public inbox for cygwin@cygwin.com
* Files and folders created with invalid ACL
@ 2020-06-21 17:56 Thorsten Kampe
  2020-06-21 18:10 ` Eliot Moss
  2020-06-22 17:20 ` Andrey Repin
  0 siblings, 2 replies; 9+ messages in thread
From: Thorsten Kampe @ 2020-06-21 17:56 UTC
  To: cygwin

Hello,

I'm experiencing the issue described here[1]: files and folders 
created with Cygwin utilities like touch and mkdir have an 
incorrect ACL ("The access control list (ACL) structure is 
invalid (os error 1336)").

icacls test.txt /verify
test.txt: Ace entries not in canonical order.

Interestingly the issue does not occur with files created in 
the user's Cygwin home directory but - for instance - in the 
Documents folder of the user's Windows profile.

This is a fresh Cygwin installation on a test system. Has 
anyone found a solution?

[1] http://cygwin.1069669.n5.nabble.com/Issues-with-ACL-settings-after-updating-to-the-latest-cygwin-dll-td124123.html



* Re: Files and folders created with invalid ACL
  2020-06-21 17:56 Files and folders created with invalid ACL Thorsten Kampe
@ 2020-06-21 18:10 ` Eliot Moss
  2020-06-21 18:42   ` Thorsten Kampe
  2020-06-22 17:20 ` Andrey Repin
  1 sibling, 1 reply; 9+ messages in thread
From: Eliot Moss @ 2020-06-21 18:10 UTC
  To: cygwin

On 6/21/2020 1:56 PM, Thorsten Kampe wrote:
> Hello,
> 
> I'm experiencing the issue described here[1]: files and folders
> created with Cygwin utilities like touch and mkdir have an
> incorrect ACL ("The access control list (ACL) structure is
> invalid (os error 1336)").
> 
> icacls test.txt /verify
> test.txt: Ace entries not in canonical order.
> 
> Interestingly the issue does not occur with files created in
> the user's Cygwin home directory but - for instance - in the
> Documents folder of the user's Windows profile.
> 
> This is a fresh Cygwin installation on a test system. Has
> anyone found a solution?
> 
> [1] http://cygwin.1069669.n5.nabble.com/Issues-with-ACL-settings-after-updating-to-the-latest-cygwin-dll-td124123.html

This is normal, and has to do with how Cygwin arranges to model,
within the Windows ACL permissions system, some features of the
Posix permissions system. Don't "fix" the ACLs - that can make
the Posix functionality break.  While the entries are not in
canonical order, they work fine :-) ...

If you dig deeper into the Cygwin documentation on permissions
handling you can read all the gory details ...

Regards - Eliot Moss


* Re: Files and folders created with invalid ACL
  2020-06-21 18:10 ` Eliot Moss
@ 2020-06-21 18:42   ` Thorsten Kampe
  2020-06-21 19:12     ` Thorsten Kampe
  0 siblings, 1 reply; 9+ messages in thread
From: Thorsten Kampe @ 2020-06-21 18:42 UTC
  To: cygwin

* Eliot Moss (Sun, 21 Jun 2020 14:10:21 -0400)
> 
> On 6/21/2020 1:56 PM, Thorsten Kampe wrote:
> > Hello,
> > 
> > I'm experiencing the issue described here[1]: files and folders
> > created with Cygwin utilities like touch and mkdir have an
> > incorrect ACL ("The access control list (ACL) structure is
> > invalid (os error 1336)").
> > 
> > icacls test.txt /verify
> > test.txt: Ace entries not in canonical order.
> > 
> > Interestingly the issue does not occur with files created in
> > the user's Cygwin home directory but - for instance - in the
> > Documents folder of the user's Windows profile.
> > 
> > This is a fresh Cygwin installation on a test system. Has
> > anyone found a solution?
> > 
> > [1] http://cygwin.1069669.n5.nabble.com/Issues-with-ACL-settings-after-updating-to-the-latest-cygwin-dll-td124123.html
> 
> This is normal, and has to do with how Cygwin arranges to model,
> within the Windows ACL permissions system, some features of the
> Posix permissions system. Don't "fix" the ACLs - that can make
> the Posix functionality break.  While the entries are not in
> canonical order, they work fine :-) ...

"The access control list (ACL) structure is invalid (os error 
1336)". That's an error and not a cosmetic issue. Other tools 
from the Unix world do not work fine with files that have an 
invalid ACL:
<https://github.com/Peltoche/lsd/issues/334#issuecomment-647119819>

Thorsten



* Re: Files and folders created with invalid ACL
  2020-06-21 18:42   ` Thorsten Kampe
@ 2020-06-21 19:12     ` Thorsten Kampe
  0 siblings, 0 replies; 9+ messages in thread
From: Thorsten Kampe @ 2020-06-21 19:12 UTC
  To: cygwin

* Thorsten Kampe (Sun, 21 Jun 2020 20:42:55 +0200)
> 
> * Eliot Moss (Sun, 21 Jun 2020 14:10:21 -0400)
> > 
> > This is normal, and has to do with how Cygwin arranges to
> > model,
> > within the Windows ACL permissions system, some features of the
> > Posix permissions system. Don't "fix" the ACLs - that can make
> > the Posix functionality break.  While the entries are not in
> > canonical order, they work fine :-) ...
> 
> "The access control list (ACL) structure is invalid (os error 
> 1336)". That's an error and not a cosmetic issue. Other tools 
> from the Unix world do not work fine with files that have an 
> invalid ACL:
> <https://github.com/Peltoche/lsd/issues/334#issuecomment-647119819>

I tried the noacl mount option: no change.

Thorsten



* Re: Files and folders created with invalid ACL
  2020-06-21 17:56 Files and folders created with invalid ACL Thorsten Kampe
  2020-06-21 18:10 ` Eliot Moss
@ 2020-06-22 17:20 ` Andrey Repin
  2020-06-22 18:08   ` Thorsten Kampe
  1 sibling, 1 reply; 9+ messages in thread
From: Andrey Repin @ 2020-06-22 17:20 UTC
  To: Thorsten Kampe, cygwin

Greetings, Thorsten Kampe!

> I'm experiencing the issue described here[1]: files and folders
> created with Cygwin utilities like touch and mkdir have an 
> incorrect ACL ("The access control list (ACL) structure is 
> invalid (os error 1336)").

> icacls test.txt /verify
> test.txt: Ace entries not in canonical order.

This is normal. All conformant drivers MUST be able to correctly process such
ACL's. "Non-canonical" does not mean "invalid".

> Interestingly the issue does not occur with files created in 
> the user's Cygwin home directory but - for instance - in the 
> Documents folder of the user's Windows profile.

> This is a fresh Cygwin installation on a test system. Has 
> anyone found a solution?

> [1] http://cygwin.1069669.n5.nabble.com/Issues-with-ACL-settings-after-updating-to-the-latest-cygwin-dll-td124123.html

Needs more specifics.
How did you set your fstab, particularly cygdrive prefix? Any extra mounts?
How did you modify nsswitch?


-- 
With best regards,
Andrey Repin
Monday, June 22, 2020 20:10:13

Sorry for my terrible english...



* Re: Files and folders created with invalid ACL
  2020-06-22 17:20 ` Andrey Repin
@ 2020-06-22 18:08   ` Thorsten Kampe
  2020-06-22 19:59     ` Eliot Moss
  0 siblings, 1 reply; 9+ messages in thread
From: Thorsten Kampe @ 2020-06-22 18:08 UTC
  To: cygwin

* Andrey Repin (Mon, 22 Jun 2020 20:20:35 +0300)
> 
> Greetings, Thorsten Kampe!
> 
> > I'm experiencing the issue described here[1]: files and folders
> > created with Cygwin utilities like touch and mkdir have an 
> > incorrect ACL ("The access control list (ACL) structure is 
> > invalid (os error 1336)").
> 
> > icacls test.txt /verify
> > test.txt: Ace entries not in canonical order.
> 
> This is normal. All conformant drivers MUST be able to correctly process such
> ACL's. "Non-canonical" does not mean "invalid".

`lsd` reports an error ("os error 1336"). But that might simply 
be a result of the "non canonical order".
 
> > Interestingly the issue does not occur with files created in 
> > the user's Cygwin home directory but - for instance - in the 
> > Documents folder of the user's Windows profile.
> 
> > This is a fresh Cygwin installation on a test system. Has 
> > anyone found a solution?
> 
> > [1] http://cygwin.1069669.n5.nabble.com/Issues-with-ACL-settings-after-updating-to-the-latest-cygwin-dll-td124123.html
> 
> Needs more specifics.
> How did you set your fstab, particularly cygdrive prefix? Any extra mounts?
> How did you modify nsswitch?

As I wrote, it's a "fresh Cygwin installation on a test 
system" that means the phenomenon is observable directly after 
the installation.

I did some testing: files created in the user's home directory 
(/home/Administrator), the home directory (/home) and other sub 
directories don't show the issue.

If I create a file or directory directly under / or anywhere 
else on the drive, the issue occurs.

If that would be the case on my main workstation, I would be 
fine with that. Unfortunately on my main workstation the issue 
occurs everywhere.

Thorsten



* Re: Files and folders created with invalid ACL
  2020-06-22 18:08   ` Thorsten Kampe
@ 2020-06-22 19:59     ` Eliot Moss
  2020-06-22 21:13       ` Brian Inglis
  2020-06-22 21:57       ` Eliot Moss
  0 siblings, 2 replies; 9+ messages in thread
From: Eliot Moss @ 2020-06-22 19:59 UTC
  To: cygwin

On 6/22/2020 2:08 PM, Thorsten Kampe wrote:
 > * Andrey Repin (Mon, 22 Jun 2020 20:20:35 +0300)
 >>
 >>> icacls test.txt /verify
 >>> test.txt: Ace entries not in canonical order.
 >>
 >> This is normal. All conformant drivers MUST be able to correctly process such
 >> ACL's. "Non-canonical" does not mean "invalid".
 >
 > `lsd` reports an error ("os error 1336"). But that might simply
 > be a result of the "non canonical order".

I agree; lsd seems to be being overly picky, not that you personally
can do much about that.

 >>> Interestingly the issue does not occur with files created in
 >>> the user's Cygwin home directory but - for instance - in the
 >>> Documents folder of the user's Windows profile.
 >>
 >>> This is a fresh Cygwin installation on a test system. Has
 >>> anyone found a solution?
 >>
 >>> [1] http://cygwin.1069669.n5.nabble.com/Issues-with-ACL-settings-after-updating-to-the-latest-cygwin-dll-td124123.html
 >>

 >> Needs more specifics.
 >> How did you set your fstab, particularly cygdrive prefix? Any extra mounts?
 >> How did you modify nsswitch?
 >
 > As I wrote, it's a "fresh Cygwin installation on a test
 > system" that means the phenomenon is observable directly after
 > the installation.
 >
 > I did some testing: files created in the user's home directory
 > (/home/Administrator), the home directory (/home) and other sub
 > directories don't show the issue.
 >
 > If I create a file or directory directly under / or anywhere
 > else on the drive, the issue occurs.
 >
 > If that would be the case on my main workstation, I would be
 > fine with that. Unfortunately on my main workstation the issue
 > occurs everywhere.

Maybe you took Andre slightly literally; rephrasing, what are your current
fstab and nsswitch contents?  I would also ask, what do icacls and getfacl
show on your / directory (the some that is the root of the hierarchy where
things aren't working for you)?  It could be that fixing some entry there,
and recursively, will get you to a good state.

Regards - Eliot Moss


* Re: Files and folders created with invalid ACL
  2020-06-22 19:59     ` Eliot Moss
@ 2020-06-22 21:13       ` Brian Inglis
  2020-06-22 21:57       ` Eliot Moss
  1 sibling, 0 replies; 9+ messages in thread
From: Brian Inglis @ 2020-06-22 21:13 UTC
  To: cygwin

On 2020-06-22 13:59, Eliot Moss wrote:
> On 6/22/2020 2:08 PM, Thorsten Kampe wrote:
>> * Andrey Repin (Mon, 22 Jun 2020 20:20:35 +0300)
>>>
>>>> icacls test.txt /verify
>>>> test.txt: Ace entries not in canonical order.
>>>
>>> This is normal. All conformant drivers MUST be able to correctly process such
>>> ACL's. "Non-canonical" does not mean "invalid".
>>
>> `lsd` reports an error ("os error 1336"). But that might simply
>> be a result of the "non canonical order".
> 
> I agree; lsd seems to be being overly picky, not that you personally
> can do much about that.
> 
>>>> Interestingly the issue does not occur with files created in
>>>> the user's Cygwin home directory but - for instance - in the
>>>> Documents folder of the user's Windows profile.
>>>
>>>> This is a fresh Cygwin installation on a test system. Has
>>>> anyone found a solution?
>>>
>>>> [1] http://cygwin.1069669.n5.nabble.com/Issues-with-ACL-settings-after-updating-to-the-latest-cygwin-dll-td124123.html
> 
>>>
> 
>>> Needs more specifics.
>>> How did you set your fstab, particularly cygdrive prefix? Any extra mounts?
>>> How did you modify nsswitch?
>>
>> As I wrote, it's a "fresh Cygwin installation on a test
>> system" that means the phenomenon is observable directly after
>> the installation.
>>
>> I did some testing: files created in the user's home directory
>> (/home/Administrator), the home directory (/home) and other sub
>> directories don't show the issue.
>>
>> If I create a file or directory directly under / or anywhere
>> else on the drive, the issue occurs.
>>
>> If that would be the case on my main workstation, I would be
>> fine with that. Unfortunately on my main workstation the issue
>> occurs everywhere.
> 
> Maybe you took Andre slightly literally; rephrasing, what are your current
> fstab and nsswitch contents?  I would also ask, what do icacls and getfacl
> show on your / directory (the some that is the root of the hierarchy where
> things aren't working for you)?  It could be that fixing some entry there,
> and recursively, will get you to a good state.

Often setfacl -b on files may reduce the ACLs to simple canonical entries
u::rw[-x],g::r-[-x],o::r-[-x]

	.\$USER:(F)
	BUILTIN\$GROUP:(RX)
	Everyone:(RX)

but you have to be careful that the same operation on directories keeps the
DACLs d:u::rwx,d:g::r-x,d:o::r-x

	.\$USER:(F)
	BUILTIN\$GROUP:(RX)
	Everyone:(RX)
	CREATOR OWNER:(OI)(CI)(IO)(F)
	CREATOR GROUP:(OI)(CI)(IO)(RX)
	Everyone:(OI)(CI)(IO)(RX)

as if the DACLs get stripped, files created under those directories often have
*NO* permissions: making them create only directories.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in IEC units and prefixes, physical quantities in SI.]
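
Added example, not part of any message in this thread: a small Python check for the two points made above, that "non-canonical" is an ordering property of an otherwise valid DACL, and that a directory stripped of its inheritable (OI)(CI) entries passes nothing on to new files. It reads SDDL strings (as returned, for instance, by PowerShell's `(Get-Acl path).Sddl`); the sample strings and the S-1-5-21-1-2-3-* SIDs are constructed placeholders, and the function names are this example's own.

```python
import re
from collections import namedtuple

Ace = namedtuple("Ace", "type flags rights sid")

def parse_dacl(sddl):
    """Parse the DACL (D:) part of an SDDL string into a list of Ace tuples."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;sid
        f = body.split(";")
        # Flags are concatenated two-letter codes, e.g. "OICIIO".
        flags = {f[1][i:i + 2] for i in range(0, len(f[1]), 2)}
        aces.append(Ace(f[0], flags, f[2], f[5]))
    return aces

def canonical_violations(aces):
    """Check the order rules that need no inheritance-level information:
    explicit ACEs precede inherited (ID) ones, and among explicit ACEs
    every deny (D) precedes every allow (A)."""
    problems, seen_inherited, seen_allow = [], False, False
    for i, ace in enumerate(aces):
        if "ID" in ace.flags:
            seen_inherited = True
            continue
        if seen_inherited:
            problems.append((i, "explicit ACE after inherited ACE"))
        if ace.type == "D" and seen_allow:
            problems.append((i, "explicit deny after explicit allow"))
        seen_allow = seen_allow or ace.type == "A"
    return problems

def has_inheritable_aces(aces):
    """True if any ACE carries OI or CI, i.e. is passed on to new children."""
    return any(ace.flags & {"OI", "CI"} for ace in aces)

# Constructed samples; the SIDs are placeholders, not taken from the thread.
U, G = "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-513"
FILE_ALLOW_BEFORE_DENY = f"O:{U}G:{G}D:P(A;;FA;;;{U})(D;;FW;;;{G})(A;;FR;;;{G})(A;;FR;;;WD)"
DIR_WITH_DEFAULTS = (f"D:(A;;FA;;;{U})(A;;0x1200a9;;;{G})(A;;0x1200a9;;;WD)"
                     "(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)")
DIR_STRIPPED = f"D:(A;;FA;;;{U})(A;;0x1200a9;;;{G})(A;;0x1200a9;;;WD)"

if __name__ == "__main__":
    for name in ("FILE_ALLOW_BEFORE_DENY", "DIR_WITH_DEFAULTS", "DIR_STRIPPED"):
        aces = parse_dacl(globals()[name])
        print(name, canonical_violations(aces), has_inheritable_aces(aces))
```

The inherited-ACE part of the canonical order (deny before allow at each inheritance level) is not checked, because SDDL does not record which level an inherited ACE came from.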


* Re: Files and folders created with invalid ACL
  2020-06-22 19:59     ` Eliot Moss
  2020-06-22 21:13       ` Brian Inglis
@ 2020-06-22 21:57       ` Eliot Moss
  1 sibling, 0 replies; 9+ messages in thread
From: Eliot Moss @ 2020-06-22 21:57 UTC
  To: cygwin

On 6/22/2020 3:59 PM, Eliot Moss wrote:
> On 6/22/2020 2:08 PM, Thorsten Kampe wrote:

> Maybe you took Andre slightly literally; rephrasing, what are your current

Should have read "Andrey"!  Eliot
