public inbox for cygwin@cygwin.com
From: Achim Gratz <Stromeko@nexgo.de>
To: cygwin@cygwin.com
Subject: Re: [TESTERS needed] New POSIX permission handling
Date: Sat, 11 Apr 2015 08:47:00 -0000
Message-ID: <87lhhzcarc.fsf@Rainer.invalid>
In-Reply-To: <20150410100703.GA4401@calimero.vinschen.de> (Corinna Vinschen's message of "Fri, 10 Apr 2015 12:07:03 +0200")

Corinna Vinschen writes:
> - To accommodate Windows default ACLs, the new code ignores SYSTEM and
>   Administrators group permissions when computing the MASK/CLASS_OBJ
>   permission mask on old ACLs, and it doesn't deny access to SYSTEM and
>   Administrators group based on the value of MASK/CLASS_OBJ when
>   creating the new ACLs.

Since you've now opened that can of worms of who is considered "root",
what about "Domain Administrators" or "Power Users", for starters?

>   That means, even if SYSTEM or Administrators have full access to the
>   file, the POSIX permission bits will not reflect that fact.  And while
>   other users get access denied based on the mask value, SYSTEM and
>   Administrators will never get access denied based on the mask.

If you want to put this to better use in larger settings it would seem
preferable if it was possible to define a list of users to treat this
way in fstab.  I think this would help with the braindead settings
NetApp filers are set up these days by default.  That generally means
that some domain group(s) need to be considered root on the share
depending on which share you are accessing.

> Apart from bugfixing the aforementioned code, there's still work to do
> on the getfacl and setfacl tools:

Sorry to pile another one on here: Currently it's not possible to use -k
and -b on the same invocation.  This works just fine on Linux.

Having the newer getfacl / setfacl from *BSD that deals with NFSv4 ACL
might be worth a shot, since at least superficially these seem to match
better to NTFS DACL in scope and would probably bring it more in line
with what icacls would show and do.  Before you ask, it has been duly
noted that NFSv4 ACL are somewhat incompatible with POSIX ACL in the
same way that NTFS DACL are… maybe some more info can be gleaned from
those documents:

http://users.suse.com/~agruen/acl/linux-acls/online/
http://users.suse.com/~agruen/nfs4acl/
http://www.ietf.org/archive/id/draft-ietf-nfsv4-acl-mapping-03.txt
http://www.bestbits.at/richacl/draft-gruenbacher-nfsv4-acls-in-posix-00.html
http://docs.oracle.com/cd/E23824_01/html/821-1448/gbacb.html


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Samples for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldSamplesExtra
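
The following is an added example, not part of the original message and not Cygwin source code: a small C model of the quoted MASK/CLASS_OBJ rule, with the exempt SID list passed as a parameter to show why a fixed SYSTEM/Administrators list lets a domain admin group inflate the mask. The struct layout, function names, the per-share list and the domain SIDs are assumptions made for illustration; only S-1-5-18 (SYSTEM) and S-1-5-32-544 (Administrators) are real well-known SIDs.

```c
/* Added illustration, not Cygwin source: a model of the MASK/CLASS_OBJ rule. */
#include <stddef.h>
#include <string.h>

enum tag { USER_OBJ, USER, GROUP_OBJ, GROUP, OTHER };
struct ace { enum tag tag; const char *sid; unsigned perm; }; /* perm: r=4 w=2 x=1 */

/* Well-known SIDs: SYSTEM and BUILTIN\Administrators. */
const char *default_exempt[] = { "S-1-5-18", "S-1-5-32-544", NULL };
/* Hypothetical per-share list; the domain SID is constructed (RID 512 = Domain Admins). */
const char *site_exempt[] = { "S-1-5-18", "S-1-5-32-544",
                              "S-1-5-21-1111-2222-3333-512", NULL };

/* Constructed ACL, as a share with a domain admin group might present it. */
const struct ace sample_acl[] = {
    { USER_OBJ,  NULL,                           7 },
    { GROUP,     "S-1-5-18",                     7 },
    { GROUP,     "S-1-5-32-544",                 7 },
    { GROUP,     "S-1-5-21-1111-2222-3333-512",  7 },
    { GROUP_OBJ, "S-1-5-21-1111-2222-3333-513",  5 },
    { USER,      "S-1-5-21-1111-2222-3333-1001", 4 },
    { OTHER,     NULL,                           0 },
};
const size_t sample_len = sizeof sample_acl / sizeof sample_acl[0];

static int is_exempt(const char *sid, const char **exempt)
{
    for (; sid && *exempt; exempt++)
        if (strcmp(sid, *exempt) == 0)
            return 1;
    return 0;
}

/* Mask = union of the group-class entries, skipping exempt SIDs. */
unsigned compute_mask(const struct ace *acl, size_t n, const char **exempt)
{
    unsigned mask = 0;
    for (size_t i = 0; i < n; i++)
        if (acl[i].tag != USER_OBJ && acl[i].tag != OTHER
            && !is_exempt(acl[i].sid, exempt))
            mask |= acl[i].perm;
    return mask;
}

/* The mask limits group-class entries, but never an exempt SID. */
unsigned effective_perm(const struct ace *e, unsigned mask, const char **exempt)
{
    if (e->tag == USER_OBJ || e->tag == OTHER || is_exempt(e->sid, exempt))
        return e->perm;
    return e->perm & mask;
}
```

With the fixed list the constructed domain group pushes the mask to rwx (7); with the per-share list the mask is r-x (5) and the domain group is no longer clipped by it.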
