = Yes
> store dos attributes = Yes
>
> Not sure if that helps, but I don't have any other idea. I'm running
> Samba in an AD environment and "it works for me" :-P
I looked into this problem and found that NtAccessCheck() fails
for my samba environment.
It seems that the next patch solves this.
diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
index d5e39d281..c519af6e0 100644
--- a/winsup/cygwin/sec/base.cc
+++ b/winsup/cygwin/sec/base.cc
@@ -681,6 +681,9 @@ convert_samba_sd (security_descriptor &sd_ret)
ace->Header.AceFlags))
return;
}
+ /* Samba without AD seems to need this. */
+ add_access_allowed_ace (acl, FILE_ALL_ACCESS,
+ well_known_authenticated_users_sid, acl_len, 0);
acl->AclSize = acl_len;
RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
What do you think?
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2024-11-08 11:51 ` Takashi Yano
@ 2024-11-08 13:11 ` Corinna Vinschen
2024-11-11 10:31 ` Takashi Yano
0 siblings, 1 reply; 69+ messages in thread
From: Corinna Vinschen @ 2024-11-08 13:11 UTC (permalink / raw)
To: cygwin
On Nov 8 20:51, Takashi Yano via Cygwin wrote:
> Hi all,
>
> On Thu, 8 Aug 2019 15:41:55 +0000
> "Lavrentiev, Anton (NIH/NLM/NCBI) [C] wrote:
> > Hi,
> >
> > Here's the situation, I have a netmount "Z:" but I cannot make any files on it executable from Cygwin:
> >
> > $ mount
> > ...
> > Z: on /cygdrive/z type smbfs (binary,posix=0,user,noumount,auto)
> > [...]
> > $ ls -l a.exe
> > -rw-rw-r--+ 1 lavr cppcore 157753 Aug 8 11:29 a.exe
> > [...]
> > $ chmod a+x a.exe
> > [...]
> > $ ls -l a.exe
> > -rw-rw-r--+ 1 lavr cppcore 157753 Aug 8 11:29 a.exe
> > [...]
> > Also, any file that I give the "x" permission from outside Cygwin (e.g. from Linux) on the SMBFS drive "Z:",
> > becomes executable:
>
> Does anyone know what was the conclusion of this issue?
> I have encountered the same issue and cannot find the
> solution so far.
SMB is really complex, and Samba adds to the complexity.
If the remote drive is a Windows share, check if the server shares the
folder with "Full Control" for everyone.
If the server is a Samba share, check if `force unknown acl user = yes'
and for the share itself, check that
read only = No
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
Not sure if that helps, but I don't have any other idea. I'm running
Samba in an AD environment and "it works for me" :-P
Corinna
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2019-08-08 15:42 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
@ 2024-11-08 11:51 ` Takashi Yano
2024-11-08 13:11 ` Corinna Vinschen
0 siblings, 1 reply; 69+ messages in thread
From: Takashi Yano @ 2024-11-08 11:51 UTC (permalink / raw)
To: cygwin; +Cc: Lavrentiev, Anton (NIH/NLM/NCBI) [C]
Hi all,
On Thu, 8 Aug 2019 15:41:55 +0000
"Lavrentiev, Anton (NIH/NLM/NCBI) [C] wrote:
> Hi,
>
> Here's the situation, I have a netmount "Z:" but I cannot make any files on it executable from Cygwin:
>
> $ mount
> ...
> Z: on /cygdrive/z type smbfs (binary,posix=0,user,noumount,auto)
>
> $ cd /cygdrive/z
>
> $ pwd
> /cygdrive/z
>
> $ cat a.c
> #include <stdio.h>
>
> int main()
> {
>     printf("Hello world!\n");
>     return 0;
> }
>
> $ gcc -Wall a.c
>
> $ echo $?
> 0
>
> $ ./a.exe
> -bash: ./a.exe: Permission denied
>
> $ ls -l a.exe
> -rw-rw-r--+ 1 lavr cppcore 157753 Aug 8 11:29 a.exe
>
> $ getfacl.exe a.exe
> # file: a.exe
> # owner: lavr
> # group: cppcore
> user::rw-
> user:lavr:rw-
> group::r--
> group:cppcore:r--
> mask::rw-
> other::r--
>
> $ chmod a+x a.exe
>
> $ echo $?
> 0
>
> $ ls -l a.exe
> -rw-rw-r--+ 1 lavr cppcore 157753 Aug 8 11:29 a.exe
>
> $ getfacl.exe a.exe
> # file: a.exe
> # owner: lavr
> # group: cppcore
> user::rw-
> user:lavr:rw-
> group::r--
> group:cppcore:r--
> mask::rw-
> other::r--
>
> $ ./a.exe
> -bash: ./a.exe: Permission denied
>
> What's missing? How to make the file executable, and why chmod() lies about all-good when it does nothing?
> Any ideas please?
>
> Thanks!
>
> P.S. I have another netmount "drive" (U:) which Cygwin identifies as "netapp", and everything works on that drive,
> regarding the execution permission.
>
> U: on /cygdrive/u type netapp (binary,posix=0,user,noumount,auto)
>
> Also, any file that I give the "x" permission from outside Cygwin (e.g. from Linux) on the SMBFS drive "Z:",
> becomes executable:
>
> Cygwin> $ gcc -Wall a.c
>
> Linux> $ chmod a+x a.exe
>
> Cygwin> $ ./a.exe
> Hello world!
Does anyone know what was the conclusion of this issue?
I have encountered the same issue and cannot find the
solution so far.
--
Takashi Yano <takashi.yano@nifty.ne.jp>
^ permalink raw reply [flat|nested] 69+ messages in thread
* RE: SMBFS mount's file cannot be made executable
2019-08-15 9:23 ` L A Walsh
@ 2019-08-21 7:12 ` Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
0 siblings, 0 replies; 69+ messages in thread
From: Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin @ 2019-08-21 7:12 UTC (permalink / raw)
To: L A Walsh; +Cc: cygwin
Thanks for the hints!
> so...what's your umask?
It's 022. As far as it's concerned, umask should only be considered when creating a new file, not to affect existing files' modes
(as with the chmod command). At any rate, the "x" bit in mine is unset, so I should not be having the issues that you've seen.
BTW, what's your Samba server's version? Mine is below:
$ /usr/sbin/smbd -V
Version 4.7.1
Lastly, I mounted the drives via the explorer and they had been marked as "reconnect at login", so they re-mount for me
upon every login and/or after a reboot... And there have been many of both.
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2019-08-15 2:00 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-15 9:21 ` L A Walsh
@ 2019-08-15 9:23 ` L A Walsh
2019-08-21 7:12 ` Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
1 sibling, 1 reply; 69+ messages in thread
From: L A Walsh @ 2019-08-15 9:23 UTC (permalink / raw)
To: lavr; +Cc: cygwin
On 2019/08/14 19:00, Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin wrote:
>> This is called by acl_to_any_text, which is called by getfacl. Any
>> chance you could try to debug this?
>>
>
>
>> I'm about to go on vacation, but I could try to help when I get back.
>>
>
> I'm headed out of town as well. But I get this very same EINVAL for any drive (/cygdrive/X)
> except for the local disk C: (the only local drive my PC has):
>
> $ mount
> ...
> S: on /cygdrive/s type netapp (binary,posix=0,user,noumount,auto)
> ...
> U: on /cygdrive/u type netapp (binary,posix=0,user,noumount,auto)
> ...
> Y: on /cygdrive/y type smbfs (binary,posix=0,user,noumount,auto)
>
----
BTW, how did you mount those? in explorer, or using
net use?
Another question -- what is your umask?
I noticed some flakiness with my execute perms as well
but more the opposite. I tried turning execute "off", and only after
removing all acls, and renaming it to foo.txt could I get rid of execute.
my /etc/fstab shows:
# /etc/fstab
#
# This file is read once by the first process in a Cygwin process tree.
# To pick up changes, restart all Cygwin processes. For a description
# see https://cygwin.com/cygwin-ug-net/using.html#mount-table
# This is default anyway:
none / cygdrive binary,posix=0,user 0 0
and my mount output shows:
C:/bin on /usr/bin type ntfs (binary,auto)
C:/lib on /usr/lib type ntfs (binary,auto)
C: on / type ntfs (binary,auto)
B: on /b type smbfs (binary,user,noumount,auto)
D: on /d type smbfs (binary,user,noumount,auto)
F: on /f type iso9660 (binary,user,noumount,auto)
H: on /h type smbfs (binary,user,noumount,auto)
I: on /i type smbfs (binary,user,noumount,auto)
M: on /m type smbfs (binary,user,noumount,auto)
P: on /p type smbfs (binary,user,noumount,auto)
R: on /r type smbfs (binary,user,noumount,auto)
S: on /s type smbfs (binary,user,noumount,auto)
T: on /t type smbfs (binary,user,noumount,auto)
-------------------
/tmp> ll foo*
-r-xr-xr-x 1 34323 Feb 3 2017 foo.txt*
/tmp> chmod -x foo.txt
/tmp> ll foo.txt
-r--r--r-- 1 34323 Feb 3 2017 foo.txt
/tmp> cd /h #-- h is an exported samba drive from my server
/h> ll foo.txt
-r--r--r-- 1 34323 Feb 3 2017 foo.txt
/h> +x foo.txt
/h> ll foo.txt
-r-xr-xr-x 1 34323 Feb 3 2017 foo.txt*
---
And it does work (was originally a copy of 'cat.exe')
But notice this :
/h> chmod -x foo.txt
/h> umask 111
/h> ll foo.txt
-r--r--r-- 1 34323 Feb 3 2017 foo.txt
/h> chmod +x foo.txt
/h> ll foo.txt
-r--r--r-- 1 34323 Feb 3 2017 foo.txt
chmod didn't turn on execution flags because I had the execute bit
masked out in my umask. I change my umask back to my norm:
/h> umask 002
/h> ll foo.txt
-r--r--r-- 1 34323 Feb 3 2017 foo.txt
/h> chmod +x foo.txt
/h> ll foo.txt
-r-xr-xr-x 1 34323 Feb 3 2017 foo.txt*
Now chmod +x works again.
so...what's your umask?
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2019-08-15 2:00 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
@ 2019-08-15 9:21 ` L A Walsh
2019-08-15 9:23 ` L A Walsh
1 sibling, 0 replies; 69+ messages in thread
From: L A Walsh @ 2019-08-15 9:21 UTC (permalink / raw)
To: cygwin
On 2019/08/14 19:00, Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin wrote:
>> This is called by acl_to_any_text, which is called by getfacl. Any
>> chance you could try to debug this?
>>
>
>
>> I'm about to go on vacation, but I could try to help when I get back.
>>
>
> I'm headed out of town as well. But I get this very same EINVAL for any drive (/cygdrive/X)
> except for the local disk C: (the only local drive my PC has):
>
> $ mount
> ...
> S: on /cygdrive/s type netapp (binary,posix=0,user,noumount,auto)
> ...
> U: on /cygdrive/u type netapp (binary,posix=0,user,noumount,auto)
> ...
> Y: on /cygdrive/y type smbfs (binary,posix=0,user,noumount,auto)
>
----
BTW, how did you mount those? in explorer, or using
net use?
Another question -- what is your umask?
I noticed some flakiness with my execute perms as well
but more the opposite. I tried turning execute "off", and only after
removing all acls, and renaming it to foo.txt could I get rid of execute.
my /etc/fstab shows:
# /etc/fstab
#
# This file is read once by the first process in a Cygwin process tree.
# To pick up changes, restart all Cygwin processes. For a description
# see https://cygwin.com/cygwin-ug-net/using.html#mount-table
# This is default anyway:
none / cygdrive binary,posix=0,user 0 0
and my mount output shows:
C:/bin on /usr/bin type ntfs (binary,auto)
C:/lib on /usr/lib type ntfs (binary,auto)
C: on / type ntfs (binary,auto)
B: on /b type smbfs (binary,user,noumount,auto)
D: on /d type smbfs (binary,user,noumount,auto)
F: on /f type iso9660 (binary,user,noumount,auto)
H: on /h type smbfs (binary,user,noumount,auto)
I: on /i type smbfs (binary,user,noumount,auto)
M: on /m type smbfs (binary,user,noumount,auto)
P: on /p type smbfs (binary,user,noumount,auto)
R: on /r type smbfs (binary,user,noumount,auto)
S: on /s type smbfs (binary,user,noumount,auto)
T: on /t type smbfs (binary,user,noumount,auto)
-------------------
/tmp> ll foo*
-r-xr-xr-x 1 34323 Feb 3 2017 foo.txt*
/tmp> chmod -x foo.txt
/tmp> ll foo.txt
-r--r--r-- 1 34323 Feb 3 2017 foo.txt
/tmp> cd /h #-- h is an exported samba drive from my server
/h> ll foo.txt
-r--r--r-- 1 34323 Feb 3 2017 foo.txt
/h> +x foo.txt
/h> ll foo.txt
-r-xr-xr-x 1 34323 Feb 3 2017 foo.txt*
---
And it does work (was originally a copy of 'cat.exe')
But notice this :
/h> chmod -x foo.txt
/h> umask 111
/h> ll foo.txt
-r--r--r-- 1 34323 Feb 3 2017 foo.txt
/h> chmod +x foo.txt
/h> ll foo.txt
-r--r--r-- 1 34323 Feb 3 2017 foo.txt
chmod didn't turn on execution flags because I had the execute bit
masked out in my umask. I change my umask back to my norm:
/h> umask 002
/h> ll foo.txt
-r--r--r-- 1 34323 Feb 3 2017 foo.txt
/h> chmod +x foo.txt
/h> ll foo.txt
-r-xr-xr-x 1 34323 Feb 3 2017 foo.txt*
Now chmod +x works again.
so...what's your umask?
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2019-08-15 1:40 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
@ 2019-08-15 2:59 ` Brian Inglis
0 siblings, 0 replies; 69+ messages in thread
From: Brian Inglis @ 2019-08-15 2:59 UTC (permalink / raw)
To: cygwin
On 2019-08-14 19:40, Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin wrote:
>> You can often figure permissions problems
> I already figured where the problem was, in how cygwin converts (or, actually
> doesn't) the UNIX's "x" bit into the native DAC for the underlying filesystem
> (to store as, again, "x" in the Linux share).
> Missing that DACL, SMBD returns "Access denied" for an attempt to execute the
> .exe file.
>
> I don't think that any of the requested output is of any help or indication,
> rather than to actually show that the execute permission is missing.
>
> $ /usr/lib/csih/getVolInfo /cygdrive/z
> Device Type : 7
> Characteristics : 10
> Volume Name : <home>
> Serial Number : 3112497429
> Max Filenamelength : 255
> Filesystemname : <NTFS>
> Flags : 1006f
> FILE_CASE_SENSITIVE_SEARCH : TRUE
> FILE_CASE_PRESERVED_NAMES : TRUE
> FILE_UNICODE_ON_DISK : TRUE
> FILE_PERSISTENT_ACLS : TRUE
> FILE_FILE_COMPRESSION : FALSE
> FILE_VOLUME_QUOTAS : TRUE
> FILE_SUPPORTS_SPARSE_FILES : TRUE
> FILE_SUPPORTS_REPARSE_POINTS: FALSE
> FILE_SUPPORTS_REMOTE_STORAGE: FALSE
> FILE_VOLUME_IS_COMPRESSED : FALSE
> FILE_SUPPORTS_OBJECT_IDS : TRUE
> FILE_SUPPORTS_ENCRYPTION : FALSE
> FILE_NAMED_STREAMS : FALSE
> FILE_READ_ONLY_VOLUME : FALSE
> FILE_SEQUENTIAL_WRITE_ONCE : FALSE
> FILE_SUPPORTS_TRANSACTIONS : FALSE
>
> $ pwd
> /cygdrive/z
>
> $ gcc hello.c
>
> $ /usr/lib/csih/getVolInfo /cygdrive/z/a.exe
> Device Type : 7
> Characteristics : 10
> Volume Name : <home>
> Serial Number : 3112497429
> Max Filenamelength : 255
> Filesystemname : <NTFS>
> Flags : 1006f
> FILE_CASE_SENSITIVE_SEARCH : TRUE
> FILE_CASE_PRESERVED_NAMES : TRUE
> FILE_UNICODE_ON_DISK : TRUE
> FILE_PERSISTENT_ACLS : TRUE
> FILE_FILE_COMPRESSION : FALSE
> FILE_VOLUME_QUOTAS : TRUE
> FILE_SUPPORTS_SPARSE_FILES : TRUE
> FILE_SUPPORTS_REPARSE_POINTS: FALSE
> FILE_SUPPORTS_REMOTE_STORAGE: FALSE
> FILE_VOLUME_IS_COMPRESSED : FALSE
> FILE_SUPPORTS_OBJECT_IDS : TRUE
> FILE_SUPPORTS_ENCRYPTION : FALSE
> FILE_NAMED_STREAMS : FALSE
> FILE_READ_ONLY_VOLUME : FALSE
> FILE_SEQUENTIAL_WRITE_ONCE : FALSE
> FILE_SUPPORTS_TRANSACTIONS : FALSE
>
> $ ls -dl /cygdrive/z/a.exe
> -rw-rw-r--+ 1 lavr cppcore 157753 Aug 14 21:30 /cygdrive/z/a.exe
>
> $ getfacl /cygdrive/z/a.exe
> # file: /cygdrive/z/a.exe
> # owner: lavr
> # group: cppcore
> user::rw-
> user:lavr:rw-
> group::r--
> group:cppcore:r--
> mask::rw-
> other::r--
>
> $ icacls `cygpath -w /cygdrive/z/a.exe`
> Z:\a.exe S-1-22-1-4640:(R,W)
> S-1-22-2-5333:(R)
> S-1-22-2-5333:(R)
> S-1-22-1-4640:(R,W)
> Everyone:(R)
>
> Successfully processed 1 files; Failed processing 0 files
Prerequisite for +x is DACL and masks allowing +x on normal file system
directories and executables, as Cygwin is emulating POSIX D/ACLs using Windows
D/ACLs:
drwxrwxr-x+ 1 SYSTEM SYSTEM 0 Aug 14 18:40 .
# file: .
# owner: SYSTEM
# group: SYSTEM
user::rwx
user:$USER:rwx
group::r-x
group:Administrators:rwx
group:$GROUP:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:$USER:rwx
default:group::---
default:group:Administrators:rwx
default:mask::rwx
default:other::r-x
. NULL SID:(DENY)(Rc,S,REA,WEA,X,DC)
NT AUTHORITY\SYSTEM:(F)
$HOSTNAME\$USER:(RX,W,DC)
NT AUTHORITY\SYSTEM:(RX)
BUILTIN\Administrators:(RX,W,DC)
BUILTIN\$GROUP:(RX)
Everyone:(RX)
NULL SID:(OI)(CI)(IO)(DENY)(Rc,S,REA,WEA,X,DC)
CREATOR OWNER:(OI)(CI)(IO)(F)
$HOSTNAME\$USER:(OI)(CI)(IO)(RX,W,DC)
CREATOR GROUP:(OI)(CI)(IO)(Rc,S,RA)
BUILTIN\Administrators:(OI)(CI)(IO)(RX,W,DC)
CREATOR GROUP:(OI)(CI)(IO)(DENY)(S,RD,REA,X)
Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
-rwxr-xr-x+ 1 $USER $GROUP 158443 Aug 3 2018 test.exe
# file: test.exe
# owner: $USER
# group: $GROUP
user::rwx
group::r-x
group:SYSTEM:rwx #effective:r-x
group:Administrators:rwx #effective:r-x
mask::r-x
other::r-x
test.exe NULL SID:(DENY)(Rc,S,REA,X,DC)
$HOSTNAME\$USER:(F)
BUILTIN\$GROUP:(RX)
NT AUTHORITY\SYSTEM:(RX,W)
BUILTIN\Administrators:(RX,W)
Everyone:(RX)
Successfully processed 1 files; Failed processing 0 files
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
@ 2019-08-15 2:00 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-15 9:21 ` L A Walsh
2019-08-15 9:23 ` L A Walsh
0 siblings, 2 replies; 69+ messages in thread
From: Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin @ 2019-08-15 2:00 UTC (permalink / raw)
To: 'cygwin@cygwin.com'
> This is called by acl_to_any_text, which is called by getfacl. Any
> chance you could try to debug this?
> I'm about to go on vacation, but I could try to help when I get back.
I'm headed out of town as well. But I get this very same EINVAL for any drive (/cygdrive/X)
except for the local disk C: (the only local drive my PC has):
$ mount
...
S: on /cygdrive/s type netapp (binary,posix=0,user,noumount,auto)
...
U: on /cygdrive/u type netapp (binary,posix=0,user,noumount,auto)
...
Y: on /cygdrive/y type smbfs (binary,posix=0,user,noumount,auto)
...
$ getfacl /cygdrive/u
# file: /cygdrive/u
# owner: Unknown+User
# group: Unknown+Group
user::rwx
user:lavr:rwx
group::r-x
mask::rwx
other::---
getfacl: /cygdrive/u: Invalid argument
$ getfacl /cygdrive/s
# file: /cygdrive/s
# owner: Unknown+User
# group: Unknown+Group
user::rwx
user:lavr:rwx
group::rwx
mask::rwx
other::---
getfacl: /cygdrive/s: Invalid argument
Everything works fine for the drives U: & S: w.r.t execution.
$ getfacl /cygdrive/y
# file: /cygdrive/y
# owner: lavr
# group: cppcore
user::rwx
group::r-x
other::r-x
getfacl: /cygdrive/y: Invalid argument
Drive "Y:" is a share from Linux that has special ACL flags set (I explained in previous posts):
acl allow execute always = True
making "everything" executable there.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
@ 2019-08-15 1:40 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-15 2:59 ` Brian Inglis
0 siblings, 1 reply; 69+ messages in thread
From: Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin @ 2019-08-15 1:40 UTC (permalink / raw)
To: 'cygwin@cygwin.com'
> You can often figure permissions problems
I already figured where the problem was, in how cygwin converts (or, actually doesn't) the UNIX's "x" bit into
the native DAC for the underlying filesystem (to store as, again, "x" in the Linux share). Missing that DAC, SMBD
returns "Access denied" for an attempt to execute the .exe file.
I don't think that any of the requested output is of any help or indication, rather than to actually show that the
execute permission is missing.
$ /usr/lib/csih/getVolInfo /cygdrive/z
Device Type : 7
Characteristics : 10
Volume Name : <home>
Serial Number : 3112497429
Max Filenamelength : 255
Filesystemname : <NTFS>
Flags : 1006f
FILE_CASE_SENSITIVE_SEARCH : TRUE
FILE_CASE_PRESERVED_NAMES : TRUE
FILE_UNICODE_ON_DISK : TRUE
FILE_PERSISTENT_ACLS : TRUE
FILE_FILE_COMPRESSION : FALSE
FILE_VOLUME_QUOTAS : TRUE
FILE_SUPPORTS_SPARSE_FILES : TRUE
FILE_SUPPORTS_REPARSE_POINTS: FALSE
FILE_SUPPORTS_REMOTE_STORAGE: FALSE
FILE_VOLUME_IS_COMPRESSED : FALSE
FILE_SUPPORTS_OBJECT_IDS : TRUE
FILE_SUPPORTS_ENCRYPTION : FALSE
FILE_NAMED_STREAMS : FALSE
FILE_READ_ONLY_VOLUME : FALSE
FILE_SEQUENTIAL_WRITE_ONCE : FALSE
FILE_SUPPORTS_TRANSACTIONS : FALSE
$ pwd
/cygdrive/z
$ gcc hello.c
$ /usr/lib/csih/getVolInfo /cygdrive/z/a.exe
Device Type : 7
Characteristics : 10
Volume Name : <home>
Serial Number : 3112497429
Max Filenamelength : 255
Filesystemname : <NTFS>
Flags : 1006f
FILE_CASE_SENSITIVE_SEARCH : TRUE
FILE_CASE_PRESERVED_NAMES : TRUE
FILE_UNICODE_ON_DISK : TRUE
FILE_PERSISTENT_ACLS : TRUE
FILE_FILE_COMPRESSION : FALSE
FILE_VOLUME_QUOTAS : TRUE
FILE_SUPPORTS_SPARSE_FILES : TRUE
FILE_SUPPORTS_REPARSE_POINTS: FALSE
FILE_SUPPORTS_REMOTE_STORAGE: FALSE
FILE_VOLUME_IS_COMPRESSED : FALSE
FILE_SUPPORTS_OBJECT_IDS : TRUE
FILE_SUPPORTS_ENCRYPTION : FALSE
FILE_NAMED_STREAMS : FALSE
FILE_READ_ONLY_VOLUME : FALSE
FILE_SEQUENTIAL_WRITE_ONCE : FALSE
FILE_SUPPORTS_TRANSACTIONS : FALSE
$ ls -dl /cygdrive/z/a.exe
-rw-rw-r--+ 1 lavr cppcore 157753 Aug 14 21:30 /cygdrive/z/a.exe
$ getfacl /cygdrive/z/a.exe
# file: /cygdrive/z/a.exe
# owner: lavr
# group: cppcore
user::rw-
user:lavr:rw-
group::r--
group:cppcore:r--
mask::rw-
other::r--
$ icacls `cygpath -w /cygdrive/z/a.exe`
Z:\a.exe S-1-22-1-4640:(R,W)
S-1-22-2-5333:(R)
S-1-22-2-5333:(R)
S-1-22-1-4640:(R,W)
Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2019-08-14 20:39 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
@ 2019-08-15 1:31 ` Ken Brown
0 siblings, 0 replies; 69+ messages in thread
From: Ken Brown @ 2019-08-15 1:31 UTC (permalink / raw)
To: cygwin
On 8/14/2019 4:39 PM, Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin wrote:
> I also showed the "getfacl" output for that file and the directory above, which showed
> nothing additional.
getfacl failed with EINVAL, as you know. So you can't rely on its output.
Ken
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2019-08-14 14:07 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
@ 2019-08-15 1:28 ` Ken Brown
0 siblings, 0 replies; 69+ messages in thread
From: Ken Brown @ 2019-08-15 1:28 UTC (permalink / raw)
To: cygwin
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="utf-8", Size: 917 bytes --]
On 8/14/2019 10:07 AM, Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
wrote:
> 249 98510 [main] getfacl 3412 __set_errno: char* __acltotext(aclent_t*, int, const char*, char, int):1644 setting errno 22
Here's where the EINVAL is coming from. The source is in sec_acl.cc:
char *
__acltotext (...)
{
if (!aclbufp || aclcnt < 0 || aclcnt > MAX_ACL_ENTRIES
|| (aclcnt > 0 && aclsort32 (aclcnt, 0, aclbufp)))
{
set_errno (EINVAL);
return NULL;
}
This is called by acl_to_any_text, which is called by getfacl. Any
chance you could try to debug this?
I'm about to go on vacation, but I could try to help when I get back.
Ken
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2019-08-14 11:22 ` Ken Brown
@ 2019-08-14 22:58 ` Brian Inglis
0 siblings, 0 replies; 69+ messages in thread
From: Brian Inglis @ 2019-08-14 22:58 UTC (permalink / raw)
To: cygwin
On 2019-08-14 05:22, Ken Brown wrote:
> On 8/14/2019 12:23 AM, Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin wrote:
>>> Have you checked the default ACL on the directory containing the file?
>>
>> No, and there's nothing special there now that I checked. I can change the
>> "Read & Execute" for the .exe file from the Windows file properties without
>> having to deal with anything special or additional (like inherited
>> permissions), so I don't think the containing directory has anything to do
>> with it.
>
> I suspect the containing directory has a lot to do with it. You shouldn't
> get an "Invalid argument" error below.
>
>> $ getfacl /cygdrive/z
>> # file: /cygdrive/z
>> # owner: lavr
>> # group: cppcore
>> user::rwx
>> group::r-x
>> other::r-x
>> getfacl: /cygdrive/z: Invalid argument
>
> Running getfacl under strace might provide a clue as to what the problem is.
> You could also try running /usr/lib/csih/getVolInfo.exe on that directory.
Running getVolInfo shows you supported operations and options:
$ /usr/lib/csih/getVolInfo "$exe"
Device Type : 7
Characteristics : 20020
Volume Name : <VOLUMENAME>
Serial Number : 112776248
Max Filenamelength : 255
Filesystemname : <NTFS>
Flags : 3e706ff
FILE_CASE_SENSITIVE_SEARCH : TRUE
FILE_CASE_PRESERVED_NAMES : TRUE
FILE_UNICODE_ON_DISK : TRUE
FILE_PERSISTENT_ACLS : TRUE
FILE_FILE_COMPRESSION : TRUE
FILE_VOLUME_QUOTAS : TRUE
FILE_SUPPORTS_SPARSE_FILES : TRUE
FILE_SUPPORTS_REPARSE_POINTS: TRUE
FILE_SUPPORTS_REMOTE_STORAGE: FALSE
FILE_VOLUME_IS_COMPRESSED : FALSE
FILE_SUPPORTS_OBJECT_IDS : TRUE
FILE_SUPPORTS_ENCRYPTION : TRUE
FILE_NAMED_STREAMS : TRUE
FILE_READ_ONLY_VOLUME : FALSE
FILE_SEQUENTIAL_WRITE_ONCE : FALSE
FILE_SUPPORTS_TRANSACTIONS : TRUE
You can often figure permissions problems out yourself by looking at the outputs
from:
$ ls --color=auto -dl "$exe"
$ getfacl "$exe"
$ icacls "$(cygpath -m ""$exe"")"
and correlating the info, perhaps also with the same commands executed on the
containing directory.
If you post that output from your system, others may be able to help you.
To first approximations: all file access problems are permissions problems; and
all programming problems are application programmer array access problems. ;^>
You have to first totally eliminate all possibilities of those, before you
should bother looking at other possible causes.
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 69+ messages in thread
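One way to do the correlation suggested above, as an added example that is not from any of the posters: it reads getfacl and icacls output and lists who is granted execute on each side. The sample input is copied from this thread (a.exe on the Samba share, test.exe from the 2019-08-15 reply); the function names are hypothetical, and the example assumes that the icacls rights F, M, RX, X, GE and GA imply execute while DENY and inherit-only (IO) ACEs are skipped.

```shell
#!/bin/sh
# Added demo (not from the thread): correlate getfacl and icacls output and
# list who is actually granted execute. Function names are hypothetical.

# stdin: getfacl output. Prints each access entry (mask and default: entries
# excluded) whose effective permissions include x.
getfacl_exec_entries() {
    awk -F: '
    $1 !~ /^(user|group|other)$/ || NF < 3 { next }
    {
        perms = $3
        # Prefer the "#effective:" note when the mask narrows an entry.
        if (match($0, /#effective:/)) perms = substr($0, RSTART + RLENGTH)
        else sub(/[ \t].*$/, "", perms)
        if (perms ~ /x/) print $1 ":" $2
    }'
}

# stdin: icacls output; $1 = the path exactly as icacls printed it.
# Prints the principal of every allow ACE whose rights include execute.
icacls_exec_aces() {
    ICACLS_PATH="$1" awk '
    BEGIN { path = ENVIRON["ICACLS_PATH"] }
    {
        line = $0
        # The first ACE shares its line with the path; drop that prefix.
        if (index(line, path " ") == 1) line = substr(line, length(path) + 2)
        sub(/^[ \t]+/, "", line)
        sub(/[ \t\r]+$/, "", line)
        pos = index(line, ":(")
        if (pos == 0 || line !~ /\)$/) next        # status and blank lines
        who = substr(line, 1, pos - 1)
        body = substr(line, pos + 2, length(line) - pos - 2)
        n = split(body, grp, /\)\(/)               # flag groups, rights last
        skip = 0
        for (i = 1; i < n; i++)
            if (grp[i] == "DENY" || grp[i] == "IO") skip = 1
        if (skip) next
        m = split(grp[n], right, ",")
        for (j = 1; j <= m; j++)
            if (right[j] ~ /^(F|M|RX|X|GE|GA)$/) { print who; next }
    }'
}

# Sample data copied from the thread ($USER etc. are the poster's redactions).
a_exe_getfacl() { cat <<'EOF'
# file: /cygdrive/z/a.exe
user::rw-
user:lavr:rw-
group::r--
group:cppcore:r--
mask::rw-
other::r--
EOF
}
a_exe_icacls() { cat <<'EOF'
Z:\a.exe S-1-22-1-4640:(R,W)
         S-1-22-2-5333:(R)
         S-1-22-2-5333:(R)
         S-1-22-1-4640:(R,W)
         Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
EOF
}
test_exe_getfacl() { cat <<'EOF'
# file: test.exe
user::rwx
group::r-x
group:SYSTEM:rwx #effective:r-x
group:Administrators:rwx #effective:r-x
mask::r-x
other::r-x
EOF
}
test_exe_icacls() { cat <<'EOF'
test.exe NULL SID:(DENY)(Rc,S,REA,X,DC)
         $HOSTNAME\$USER:(F)
         BUILTIN\$GROUP:(RX)
         NT AUTHORITY\SYSTEM:(RX,W)
         BUILTIN\Administrators:(RX,W)
         Everyone:(RX)
Successfully processed 1 files; Failed processing 0 files
EOF
}

# $1 = label, $2/$3 = getfacl/icacls sample functions, $4 = path in icacls output
report() {
    posix=$($2 | getfacl_exec_entries | wc -l | tr -d ' ')
    win=$($3 | icacls_exec_aces "$4" | wc -l | tr -d ' ')
    printf '%s: POSIX entries with x=%s, allow ACEs with execute=%s\n' "$1" "$posix" "$win"
}
report a.exe a_exe_getfacl a_exe_icacls 'Z:\a.exe'
report test.exe test_exe_getfacl test_exe_icacls 'test.exe'
```

On a live system, pipe `getfacl "$exe"` and `icacls "$(cygpath -w "$exe")"` into the two functions instead of the embedded samples.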
* Re: SMBFS mount's file cannot be made executable
@ 2019-08-14 20:39 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-15 1:31 ` Ken Brown
0 siblings, 1 reply; 69+ messages in thread
From: Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin @ 2019-08-14 20:39 UTC (permalink / raw)
To: 'cygwin@cygwin.com'
> See the '+' at the end of the modes?
I saw that, and I also showed the "getfacl" output for that file and the directory above, which showed
nothing additional.
> Maybe, but we'd still need to know how to get to the result you're seeing.
Just take a samba server (4.x) and mount a share with default settings on your Windows box; then
try to change the execute permissions for files in there from Cygwin's shell, using chmod -- the simplest.
> I hope it's clear to you that the permissions you see on this tab have
> nothing to do with the POSIX mode bits you're trying to set from Cygwin.
That is completely untrue; the underlying filesystem is still controlled by the OS (Windows) in either case.
When the "x" permission is set from under Cygwin, it has to get converted (inside the Cygwin dll) to an appropriate
DAC for the native file system layer. That DAC is then sent to the samba server (in case of the smb filesystem),
which then either converts it back to the "x" permission (when the SMBD is on Linux) or stores it on the target
filesystem, if that's a Windows box.
And it works the similar way in the reverse: when a file stat is requested from Cygwin, the SMBD gets the "x" bit,
converts it to SMB response (native for Windows DAC for "execute") and sends it back to Windows box,
which is then read by Cygwin DLL and gets shown as "x" bit in the POSIX mode. When I just use the file properties
dialog, I bypass only one step in the chains I just described, Cygwin DLL. And it works by setting the "x" bit
on the server side (Linux). So, that's how I know that something's off in how Cygwin treats that "x" permission
when asked to set it on a file.
When Windows is about to run an .exe file, it consults the filesystem whether the execute DAC is set.
In case of SMBD 4.x, the filesystem will respond "Access denied" if the "x" permission is not found.
It used to say "okay" in the previous versions. I quoted the report:
https://forge.univention.org/bugzilla/show_bug.cgi?id=33785
So when I asked my Systems guys that the share to be exported with
acl allow execute always = True
I can now execute any files (even those whose "x" bits are not set at all! -- SMBD clears everything to execute,
which is madness). Well, that works around the issue for me, but the question remains as to why when "chmod +x" is given,
Cygwin does not cause the "x" permission to be set on the target file if that file resides on smbfs.
I suspect there are no provisions in code to do that, but I may be wrong.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2019-08-13 23:19 ` Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
@ 2019-08-14 20:05 ` Andrey Repin
0 siblings, 0 replies; 69+ messages in thread
From: Andrey Repin @ 2019-08-14 20:05 UTC (permalink / raw)
To: Lavrentiev, Anton (NIH/NLM/NCBI) [C], cygwin
Greetings, Lavrentiev, Anton (NIH/NLM/NCBI) [C]!
>> What is your cygdrive mount options? Because default is, apparently, "binary,posix=0,user".
> I have no idea where they are kept at, and how to change them.
This is, as I said, the DEFAULT.
To change them, edit /etc/fstab, add the desired line.
F.e.
none /cygdrive cygdrive binary,posix=0,nouser 0 0
> Also, I couldn't make this work, anyways; yet I thought it should have worked:
>> > $ mount -o exec //coredev2/home/lavr /mnt
>> > $ mount
>> > //coredev2/home/lavr on /mnt type smbfs (binary,exec,user)
>> > ...
>> > $ cd /mnt
>> > $ pwd
>> > /mnt
>> > $ gcc a.c
>> > $ ls -l a.exe
>> > -rw-rw-r--+ 1 lavr cppcore 157753 Aug 13 08:20 a.exe
>> > $ ./a.exe
>> > -bash: ./a.exe: Permission denied
--
With best regards,
Andrey Repin
Wednesday, August 14, 2019 22:50:18
Sorry for my terrible english...
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
@ 2019-08-14 14:07 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-15 1:28 ` Ken Brown
0 siblings, 1 reply; 69+ messages in thread
From: Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin @ 2019-08-14 14:07 UTC (permalink / raw)
To: 'cygwin@cygwin.com'
> I suspect the containing directory has a lot to do with it.
Please elaborate what you ground your suspicion on.
Like I said previously, I can add "Read & Execute" permissions to the file in question from the Windows
file properties dialog, and it gets converted to an "x" on Linux side, then the file becomes executable
from on Windows (from either within a Cygwin shell or outside).
AFAICT, there's nothing in strace (follows) rather than trying to get info on "Z:" twice.
$ strace getfacl /cygdrive/z
--- Process 3412 created
--- Process 3412 loaded C:\Windows\System32\ntdll.dll at 00007ffcdea70000
--- Process 3412 loaded C:\Windows\System32\kernel32.dll at 00007ffcdde60000
--- Process 3412 loaded C:\Windows\System32\KernelBase.dll at 00007ffcdbbe0000
--- Process 3412 thread 2912 created
--- Process 3412 loaded C:\Cygwin64\bin\cygwin1.dll at 0000000180040000
2 2 [main] getfacl (3412) **********************************************
48 50 [main] getfacl (3412) Program name: C:\Cygwin64\bin\getfacl.exe (windows pid 3412)
25 75 [main] getfacl (3412) OS version: Windows NT-10.0
23 98 [main] getfacl (3412) **********************************************
--- Process 3412 loaded C:\Windows\System32\advapi32.dll at 00007ffcde990000
--- Process 3412 loaded C:\Windows\System32\msvcrt.dll at 00007ffcddd20000
--- Process 3412 loaded C:\Windows\System32\sechost.dll at 00007ffcdd800000
--- Process 3412 loaded C:\Windows\System32\rpcrt4.dll at 00007ffcde800000
--- Process 3412 thread 2120 created
--- Process 3412 loaded C:\Windows\System32\cryptbase.dll at 00007ffcda7d0000
--- Process 3412 loaded C:\Windows\System32\bcryptprimitives.dll at 00007ffcdbe60000
3732 3830 [main] getfacl (3412) sigprocmask: 0 = sigprocmask (0, 0x0, 0x1802FBC50)
630 4460 [main] getfacl 3412 open_shared: name shared.5, n 5, shared 0x180030000 (wanted 0x180030000), h 0xC8, *m 6
193 4653 [main] getfacl 3412 user_heap_info::init: heap base 0x600000000, heap top 0x600000000, heap size 0x20000000 (536870912)
227 4880 [main] getfacl 3412 open_shared: name S-1-5-21-2137354491-1741569864-122644288-1606.1, n 1, shared 0x180020000 (wanted 0x180020000), h 0xC4, *m 6
162 5042 [main] getfacl 3412 user_info::create: opening user shared for 'S-1-5-21-2137354491-1741569864-122644288-1606' at 0x180020000
245 5287 [main] getfacl 3412 user_info::create: user shared version AB1FCCE8
178 5465 [main] getfacl 3412 fhandler_pipe::create: name \\.\pipe\cygwin-e022582115c10879-3412-sigwait, size 11440, mode PIPE_TYPE_MESSAGE
55 5520 [main] getfacl 3412 fhandler_pipe::create: pipe read handle 0xDC
24 5544 [main] getfacl 3412 fhandler_pipe::create: CreateFile: name \\.\pipe\cygwin-e022582115c10879-3412-sigwait
118 5662 [main] getfacl 3412 fhandler_pipe::create: pipe write handle 0xE0
195 5857 [main] getfacl 3412 dll_crt0_0: finished dll_crt0_0 initialization
--- Process 3412 thread 20940 created
932 6789 [main] getfacl 3412 time: 1565789069 = time(0x0)
29 6818 [sig] getfacl 3412 wait_sig: entering ReadFile loop, my_readsig 0xDC, my_sendsig 0xE0
155 6973 [main] getfacl 3412 mount_info::conv_to_posix_path: conv_to_posix_path (\\coredev2\home\lavr, 0x0, no-add-slash)
208 7181 [main] getfacl 3412 normalize_win32_path: \\coredev2\home\lavr = normalize_win32_path (\\coredev2\home\lavr)
116 7297 [main] getfacl 3412 mount_info::conv_to_posix_path: /mnt = conv_to_posix_path (\\coredev2\home\lavr)
167 7464 [main] getfacl 3412 sigprocmask: 0 = sigprocmask (0, 0x0, 0x600018130)
318 7782 [main] getfacl 3412 _cygwin_istext_for_stdio: fd 0: not open
109 7891 [main] getfacl 3412 _cygwin_istext_for_stdio: fd 1: not open
118 8009 [main] getfacl 3412 _cygwin_istext_for_stdio: fd 2: not open
368 8377 [main] getfacl (3412) open_shared: name cygpid.3412, n 3412, shared 0x180010000 (wanted 0x180010000), h 0x108, *m 2
188 8565 [main] getfacl (3412) time: 1565789069 = time(0x0)
150 8715 [main] getfacl 3412 pinfo::thisproc: myself dwProcessId 3412
122 8837 [main] getfacl 3412 environ_init: GetEnvironmentStrings returned 0x113B10
626 9463 [main] getfacl 3412 win32env_to_cygenv: 0x6000284F0: ADVISOR_2018_DIR=C:\Program Files (x86)\IntelSWTools\Advisor 2018\
80 9543 [main] getfacl 3412 win32env_to_cygenv: 0x600028540: ADVISOR_2019_DIR=C:\Program Files (x86)\IntelSWTools\Advisor 2019\
111 9654 [main] getfacl 3412 win32env_to_cygenv: 0x600028590: ALLUSERSPROFILE=C:\ProgramData
194 9848 [main] getfacl 3412 win32env_to_cygenv: 0x6000285C0: APPDATA=C:\Users\lavr\AppData\Roaming
170 10018 [main] getfacl 3412 win32env_to_cygenv: 0x6000285F0: BLASTDB=\\snowman\blast\db\blast
234 10252 [main] getfacl 3412 win32env_to_cygenv: 0x600028620: COMMONPROGRAMFILES=C:\Program Files\Common Files
322 10574 [main] getfacl 3412 win32env_to_cygenv: 0x600028660: COMPUTERNAME=NCBIPC9135
21 34885 [main] getfacl 3412 posify_maybe: env var converted to TEMP=/tmp
60 34945 [main] getfacl 3412 win32env_to_cygenv: 0x600029AF0: TEMP=/tmp
39 34984 [main] getfacl 3412 win32env_to_cygenv: 0x600029A90: TERM=xterm
214 35198 [main] getfacl 3412 getwinenv: can't set native for TMP= since no environ yet
26 35224 [main] getfacl 3412 mount_info::conv_to_posix_path: conv_to_posix_path (C:\Cygwin64\tmp, 0x10000000, no-add-slash)
93 35317 [main] getfacl 3412 normalize_win32_path: C:\Cygwin64\tmp = normalize_win32_path (C:\Cygwin64\tmp)
98 35415 [main] getfacl 3412 mount_info::conv_to_posix_path: /tmp = conv_to_posix_path (C:\Cygwin64\tmp)
290 35705 [main] getfacl 3412 win_env::add_cache: posix /tmp
88 35793 [main] getfacl 3412 win_env::add_cache: native TMP=C:\Cygwin64\tmp
21 35814 [main] getfacl 3412 posify_maybe: env var converted to TMP=/tmp
68 35882 [main] getfacl 3412 win32env_to_cygenv: 0x600029B70: TMP=/tmp
46 35928 [main] getfacl 3412 win32env_to_cygenv: 0x600029B10: TZ=America/New_York
43 35971 [main] getfacl 3412 win32env_to_cygenv: 0x600029B90: UATDATA=C:\WINDOWS\CCM\UATData\D9F8C395-CAB8-491d-B8AC-179A1FE1BE77
121 36092 [main] getfacl 3412 win32env_to_cygenv: 0x600029BE0: USER=lavr
286 36378 [main] getfacl 3412 win32env_to_cygenv: 0x600029C00: USERDNSDOMAIN=NCBI.NLM.NIH.GOV
175 36553 [main] getfacl 3412 win32env_to_cygenv: 0x600029C30: USERDOMAIN=NCBI_NT
217 36770 [main] getfacl 3412 win32env_to_cygenv: 0x600029C50: USERDOMAIN_ROAMINGPROFILE=NCBI_NT
364 37134 [main] getfacl 3412 win32env_to_cygenv: 0x600029C80: USERNAME=lavr
244 37378 [main] getfacl 3412 win32env_to_cygenv: 0x600029CA0: USERPROFILE=C:\Users\lavr
182 37560 [main] getfacl 3412 win32env_to_cygenv: 0x600029CD0: VDB_CONFIG=//snowman/trace_software/vdb/config://snowman/trace_software/vdb/win/config
46 37606 [main] getfacl 3412 win32env_to_cygenv: 0x60003B500: VS140COMNTOOLS=C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\Tools\
59 37665 [main] getfacl 3412 win32env_to_cygenv: 0x60003B560: VS2017INSTALLDIR=C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional
118 37783 [main] getfacl 3412 win32env_to_cygenv: 0x60003B5C0: VTUNE_AMPLIFIER_2018_DIR=C:\Program Files (x86)\IntelSWTools\VTune Amplifier 2018\
307 38090 [main] getfacl 3412 win32env_to_cygenv: 0x60003B620: VTUNE_AMPLIFIER_2019_DIR=C:\Program Files (x86)\IntelSWTools\VTune Amplifier 2019\
51 38141 [main] getfacl 3412 win32env_to_cygenv: 0x600029D30: WINDIR=C:\WINDOWS
114 38255 [main] getfacl 3412 win32env_to_cygenv: 0x600029D50: _=/usr/bin/strace
236 38491 [main] getfacl 3412 pinfo_init: Set nice to 0
24 38515 [main] getfacl 3412 pinfo_init: pid 3412, pgid 3412, process_state 0x41
67 38582 [main] getfacl 3412 App version: 2011.2, api: 0.329
24 38606 [main] getfacl 3412 DLL version: 2011.2, api: 0.329
44 38650 [main] getfacl 3412 DLL build: 2018-11-08 14:34
229 38879 [main] getfacl 3412 dtable::extend: size 32, fds 0x180323E48
218 39097 [main] getfacl 3412 __get_lcid_from_locale: LCID=0x0409
724 39821 [main] getfacl 3412 transport_layer_pipes::connect: Try to connect to named pipe: \\.\pipe\cygwin-e022582115c10879-lpc
448 40269 [main] getfacl 3412 transport_layer_pipes::connect: Try to connect to named pipe: \\.\pipe\cygwin-e022582115c10879-lpc
299 40568 [main] getfacl 3412 transport_layer_pipes::connect: Try to connect to named pipe: \\.\pipe\cygwin-e022582115c10879-lpc
402 40970 [main] getfacl 3412 cygheap_user::ontherange: what 2, pw 0x180324068
29 40999 [main] getfacl 3412 cygheap_user::ontherange: HOME is already in the environment /home/lavr
151 41150 [main] getfacl 3412 build_argv: argv[0] = 'getfacl'
279 41429 [main] getfacl 3412 build_argv: argv[1] = '/cygdrive/z'
24 41453 [main] getfacl 3412 build_argv: argc 2
174 41627 [main] getfacl 3412 build_fh_pc: created an archetype (0x1803250C8) for /dev/pty1(136/1)
23 41650 [main] getfacl 3412 build_fh_pc: fh 0x180324D58, dev 00880001
194 41844 [main] getfacl 3412 fhandler_pipe::create: name \\.\pipe\cygwin-e022582115c10879-pty1-from-master, size 131072, mode PIPE_TYPE_MESSAGE
141 41985 [main] getfacl 3412 fhandler_pipe::create: pipe busy
114 42099 [main] getfacl 3412 tty::exists: exists 1
163 42262 [main] getfacl 3412 set_posix_access: ACL-Size: 124
44 42306 [main] getfacl 3412 set_posix_access: Created SD-Size: 200
24 42330 [main] getfacl 3412 fhandler_pty_slave::open: (393): pty output_mutex (0x118): waiting -1 ms
27 42357 [main] getfacl 3412 fhandler_pty_slave::open: (393): pty output_mutex: acquired
29 42386 [main] getfacl 3412 tty::create_inuse: cygtty.slave_alive.1 0x124
22 42408 [main] getfacl 3412 fhandler_pty_slave::open: (396): pty output_mutex(0x118) released
214 42622 [main] getfacl 3412 open_shared: name cygpid.18084, n 18084, shared 0x20000 (wanted 0x0), h 0x128, *m 6
89 42711 [main] getfacl 3412 fhandler_pty_slave::open: dup handles directly since I'm the owner
40 42751 [main] getfacl 3412 fhandler_pty_slave::open: duplicated from_master 0x3E4->0x128 from pty_owner
24 42775 [main] getfacl 3412 fhandler_pty_slave::open: duplicated to_master 0x3F0->0x10C from pty_owner
22 42797 [main] getfacl 3412 fhandler_pty_slave::open: duplicated to_master_cyg 0x3F8->0x12C from pty_owner
46 42843 [main] getfacl 3412 fhandler_console::need_invisible: invisible_console 0
30 42873 [main] getfacl 3412 fhandler_base::open_with_arch: line 458: /dev/pty1<0x1803250C8> usecount + 1 = 1
33 42906 [main] getfacl 3412 fhandler_base::set_flags: flags 0x10002, supplied_bin 0x0
167 43073 [main] getfacl 3412 fhandler_base::set_flags: O_TEXT/O_BINARY set in flags 0x10000
104 43177 [main] getfacl 3412 fhandler_base::set_flags: filemode set to binary
107 43284 [main] getfacl 3412 _pinfo::set_ctty: old no ctty, ctty device number 0xFFFFFFFF, tc.ntty device number 0x880001 flags & O_NOCTTY 0x0
101 43385 [main] getfacl 3412 _pinfo::set_ctty: cygheap->ctty 0x0, archetype 0x1803250C8
106 43491 [main] getfacl 3412 _pinfo::set_ctty: ctty was NULL
111 43602 [main] getfacl 3412 _pinfo::set_ctty: line 497: /dev/pty1<0x1803250C8> usecount + 1 = 2
105 43707 [main] getfacl 3412 _pinfo::set_ctty: /dev/pty1 ctty, usecount 2
100 43807 [main] getfacl 3412 _pinfo::set_ctty: attaching ctty /dev/pty1 sid 3412, pid 3412, pgid 3412, tty->pgid 1968, tty->sid 8588
137 43944 [main] getfacl 3412 _pinfo::set_ctty: cygheap->ctty now 0x1803250C8, archetype 0x1803250C8
141 44085 [main] getfacl 3412 fhandler_pty_slave::open_setup: /dev/pty1 opened, usecount 2
122 44207 [main] getfacl 3412 fhandler_base::set_flags: flags 0x10002, supplied_bin 0x0
101 44308 [main] getfacl 3412 fhandler_base::set_flags: O_TEXT/O_BINARY set in flags 0x10000
86 44394 [main] getfacl 3412 fhandler_base::set_flags: filemode set to binary
88 44482 [main] getfacl 3412 _pinfo::set_ctty: old ctty /dev/pty1, ctty device number 0x880001, tc.ntty device number 0x880001 flags & O_NOCTTY 0x0
104 44586 [main] getfacl 3412 _pinfo::set_ctty: attaching ctty /dev/pty1 sid 8588, pid 3412, pgid 1968, tty->pgid 1968, tty->sid 8588
102 44688 [main] getfacl 3412 _pinfo::set_ctty: cygheap->ctty now 0x1803250C8, archetype 0x1803250C8
104 44792 [main] getfacl 3412 fhandler_pty_slave::open_setup: /dev/pty1 opened, usecount 2
256 45048 [main] getfacl 3412 build_fh_pc: found an archetype for (null)(136/1) io_handle 0x128
23 45071 [main] getfacl 3412 build_fh_pc: fh 0x1803254A8, dev 00880001
28 45099 [main] getfacl 3412 fhandler_base::open_with_arch: line 478: /dev/pty1<0x1803250C8> usecount + 1 = 3
22 45121 [main] getfacl 3412 fhandler_base::set_flags: flags 0x10002, supplied_bin 0x0
23 45144 [main] getfacl 3412 fhandler_base::set_flags: O_TEXT/O_BINARY set in flags 0x10000
22 45166 [main] getfacl 3412 fhandler_base::set_flags: filemode set to binary
23 45189 [main] getfacl 3412 _pinfo::set_ctty: old ctty /dev/pty1, ctty device number 0x880001, tc.ntty device number 0x880001 flags & O_NOCTTY 0x0
25 45214 [main] getfacl 3412 _pinfo::set_ctty: attaching ctty /dev/pty1 sid 8588, pid 3412, pgid 1968, tty->pgid 1968, tty->sid 8588
24 45238 [main] getfacl 3412 _pinfo::set_ctty: cygheap->ctty now 0x1803250C8, archetype 0x1803250C8
23 45261 [main] getfacl 3412 fhandler_pty_slave::open_setup: /dev/pty1 opened, usecount 3
25 45286 [main] getfacl 3412 fhandler_base::set_flags: flags 0x10002, supplied_bin 0x0
20 45306 [main] getfacl 3412 fhandler_base::set_flags: O_TEXT/O_BINARY set in flags 0x10000
30 45336 [main] getfacl 3412 fhandler_base::set_flags: filemode set to binary
23 45359 [main] getfacl 3412 _pinfo::set_ctty: old ctty /dev/pty1, ctty device number 0x880001, tc.ntty device number 0x880001 flags & O_NOCTTY 0x0
24 45383 [main] getfacl 3412 _pinfo::set_ctty: attaching ctty /dev/pty1 sid 8588, pid 3412, pgid 1968, tty->pgid 1968, tty->sid 8588
24 45407 [main] getfacl 3412 _pinfo::set_ctty: cygheap->ctty now 0x1803250C8, archetype 0x1803250C8
22 45429 [main] getfacl 3412 fhandler_pty_slave::open_setup: /dev/pty1 opened, usecount 3
72 45501 [main] getfacl 3412 build_fh_pc: found an archetype for (null)(136/1) io_handle 0x128
22 45523 [main] getfacl 3412 build_fh_pc: fh 0x180325818, dev 00880001
25 45548 [main] getfacl 3412 fhandler_base::open_with_arch: line 478: /dev/pty1<0x1803250C8> usecount + 1 = 4
23 45571 [main] getfacl 3412 fhandler_base::set_flags: flags 0x10002, supplied_bin 0x0
22 45593 [main] getfacl 3412 fhandler_base::set_flags: O_TEXT/O_BINARY set in flags 0x10000
22 45615 [main] getfacl 3412 fhandler_base::set_flags: filemode set to binary
22 45637 [main] getfacl 3412 _pinfo::set_ctty: old ctty /dev/pty1, ctty device number 0x880001, tc.ntty device number 0x880001 flags & O_NOCTTY 0x0
24 45661 [main] getfacl 3412 _pinfo::set_ctty: attaching ctty /dev/pty1 sid 8588, pid 3412, pgid 1968, tty->pgid 1968, tty->sid 8588
22 45683 [main] getfacl 3412 _pinfo::set_ctty: cygheap->ctty now 0x1803250C8, archetype 0x1803250C8
22 45705 [main] getfacl 3412 fhandler_pty_slave::open_setup: /dev/pty1 opened, usecount 4
24 45729 [main] getfacl 3412 fhandler_base::set_flags: flags 0x10002, supplied_bin 0x0
22 45751 [main] getfacl 3412 fhandler_base::set_flags: O_TEXT/O_BINARY set in flags 0x10000
22 45773 [main] getfacl 3412 fhandler_base::set_flags: filemode set to binary
23 45796 [main] getfacl 3412 _pinfo::set_ctty: old ctty /dev/pty1, ctty device number 0x880001, tc.ntty device number 0x880001 flags & O_NOCTTY 0x0
24 45820 [main] getfacl 3412 _pinfo::set_ctty: attaching ctty /dev/pty1 sid 8588, pid 3412, pgid 1968, tty->pgid 1968, tty->sid 8588
23 45843 [main] getfacl 3412 _pinfo::set_ctty: cygheap->ctty now 0x1803250C8, archetype 0x1803250C8
22 45865 [main] getfacl 3412 fhandler_pty_slave::open_setup: /dev/pty1 opened, usecount 4
57 45922 [main] getfacl 3412 __set_errno: void dll_crt0_1(void*):979 setting errno 0
450 46372 [main] getfacl 3412 isatty: 1 = isatty(1)
31 46403 [main] getfacl 3412 stat64: entering
25 46428 [main] getfacl 3412 normalize_posix_path: src /cygdrive/z
22 46450 [main] getfacl 3412 normalize_posix_path: /cygdrive/z = normalize_posix_path (/cygdrive/z)
21 46471 [main] getfacl 3412 mount_info::conv_to_win32_path: conv_to_win32_path (/cygdrive/z)
26 46497 [main] getfacl 3412 mount_info::cygdrive_win32_path: src '/cygdrive/z', dst 'Z:\'
24 46521 [main] getfacl 3412 set_flags: flags: binary (0x2)
22 46543 [main] getfacl 3412 mount_info::conv_to_win32_path: src_path /cygdrive/z, dst Z:\, flags 0x4022, rc 0
937 47480 [main] getfacl 3412 symlink_info::check: 0xC000004F = NtCreateFile (\??\Z:\)
1115 48595 [main] getfacl 3412 symlink_info::check: 0x0 = NtOpenFile (no-EAs \??\Z:\)
1385 49980 [main] getfacl 3412 symlink_info::check: not a symlink
24 50004 [main] getfacl 3412 symlink_info::check: 0 = symlink.check(Z:\, 0xFFFFB8D0) (0x404022)
25 50029 [main] getfacl 3412 path_conv::check: this->path(Z:\), has_acls(1)
29 50058 [main] getfacl 3412 build_fh_pc: fh 0x180325B88, dev 000000C3
28 50086 [main] getfacl 3412 stat_worker: (\??\Z:\, 0xFFFFCB30, 0x180325B88), file_attributes 16
--- Process 3412 thread 19720 created
1209 51295 [ldap_init] getfacl 3412 cygthread::stub: thread 'ldap_init', id 0x4D08, stack_ptr 0xFCCCD0
--- Process 3412 loaded C:\Windows\System32\Wldap32.dll at 00007ffcde930000
--- Process 3412 loaded C:\Windows\System32\ucrtbase.dll at 00007ffcdbae0000
--- Process 3412 loaded C:\Windows\System32\ws2_32.dll at 00007ffcde510000
--- Process 3412 loaded C:\Windows\System32\mswsock.dll at 00007ffcda600000
--- Process 3412 loaded C:\Windows\System32\sspicli.dll at 00007ffcdac80000
--- Process 3412 loaded C:\Windows\System32\logoncli.dll at 00007ffcd56b0000
--- Process 3412 loaded C:\Windows\System32\netutils.dll at 00007ffcda490000
--- Process 3412 thread 1964 created
--- Process 3412 loaded C:\Windows\System32\dsparse.dll at 00007ffcd0de0000
--- Process 3412 loaded C:\Windows\System32\kerberos.dll at 00007ffcda6c0000
--- Process 3412 loaded C:\Windows\System32\msasn1.dll at 00007ffcdae20000
--- Process 3412 loaded C:\Windows\System32\cryptdll.dll at 00007ffcda670000
--- Process 3412 loaded C:\Windows\System32\bcrypt.dll at 00007ffcda8e0000
29984 81279 [main] getfacl 3412 transport_layer_pipes::connect: Try to connect to named pipe: \\.\pipe\cygwin-e022582115c10879-lpc
832 82111 [main] getfacl 3412 fhandler_base::fstat_helper: 0 = fstat (\??\Z:\, 0xFFFFCB30) st_size=0, st_mode=040755, st_ino=4718627st_atim=5D53FCAD.3A2C2D44 st_ctim=5D52AB1E.30674D0C st_mtim=5D52AB1E.30674D0C st_birthtim=5D52AB1E.30674D0C
33 82144 [main] getfacl 3412 stat_worker: 0 = (\??\Z:\,0xFFFFCB30)
1240 83384 [main] getfacl 3412 normalize_posix_path: src /cygdrive/z
24 83408 [main] getfacl 3412 normalize_posix_path: /cygdrive/z = normalize_posix_path (/cygdrive/z)
90 83498 [main] getfacl 3412 mount_info::conv_to_win32_path: conv_to_win32_path (/cygdrive/z)
26 83524 [main] getfacl 3412 mount_info::cygdrive_win32_path: src '/cygdrive/z', dst 'Z:\'
25 83549 [main] getfacl 3412 set_flags: flags: binary (0x2)
24 83573 [main] getfacl 3412 mount_info::conv_to_win32_path: src_path /cygdrive/z, dst Z:\, flags 0x4022, rc 0
1141 84714 [main] getfacl 3412 symlink_info::check: 0xC000004F = NtCreateFile (\??\Z:\)
1428 86142 [main] getfacl 3412 symlink_info::check: 0x0 = NtOpenFile (no-EAs \??\Z:\)
645 86787 [main] getfacl 3412 symlink_info::check: not a symlink
713 87500 [main] getfacl 3412 symlink_info::check: 0 = symlink.check(Z:\, 0xFFFFB840) (0x4022)
25 87525 [main] getfacl 3412 path_conv::check: this->path(Z:\), has_acls(1)
31 87556 [main] getfacl 3412 build_fh_pc: fh 0x180325B88, dev 000000C3
28 87584 [main] getfacl 3412 fhandler_base::open: (\??\Z:\, 0x110000)
1139 88723 [main] getfacl 3412 fhandler_base::set_flags: flags 0x110000, supplied_bin 0x10000
23 88746 [main] getfacl 3412 fhandler_base::set_flags: O_TEXT/O_BINARY set in flags 0x10000
22 88768 [main] getfacl 3412 fhandler_base::set_flags: filemode set to binary
21 88789 [main] getfacl 3412 fhandler_base::open: 0x0 = NtCreateFile (0x1AC, 0x20000, \??\Z:\, io, NULL, 0x0, 0x7, 0x1, 0x4000, NULL, 0)
24 88813 [main] getfacl 3412 fhandler_base::open: 1 = fhandler_base::open(\??\Z:\, 0x110000)
22 88835 [main] getfacl 3412 fhandler_base::open_fs: 1 = fhandler_disk_file::open(\??\Z:\, 0x10000)
664 89499 [main] getfacl 3412 getacl: 3 = getacl(\??\Z:\)
84 89583 [main] getfacl 3412 fhandler_base::close: closing '/cygdrive/z' handle 0x1AC
616 90199 [main] getfacl 3412 normalize_posix_path: src /cygdrive/z
23 90222 [main] getfacl 3412 normalize_posix_path: /cygdrive/z = normalize_posix_path (/cygdrive/z)
23 90245 [main] getfacl 3412 mount_info::conv_to_win32_path: conv_to_win32_path (/cygdrive/z)
23 90268 [main] getfacl 3412 mount_info::cygdrive_win32_path: src '/cygdrive/z', dst 'Z:\'
20 90288 [main] getfacl 3412 set_flags: flags: binary (0x2)
21 90309 [main] getfacl 3412 mount_info::conv_to_win32_path: src_path /cygdrive/z, dst Z:\, flags 0x4022, rc 0
633 90942 [main] getfacl 3412 symlink_info::check: 0xC000004F = NtCreateFile (\??\Z:\)
856 91798 [main] getfacl 3412 symlink_info::check: 0x0 = NtOpenFile (no-EAs \??\Z:\)
478 92276 [main] getfacl 3412 symlink_info::check: not a symlink
544 92820 [main] getfacl 3412 symlink_info::check: 0 = symlink.check(Z:\, 0xFFFFB840) (0x4022)
29 92849 [main] getfacl 3412 path_conv::check: this->path(Z:\), has_acls(1)
30 92879 [main] getfacl 3412 build_fh_pc: fh 0x180325B88, dev 000000C3
25 92904 [main] getfacl 3412 fhandler_base::open: (\??\Z:\, 0x110000)
966 93870 [main] getfacl 3412 fhandler_base::set_flags: flags 0x110000, supplied_bin 0x10000
25 93895 [main] getfacl 3412 fhandler_base::set_flags: O_TEXT/O_BINARY set in flags 0x10000
21 93916 [main] getfacl 3412 fhandler_base::set_flags: filemode set to binary
22 93938 [main] getfacl 3412 fhandler_base::open: 0x0 = NtCreateFile (0x1AC, 0x20000, \??\Z:\, io, NULL, 0x0, 0x7, 0x1, 0x4000, NULL, 0)
23 93961 [main] getfacl 3412 fhandler_base::open: 1 = fhandler_base::open(\??\Z:\, 0x110000)
22 93983 [main] getfacl 3412 fhandler_base::open_fs: 1 = fhandler_disk_file::open(\??\Z:\, 0x10000)
552 94535 [main] getfacl 3412 getacl: 3 = getacl(\??\Z:\)
79 94614 [main] getfacl 3412 fhandler_base::close: closing '/cygdrive/z' handle 0x1AC
669 95283 [main] getfacl 3412 time: 1565789069 = time(0x0)
65 95348 [main] getfacl 3412 transport_layer_pipes::connect: Try to connect to named pipe: \\.\pipe\cygwin-e022582115c10879-lpc
123 95471 [main] getfacl 3412 stat64: entering
22 95493 [main] getfacl 3412 normalize_posix_path: src /dev
21 95514 [main] getfacl 3412 normalize_posix_path: /dev = normalize_posix_path (/dev)
23 95537 [main] getfacl 3412 mount_info::conv_to_win32_path: conv_to_win32_path (/dev)
22 95559 [main] getfacl 3412 set_flags: flags: binary (0x2)
21 95580 [main] getfacl 3412 mount_info::conv_to_win32_path: src_path /dev, dst C:\Cygwin64\dev, flags 0x3000A, rc 0
121 95701 [main] getfacl 3412 symlink_info::check: 0x0 = NtCreateFile (\??\C:\Cygwin64\dev)
37 95738 [main] getfacl 3412 symlink_info::check: not a symlink
20 95758 [main] getfacl 3412 symlink_info::check: 0 = symlink.check(C:\Cygwin64\dev, 0xFFFFB2A0) (0x43000A)
32 95790 [main] getfacl 3412 build_fh_pc: fh 0x180325B88, dev 000000C1
20 95810 [main] getfacl 3412 stat_worker: (\??\C:\Cygwin64\dev, 0x1802FBAC0, 0x180325B88), file_attributes 16
74 95884 [main] getfacl 3412 transport_layer_pipes::connect: Try to connect to named pipe: \\.\pipe\cygwin-e022582115c10879-lpc
102 95986 [main] getfacl 3412 fhandler_base::fstat_helper: 0 = fstat (\??\C:\Cygwin64\dev, 0x1802FBAC0) st_size=0, st_mode=040775, st_ino=281474978099101st_atim=597252B5.21621FD0 st_ctim=5BDB559B.1735340C st_mtim=597252B5.21621FD0 st_birthtim=597251AB.27521594
25 96011 [main] getfacl 3412 stat_worker: 0 = (\??\C:\Cygwin64\dev,0x1802FBAC0)
49 96060 [main] getfacl 3412 fstat64: 0 = fstat(1, 0xFFFFC5E0)
169 96229 [main] getfacl 3412 isatty: 1 = isatty(1)
# file: /cygdrive/z
98 96327 [main] getfacl 3412 fhandler_pty_slave::write: pty1, write(0x60003B810, 20)
21 96348 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex (0x118): waiting -1 ms
22 96370 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex: acquired
22 96392 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1941): pty output_mutex(0x118) released
28 96420 [main] getfacl 3412 write: 20 = write(1, 0x60003B810, 20)
218 96638 [main] getfacl 3412 fhandler_pty_slave::write: pty1, write(0x60003B810, 14)
113 96751 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex (0x118): waiting -1 ms
28 96779 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex: acquired
31 96810 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1941): pty output_mutex(0x118) released
# owner: lavr
39 96849 [main] getfacl 3412 write: 14 = write(1, 0x60003B810, 14)
254 97103 [main] getfacl 3412 fhandler_pty_slave::write: pty1, write(0x60003B810, 17)
23 97126 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex (0x118): waiting -1 ms
26 97152 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex: acquired
25 97177 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1941): pty output_mutex(0x118) released
# group: cppcore
26 97203 [main] getfacl 3412 write: 17 = write(1, 0x60003B810, 17)
244 97447 [main] getfacl 3412 fhandler_pty_slave::write: pty1, write(0x60003B810, 10)
28 97475 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex (0x118): waiting -1 ms
24 97499 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex: acquired
25 97524 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1941): pty output_mutex(0x118) released
user::rwx
23 97547 [main] getfacl 3412 write: 10 = write(1, 0x60003B810, 10)
112 97659 [main] getfacl 3412 fhandler_pty_slave::write: pty1, write(0x60003B810, 11)
23 97682 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex (0x118): waiting -1 ms
31 97713 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex: acquired
24 97737 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1941): pty output_mutex(0x118) released
group::r-x
30 97767 [main] getfacl 3412 write: 11 = write(1, 0x60003B810, 11)
127 97894 [main] getfacl 3412 fhandler_pty_slave::write: pty1, write(0x60003B810, 11)
176 98070 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex (0x118): waiting -1 ms
24 98094 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex: acquired
34 98128 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1941): pty output_mutex(0x118) released
other::r-x
133 98261 [main] getfacl 3412 write: 11 = write(1, 0x60003B810, 11)
249 98510 [main] getfacl 3412 __set_errno: char* __acltotext(aclent_t*, int, const char*, char, int):1644 setting errno 22
335 98845 [main] getfacl 3412 fhandler_pty_slave::write: pty1, write(0xFFFFCC60, 7)
25 98870 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex (0x118): waiting -1 ms
142 99012 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex: acquired
29 99041 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1941): pty output_mutex(0x118) released
getfacl 28 99069 [main] getfacl 3412 write: 7 = write(2, 0xFFFFCC60, 7)
49 99118 [main] getfacl 3412 fhandler_pty_slave::write: pty1, write(0x10040372D, 2)
25 99143 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex (0x118): waiting -1 ms
: 25 99168 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex: acquired
/cygdrive/z 22 99190 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1941): pty output_mutex(0x118) released
23 99213 [main] getfacl 3412 write: 2 = write(2, 0x10040372D, 2)
37 99250 [main] getfacl 3412 fhandler_pty_slave::write: pty1, write(0xFFFFCC68, 11)
20 99270 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex (0x118): waiting -1 ms
21 99291 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex: acquired
29 99320 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1941): pty output_mutex(0x118) released
25 99345 [main] getfacl 3412 write: 11 = write(2, 0xFFFFCC68, 11)
50 99395 [main] getfacl 3412 fhandler_pty_slave::write: pty1, write(0x100403731, 2)
22 99417 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex (0x118): waiting -1 ms
23 99440 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex: acquired
24 99464 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1941): pty output_mutex(0x118) released
: 26 99490 [main] getfacl 3412 write: 2 = write(2, 0x100403731, 2)
187 99677 [main] getfacl 3412 fhandler_pty_slave::write: pty1, write(0x18023F080, 16)
28 99705 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex (0x118): waiting -1 ms
29 99734 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex: acquired
25 99759 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1941): pty output_mutex(0x118) released
Invalid argument 23 99782 [main] getfacl 3412 write: 16 = write(2, 0x18023F080, 16)
47 99829 [main] getfacl 3412 fhandler_pty_slave::write: pty1, write(0x100403735, 2)
25 99854 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex (0x118): waiting -1 ms
25 99879 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1902): pty output_mutex: acquired
24 99903 [main] getfacl 3412 fhandler_pty_common::process_opost_output: (1941): pty output_mutex(0x118) released
26 99929 [main] getfacl 3412 write: 2 = write(2, 0x100403735, 2)
152 100081 [main] getfacl 3412 do_exit: do_exit (512), exit_state 1
21 100102 [main] getfacl 3412 void: 0x0 = signal (20, 0x1)
22 100124 [main] getfacl 3412 void: 0x0 = signal (1, 0x1)
73 100197 [main] getfacl 3412 void: 0x0 = signal (2, 0x1)
23 100220 [main] getfacl 3412 void: 0x0 = signal (3, 0x1)
29 100249 [main] getfacl 3412 fhandler_base::close_with_arch: line 1132: /dev/pty1<0x1803250C8> usecount + -1 = 3
31 100280 [main] getfacl 3412 fhandler_base::close_with_arch: not closing archetype
25 100305 [main] getfacl 3412 fhandler_base::close_with_arch: line 1132: /dev/pty1<0x1803250C8> usecount + -1 = 2
34 100339 [main] getfacl 3412 fhandler_base::close_with_arch: not closing archetype
28 100367 [main] getfacl 3412 fhandler_base::close_with_arch: line 1132: /dev/pty1<0x1803250C8> usecount + -1 = 1
22 100389 [main] getfacl 3412 fhandler_base::close_with_arch: not closing archetype
22 100411 [main] getfacl 3412 init_cygheap::close_ctty: closing cygheap->ctty 0x1803250C8
23 100434 [main] getfacl 3412 fhandler_base::close_with_arch: closing passed in archetype 0x0, usecount 0
185 100619 [main] getfacl 3412 fhandler_pty_slave::cleanup: /dev/pty1 closed, usecount 0
23 100642 [main] getfacl 3412 fhandler_pty_slave::close: closing last open /dev/pty1 handle
48 100690 [main] getfacl 3412 fhandler_console::free_console: freed console, res 1
24 100714 [main] getfacl 3412 fhandler_pty_common::close: pty1 <0x128,0x10C> closing
29 100743 [main] getfacl 3412 dtable::delete_archetype: deleting element 0 for /dev/pty1(136/1)
26 100769 [main] getfacl 3412 getpid: 3412 = getpid()
75 100844 [main] getfacl 3412 proc_terminate: nprocs 0
24 100868 [main] getfacl 3412 proc_terminate: leaving
32 100900 [main] getfacl 3412 pinfo::exit: Calling ExitProcess n 0x200, exitcode 0x2
--- Process 3412 thread 1964 exited with status 0x2
--- Process 3412 thread 19720 exited with status 0x2
--- Process 3412 thread 2912 exited with status 0x2
--- Process 3412 thread 15020 exited with status 0x2
--- Process 3412 thread 2120 exited with status 0x2
--- Process 3412 exited with status 0x2
* Re: SMBFS mount's file cannot be made executable
2019-08-14 4:24 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
@ 2019-08-14 11:22 ` Ken Brown
2019-08-14 22:58 ` Brian Inglis
0 siblings, 1 reply; 69+ messages in thread
From: Ken Brown @ 2019-08-14 11:22 UTC (permalink / raw)
To: cygwin
On 8/14/2019 12:23 AM, Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin wrote:
>> Have you checked the default ACL on the directory containing the file?
>
> No, and there's nothing special there now that I checked. I can change the "Read & Execute" for the .exe file from the Windows file properties
> without having to deal with anything special or additional (like inherited permissions), so I don't think the containing directory has anything
> to do with it.
I suspect the containing directory has a lot to do with it. You shouldn't get
an "Invalid argument" error below.
> $ getfacl /cygdrive/z
> # file: /cygdrive/z
> # owner: lavr
> # group: cppcore
> user::rwx
> group::r-x
> other::r-x
> getfacl: /cygdrive/z: Invalid argument
Running getfacl under strace might provide a clue as to what the problem is.
You could also try running /usr/lib/csih/getVolInfo.exe on that directory.
Ken
* Re: SMBFS mount's file cannot be made executable
@ 2019-08-14 4:24 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-14 11:22 ` Ken Brown
0 siblings, 1 reply; 69+ messages in thread
From: Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin @ 2019-08-14 4:24 UTC (permalink / raw)
To: 'cygwin@cygwin.com'
> Have you checked the default ACL on the directory containing the file?
No, and there's nothing special there now that I checked. I can change the "Read & Execute" for the .exe file from the Windows file properties
without having to deal with anything special or additional (like inherited permissions), so I don't think the containing directory has anything
to do with it.
$ getfacl /cygdrive/z
# file: /cygdrive/z
# owner: lavr
# group: cppcore
user::rwx
group::r-x
other::r-x
getfacl: /cygdrive/z: Invalid argument
$ getfacl.exe /mnt
# file: /mnt
# owner: lavr
# group: cppcore
user::rwx
group::r-x
other::r-x
getfacl: /mnt: Invalid argument
(where /mnt is the same network share mounted with the "exec" option, see previous posts; not sure what EINVAL means there in the output,
it does not appear for files -- seems to be only when directories are inquired)
^ permalink raw reply [flat|nested] 69+ messages in thread
* RE: SMBFS mount's file cannot be made executable
2019-08-13 18:35 ` Andrey Repin
@ 2019-08-13 23:19 ` Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-14 20:05 ` Andrey Repin
0 siblings, 1 reply; 69+ messages in thread
From: Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin @ 2019-08-13 23:19 UTC (permalink / raw)
To: cygwin
> What are your cygdrive mount options? Because the default is, apparently, "binary,posix=0,user".
I have no idea where they are kept at, and how to change them.
Also, I couldn't make this work, anyways; yet I thought it should have worked:
> > $ mount -o exec //coredev2/home/lavr /mnt
> > $ mount
> > //coredev2/home/lavr on /mnt type smbfs (binary,exec,user)
> > ...
> > $ cd /mnt
> > $ pwd
> > /mnt
> > $ gcc a.c
> > $ ls -l a.exe
> > -rw-rw-r--+ 1 lavr cppcore 157753 Aug 13 08:20 a.exe
> > $ ./a.exe
> > -bash: ./a.exe: Permission denied
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2019-08-13 12:27 ` Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-13 18:34 ` Achim Gratz
@ 2019-08-13 18:35 ` Andrey Repin
2019-08-13 23:19 ` Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
1 sibling, 1 reply; 69+ messages in thread
From: Andrey Repin @ 2019-08-13 18:35 UTC (permalink / raw)
To: Lavrentiev, Anton (NIH/NLM/NCBI) [C], cygwin
Greetings, Lavrentiev, Anton (NIH/NLM/NCBI) [C]!
>> You need the "exec" mount option.
> I thought so too, but how do I give that option to a drive that is
> "noumount"? I cannot dis- or re-mount it AFAICT.
> $ mount
> ...
> Z: on /cygdrive/z type smbfs (binary,posix=0,user,noumount,auto)
> $ umount /cygdrive/z
> umount: /cygdrive/z: Invalid argument
/cygdrive is automount.
What are your cygdrive mount options? Because the default is, apparently, "binary,posix=0,user".
> Also, I tried to mount the same path elsewhere, and with the "exec"
> option, and that wouldn't help, either:
> $ mount -o exec //coredev2/home/lavr /mnt
> $ mount
> //coredev2/home/lavr on /mnt type smbfs (binary,exec,user)
> ...
> $ cd /mnt
> $ pwd
> /mnt
> $ gcc a.c
> $ ls -l a.exe
> -rw-rw-r--+ 1 lavr cppcore 157753 Aug 13 08:20 a.exe
> $ ./a.exe
> -bash: ./a.exe: Permission denied
> (and again, if a.exe is given the "x" perm in the Linux fs, the command above works)
> I think that something's wrong with how (or if) Cygwin translates the "x"
> unix execution permission bit to an ACL that is passed thru SMB -- it does
> not get transferred to the Linux side correctly. But if set there, then it
> gets converted to the execute ACL the right way, and that makes the file
> executable on the Windows side... I do not know how it is all implemented, though; it's just my observation.
--
With best regards,
Andrey Repin
Tuesday, August 13, 2019 21:22:07
Sorry for my terrible english...
^ permalink raw reply [flat|nested] 69+ messages in thread
* Re: SMBFS mount's file cannot be made executable
2019-08-13 12:27 ` Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
@ 2019-08-13 18:34 ` Achim Gratz
2019-08-13 18:35 ` Andrey Repin
1 sibling, 0 replies; 69+ messages in thread
From: Achim Gratz @ 2019-08-13 18:34 UTC (permalink / raw)
To: cygwin
Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin writes:
> I think that something's wrong with how (or if) Cygwin translates the
> "x" unix execution permission bit to an ACL that is passed thru SMB --
> it does not get transferred to the Linux side correctly. But if set
> there, then it gets converted to the execute ACL the right way, and
> that makes the file executable on the Windows side... I do not know
> how it is all implemented, though; it's just my observation.
If it's related to the ACL handling then it should start working when
you remove the ACL on the file with 'setfacl -kb …'. On the other hand
you mentioned NetApp, and these can be set up to completely ignore
certain DACL, mode or owner changes from clients (with or without
raising errors while doing so).
Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
Factory and User Sound Singles for Waldorf Q+, Q and microQ:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds
^ permalink raw reply [flat|nested] 69+ messages in thread
* RE: SMBFS mount's file cannot be made executable
[not found] ` <704986a5a4ab41709eb963dcd23887b1@BELBRU-EXMP101.eeas.europa.eu>
@ 2019-08-13 12:27 ` Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-13 18:34 ` Achim Gratz
2019-08-13 18:35 ` Andrey Repin
0 siblings, 2 replies; 69+ messages in thread
From: Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin @ 2019-08-13 12:27 UTC (permalink / raw)
To: 'cygwin@cygwin.com'
Thanks for responding!
> You need the "exec" mount option.
I thought so too, but how do I give that option to a drive that is "noumount"? I cannot dis- or re-mount it AFAICT.
$ mount
...
Z: on /cygdrive/z type smbfs (binary,posix=0,user,noumount,auto)
$ umount /cygdrive/z
umount: /cygdrive/z: Invalid argument
Also, I tried to mount the same path elsewhere, and with the "exec" option, and that wouldn't help, either:
$ mount -o exec //coredev2/home/lavr /mnt
$ mount
//coredev2/home/lavr on /mnt type smbfs (binary,exec,user)
...
$ cd /mnt
$ pwd
/mnt
$ gcc a.c
$ ls -l a.exe
-rw-rw-r--+ 1 lavr cppcore 157753 Aug 13 08:20 a.exe
$ ./a.exe
-bash: ./a.exe: Permission denied
(and again, if a.exe is given the "x" perm in the Linux fs, the command above works)
I think that something's wrong with how (or if) Cygwin translates the "x" unix execution permission bit to an ACL that is passed thru SMB -- it does not get transferred to the Linux side correctly. But if set there, then it gets converted to the execute ACL the right way, and that makes the file executable on the Windows side... I do not know how it is all implemented, though; it's just my observation.
^ permalink raw reply [flat|nested] 69+ messages in thread
* RE: SMBFS mount's file cannot be made executable
2019-08-12 19:05 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
@ 2019-08-13 8:28 ` KAVALAGIOS Panagiotis (EEAS-EXT)
[not found] ` <704986a5a4ab41709eb963dcd23887b1@BELBRU-EXMP101.eeas.europa.eu>
1 sibling, 0 replies; 69+ messages in thread
From: KAVALAGIOS Panagiotis (EEAS-EXT) @ 2019-08-13 8:28 UTC (permalink / raw)
To: cygwin
> Hi,
>
> So nobody has any suggestions per this?
>
> https://cygwin.com/ml/cygwin/2019-08/msg00126.html
That's strange. The execution of a file is also controlled by the way the filesystem is mounted, and the execution permission granted by chmod is not enough. You need the "exec" mount option. On drives that have it, the "user" option automatically implies noexec, nosuid, and nodev, unless overridden by the corresponding option without the "no" prefix.
The only issue I can see is that you can execute files on your U: drive and even on your Z: if you give permissions from the Linux machine. Maybe the Cygwin implementation is not so strict about the permissions.
Panos
^ permalink raw reply [flat|nested] 69+ messages in thread
* SMBFS mount's file cannot be made executable
@ 2019-08-12 19:05 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2019-08-13 8:28 ` KAVALAGIOS Panagiotis (EEAS-EXT)
[not found] ` <704986a5a4ab41709eb963dcd23887b1@BELBRU-EXMP101.eeas.europa.eu>
0 siblings, 2 replies; 69+ messages in thread
From: Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin @ 2019-08-12 19:05 UTC (permalink / raw)
To: 'cygwin@cygwin.com'
Hi,
So nobody has any suggestions per this?
https://cygwin.com/ml/cygwin/2019-08/msg00126.html
TIA
^ permalink raw reply [flat|nested] 69+ messages in thread
* SMBFS mount's file cannot be made executable
@ 2019-08-08 15:42 Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin
2024-11-08 11:51 ` Takashi Yano
0 siblings, 1 reply; 69+ messages in thread
From: Lavrentiev, Anton (NIH/NLM/NCBI) [C] via cygwin @ 2019-08-08 15:42 UTC (permalink / raw)
To: 'cygwin@cygwin.com'
Hi,
Here's the situation, I have a netmount "Z:" but I cannot make any files on it executable from Cygwin:
$ mount
...
Z: on /cygdrive/z type smbfs (binary,posix=0,user,noumount,auto)
$ cd /cygdrive/z
$ pwd
/cygdrive/z
$ cat a.c
#include <stdio.h>
int main()
{
    printf("Hello world!\n");
    return 0;
}
$ gcc -Wall a.c
$ echo $?
0
$ ./a.exe
-bash: ./a.exe: Permission denied
$ ls -l a.exe
-rw-rw-r--+ 1 lavr cppcore 157753 Aug 8 11:29 a.exe
$ getfacl.exe a.exe
# file: a.exe
# owner: lavr
# group: cppcore
user::rw-
user:lavr:rw-
group::r--
group:cppcore:r--
mask::rw-
other::r--
$ chmod a+x a.exe
$ echo $?
0
$ ls -l a.exe
-rw-rw-r--+ 1 lavr cppcore 157753 Aug 8 11:29 a.exe
$ getfacl.exe a.exe
# file: a.exe
# owner: lavr
# group: cppcore
user::rw-
user:lavr:rw-
group::r--
group:cppcore:r--
mask::rw-
other::r--
$ ./a.exe
-bash: ./a.exe: Permission denied
What's missing? How do I make the file executable, and why does chmod() lie about all-good when it does nothing?
Any ideas please?
Thanks!
P.S. I have another netmount "drive" (U:) which Cygwin identifies as "netapp", and everything works on that drive,
regarding the execution permission.
U: on /cygdrive/u type netapp (binary,posix=0,user,noumount,auto)
Also, any file that I give the "x" permission from outside Cygwin (e.g. from Linux) on the SMBFS drive "Z:",
becomes executable:
Cygwin> $ gcc -Wall a.c
Linux> $ chmod a+x a.exe
Cygwin> $ ./a.exe
Hello world!
^ permalink raw reply [flat|nested] 69+ messages in thread
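An added example, not part of any message in this thread: a POSIX shell check for the behaviour reported in the first post, where "chmod a+x" exits 0 but "ls -l" still shows no "x" bit. The function names and the CHMOD override (set to "true" to simulate a share that accepts the call and ignores it) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: do not trust the exit status of chmod on a network share;
# re-read the mode afterwards and compare.
# CHMOD is a hypothetical override, used only to simulate a filesystem
# that reports success without changing anything (CHMOD=true).
CHMOD=${CHMOD:-chmod}

# Print the 10-character mode string (e.g. -rw-rw-r--), dropping the
# trailing "+" that ls appends when the file carries an ACL.
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# set_exec_checked FILE
#   0  all three x bits are present after chmod
#   1  chmod itself failed, or FILE could not be listed
#   2  chmod returned 0 but the x bits are not all set (silent no-op)
set_exec_checked() {
    file=$1
    before=$(mode_of "$file") || return 1
    [ -n "$before" ] || return 1
    "$CHMOD" a+x -- "$file" || return 1
    after=$(mode_of "$file")
    case $after in
        ???x??x??x) return 0 ;;
    esac
    printf '%s: chmod returned 0 but mode is %s (was %s)\n' \
        "$file" "$after" "$before" >&2
    return 2
}

# Stand-alone use: sh this_script.sh path/to/a.exe
if [ "$#" -gt 0 ]; then
    set_exec_checked "$1"
fi
```

A return value of 2 on a share is the cue to inspect the ACL on the server or Windows side, as the thread goes on to do, rather than to retry chmod.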