I'm having problems with cygwin 1.7 and ACL handling.

I'm having problems with cygwin 1.7 and ACL handling.

[Mark Lommers]

Hi,

I'm having problems with cygwin 1.7 and ACL handling.

I do some software development and for the software I write I also create unit tests. Those unit test are run automatically in a cygwin environment triggered by a build system. Now I'm updating the machines on which the unit tests are running, from windows XP to Windows Server 2008 and from cygwin 1.5 to cygwin 1.7. Since this update some unit tests are failing. 

All the failing unit tests have in common that they do something with ACL:

For some test we change the access control list like:

      acl.AddAccessRule(new System.Security.AccessControl.FileSystemAccessRule(WindowsIdentity.GetCurrent().Name
        , System.Security.AccessControl.FileSystemRights.FullControl
        , System.Security.AccessControl.AccessControlType.Deny));
       SandboxedDirectory.SetAccessControl(acl);

Then in the test we try to create a directory inside the sandboxed directory and check that the right exception has been thrown because it shouldn't be able to do so. 


On windows XP with cygwin version 1.5 everything was working OK

Now we are upgrading to windows server 2008 so we also need to update to cygwin 1.7, the test are starting to fail, because they are able to create directories in the sandboxed directory.

I know/read that from cygwin 1.7 cygwin uses mount point with corresponding acl/noacl flags and no longer using the ntsec and nontsec flags in the CYGWIN environment variable.

I tried to change the mounting point to set noacl and acl but this didn't had any effect.

On the OLD xp machines with cygwin 1.5 the CYGWIN variable was set to nontsec

In CMD prompt test run fine.
In a bash prompt test fail.
In a cmd prompt started from a bash prompt test also fail.

Not running in a cygwin environment is not an option for now!

Any Idea what to do?

Regards
Mark

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: I'm having problems with cygwin 1.7 and ACL handling.

[Corinna Vinschen]

On Jul  2 17:56, Mark Lommers wrote:
> Hi,
> 
> I'm having problems with cygwin 1.7 and ACL handling.
> 
> I do some software development and for the software I write I also create unit tests. Those unit test are run automatically in a cygwin environment triggered by a build system. Now I'm updating the machines on which the unit tests are running, from windows XP to Windows Server 2008 and from cygwin 1.5 to cygwin 1.7. Since this update some unit tests are failing. 
> 
> All the failing unit tests have in common that they do something with ACL:
> 
> For some test we change the access control list like:
> 
>       acl.AddAccessRule(new System.Security.AccessControl.FileSystemAccessRule(WindowsIdentity.GetCurrent().Name
>         , System.Security.AccessControl.FileSystemRights.FullControl
>         , System.Security.AccessControl.AccessControlType.Deny));
>        SandboxedDirectory.SetAccessControl(acl);
> 
> Then in the test we try to create a directory inside the sandboxed directory and check that the right exception has been thrown because it shouldn't be able to do so. 
> 
> 
> On windows XP with cygwin version 1.5 everything was working OK
> 
> Now we are upgrading to windows server 2008 so we also need to update to cygwin 1.7, the test are starting to fail, because they are able to create directories in the sandboxed directory.
> 
> I know/read that from cygwin 1.7 cygwin uses mount point with corresponding acl/noacl flags and no longer using the ntsec and nontsec flags in the CYGWIN environment variable.
> 
> I tried to change the mounting point to set noacl and acl but this didn't had any effect.
> 
> On the OLD xp machines with cygwin 1.5 the CYGWIN variable was set to nontsec
> 
> In CMD prompt test run fine.
> In a bash prompt test fail.
> In a cmd prompt started from a bash prompt test also fail.
> 
> Not running in a cygwin environment is not an option for now!
> 
> Any Idea what to do?

Are you running the tests under an elevated admin account?  If so, the
reason you are able to create dirs is that the SE_BACKUP_NAME and
SE_RESTORE_NAME user privileges are enabled when running in a Cygwin
environment.

Don't run the affected tests from an elevated session or strip the
privileges from the user token using the cygdrop tool from the cygutils
package when running these tests.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: I'm having problems with cygwin 1.7 and ACL handling.

[Richard Gribble]

This may not work for you, but what I had to do was to mount the
drives with the noacl option.

