From: Achim Gratz
To: cygwin@cygwin.com
Subject: Re: [TESTERS needed] New POSIX permission handling
Date: Sat, 11 Apr 2015 11:51:00 -0000
Message-ID: <878udydgsy.fsf@Rainer.invalid>
In-Reply-To: <5528EE66.8070305@gmail.com> (David Macek's message of "Sat, 11 Apr 2015 11:50:30 +0200")
References: <20150410100703.GA4401@calimero.vinschen.de> <87lhhzcarc.fsf@Rainer.invalid> <5528E2ED.7090105@gmail.com> <87d23bc9r5.fsf@Rainer.invalid> <5528EE66.8070305@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)

David Macek writes:
> https://technet.microsoft.com/en-us/library/cc776499(v=ws.10).aspx
> says otherwise about the group-in-group rights.

As I see it, nesting groups is just a more efficient way of populating them, so by expanding the nested groups recursively you'll end up with the effective set of users that have those rights. But if I have a DACL permission for "Domain Admins" that still doesn't mean that "Administrators" (the group) gets access. The other way around (intentionally) works, by virtue of "Domain Admins" being a member of "Administrators". Also, "Administrator" (the account) is by default a member of both "Administrators" and "Domain Administrators", which is a bit confusing.

> The way I see it, the point of the code change was to prevent the
> "implicit" Administrators and SYSTEM DACL entries from showing up in
> the computed POSIX access mask because they nicely match the implicit
> rights root accounts have on POSIX systems and because they're
> unhelpful and sometimes problematic.

My point is that the interpretation of who gets to call himself "root" in that analogy is quite fuzzy and sometimes depends on the filesystem you look at. The choice proffered by Cygwin now is mostly correct for local file systems, but not necessarily for network shares (and most certainly not for a few important ones I'll have to deal with). The fallback will be to mount with "noacl" as before, something I had hoped would no longer be necessary. I have a few applications where the faked file modes simply don't cut it and so far I've been lucky that either the shares these need to be on are configured differently by default (like my home "drive") or I could convince IT to give me something non-standard. But the next round of filer or server upgrades or changed security policies might leave me stranded, so I'm really not too keen to rely on that indefinitely.

> As neither Domain Administrators nor Power Users have this combination
> of properties (presence on most filesystem objects by default and
> SeTakeOwnershipPrivilege), I think it's useful to have them appear in
> the mask.

For isolated systems and small networks, this is wholly sufficient. Large networked installations have, for better or worse, more complicated setups. Again, I see a lot of cruft that likely wouldn't be necessary and is probably largely historical, but some of it really can't be changed.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf Blofeld V1.15B11:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
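The asymmetry Achim describes in the first paragraph (an ACE for "Domain Admins" does not admit "Administrators" as a group, but an ACE for "Administrators" does admit Domain Admins members because of the nesting) follows from how Windows evaluates a DACL: the logon token carries the user's flattened group SIDs, and each ACE is matched against that token, never against a group's member list. The model below is an added example, not part of the original post or of Cygwin's own code; the group names, memberships (`alice`, `localadmin`, `bob`) and DACLs are constructed sample data, and the ACE walk implements the usual first-match-per-right rule with implicit deny at the end.

```python
from __future__ import annotations

# Constructed sample directory (assumption, not real data): group -> direct
# members, which may be users or other groups. It mirrors the default layout
# the post describes: "Domain Admins" is nested in the local "Administrators"
# group and the "Administrator" account is a direct member of both.
# "localadmin" is only in Administrators; "bob" is only in Power Users.
GROUPS: dict[str, set[str]] = {
    "Administrators": {"Administrator", "Domain Admins", "localadmin"},
    "Domain Admins": {"Administrator", "alice"},
    "Power Users": {"bob"},
}


def expand_group(group: str, groups: dict[str, set[str]] = GROUPS) -> set[str]:
    """Recursively expand a group to its effective set of user accounts.

    Nested groups are flattened; cycles are tolerated via the `seen` set.
    """
    users: set[str] = set()
    seen: set[str] = set()
    stack = [group]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        for member in groups.get(name, ()):
            if member in groups:
                stack.append(member)   # nested group: keep expanding
            else:
                users.add(member)      # leaf: a user account
    return users


def token_groups(user: str, groups: dict[str, set[str]] = GROUPS) -> set[str]:
    """Every group the user belongs to, directly or through nesting.

    This is what the logon token carries: group SIDs, already flattened.
    Access checks consult this set, not a group's member list, which is why
    nesting only ever grants rights "downwards" to members.
    """
    return {g for g in groups if user in expand_group(g, groups)}


# An ACE is (type, trustee, rights); type is "allow" or "deny".
Ace = tuple[str, str, frozenset[str]]


def access_check(user: str, dacl: list[Ace], requested: set[str],
                 groups: dict[str, set[str]] = GROUPS) -> bool:
    """First-match-per-right evaluation in ACE order.

    Each requested right is settled by the first matching ACE that mentions
    it: a deny ACE fails the whole check, an allow ACE grants that right.
    Rights still unsettled at the end of the DACL are denied (implicit deny).
    """
    identities = {user} | token_groups(user, groups)
    remaining = set(requested)
    for ace_type, trustee, rights in dacl:
        if trustee not in identities or not (rights & remaining):
            continue
        if ace_type == "deny":
            return False
        remaining -= rights
        if not remaining:
            return True
    return not remaining


# Constructed DACLs for the two cases discussed in the post.
ACE_FOR_DOMAIN_ADMINS: list[Ace] = [("allow", "Domain Admins", frozenset({"read", "write"}))]
ACE_FOR_ADMINISTRATORS: list[Ace] = [("allow", "Administrators", frozenset({"read", "write"}))]


def demo() -> dict[str, bool]:
    """Who can read under each DACL; returned as a dict for inspection."""
    return {
        # ACE names Domain Admins: alice, a member, gets in ...
        "alice@DomainAdminsACE": access_check("alice", ACE_FOR_DOMAIN_ADMINS, {"read"}),
        # ... but localadmin, who is only in Administrators, does not, even
        # though Administrators "contains" Domain Admins.
        "localadmin@DomainAdminsACE": access_check("localadmin", ACE_FOR_DOMAIN_ADMINS, {"read"}),
        # ACE names Administrators: alice gets in through the nesting ...
        "alice@AdministratorsACE": access_check("alice", ACE_FOR_ADMINISTRATORS, {"read"}),
        # ... and so does localadmin; bob (Power Users only) does not.
        "localadmin@AdministratorsACE": access_check("localadmin", ACE_FOR_ADMINISTRATORS, {"read"}),
        "bob@AdministratorsACE": access_check("bob", ACE_FOR_ADMINISTRATORS, {"read"}),
    }


if __name__ == "__main__":
    for who, ok in demo().items():
        print(f"{who:32} {'allowed' if ok else 'denied'}")
```

Because `access_check` walks the DACL in order, a deny ACE placed ahead of an allow (the canonical ordering Windows tools produce) wins for any right it names, while rights it does not mention fall through to the later allow ACE; the mapping of such a DACL onto a single POSIX mode triple is exactly where the "who is root here" question from the rest of the post becomes filesystem-dependent.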