This problem first surfaced for me when the server was upgraded from
Windows 2003 Standard to Windows 2003 R2 Standard, and was noticeable
in RCS where I couldn't check out files because I couldn't create the
necessary temp files.  I worked on it for several weeks with the IT
person, and there was no way we could it to work.  The privileges
matched precisely (under Windows) - the only way I could do it was to
be an administrator (and that wasn't going to happen).


Hope this helps,

Richard.

On Mon, Jul 2, 2012 at 11:56 AM, Mark Lommers
<mark.lommers@civolution.com> wrote:
>
> Hi,
>
> I'm having problems with cygwin 1.7 and ACL handling.
>
> I do some software development and for the software I write I also create unit tests. Those unit test are run automatically in a cygwin environment triggered by a build system. Now I'm updating the machines on which the unit tests are running, from windows XP to Windows Server 2008 and from cygwin 1.5 to cygwin 1.7. Since this update some unit tests are failing.
>
> All the failing unit tests have in common that they do something with ACL:
>
> For some test we change the access control list like:
>
>       acl.AddAccessRule(new System.Security.AccessControl.FileSystemAccessRule(WindowsIdentity.GetCurrent().Name
>         , System.Security.AccessControl.FileSystemRights.FullControl
>         , System.Security.AccessControl.AccessControlType.Deny));
>        SandboxedDirectory.SetAccessControl(acl);
>
> Then in the test we try to create a directory inside the sandboxed directory and check that the right exception has been thrown because it shouldn't be able to do so.
>
>
> On windows XP with cygwin version 1.5 everything was working OK
>
> Now we are upgrading to windows server 2008 so we also need to update to cygwin 1.7, the test are starting to fail, because they are able to create directories in the sandboxed directory.
>
> I know/read that from cygwin 1.7 cygwin uses mount point with corresponding acl/noacl flags and no longer using the ntsec and nontsec flags in the CYGWIN environment variable.
>
> I tried to change the mounting point to set noacl and acl but this didn't had any effect.
>
> On the OLD xp machines with cygwin 1.5 the CYGWIN variable was set to nontsec
>
> In CMD prompt test run fine.
> In a bash prompt test fail.
> In a cmd prompt started from a bash prompt test also fail.
>
> Not running in a cygwin environment is not an option for now!
>
> Any Idea what to do?
>
> Regards
> Mark
>
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: I'm having problems with cygwin 1.7 and ACL handling.

[Corinna Vinschen]

On Jul  5 12:02, Mark Lommers wrote:
> Hi Corinna,
> 
> Thanks for your tip, it pointed me to the right direction.
> 
> When calling the test now with 
> 
> 	cygdrop -P backup -P restore test.exe 
> 
> the test is running fine. 
> 
> Is it also possible to drop this privileges by default?

No, sorry.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: I'm having problems with cygwin 1.7 and ACL handling.

[Mark Lommers]

Hi Corinna,

Thanks for your tip, it pointed me to the right direction.

When calling the test now with 

	cygdrop -P backup -P restore test.exe 

the test is running fine. 

Is it also possible to drop this privileges by default? when logging in via ssh or using the cygwin bash? If so I don't have to change my scripts which call the test, but can configure it on the system itself.

Regards,
Mark

Re: I'm having problems with cygwin 1.7 and ACL handling.

From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
To: cygwin at cygwin dot com
Date: Mon, 2 Jul 2012 18:04:52 +0200
Subject: Re: I'm having problems with cygwin 1.7 and ACL handling.
References: <0260B13BA0AA1A4693F4245FC28FD77705EC62CC1C@CVL-SVR-002>
Reply-to: cygwin at cygwin dot com
On Jul  2 17:56, Mark Lommers wrote:
> Hi,
> 
> I'm having problems with cygwin 1.7 and ACL handling.
> 
> I do some software development and for the software I write I also create unit tests. Those unit test are run automatically in a cygwin environment triggered by a build system. Now I'm updating the machines on which the unit tests are running, from windows XP to Windows Server 2008 and from cygwin 1.5 to cygwin 1.7. Since this update some unit tests are failing. 
> 
> All the failing unit tests have in common that they do something with ACL:
> 
> For some test we change the access control list like:
> 
> ÂÂÂÂÂ acl.AddAccessRule(new System.Security.AccessControl.FileSystemAccessRule(WindowsIdentity.GetCurrent().Name
> ÂÂÂÂÂÂÂ , System.Security.AccessControl.FileSystemRights.FullControl
> ÂÂÂÂÂÂÂ , System.Security.AccessControl.AccessControlType.Deny));
>        SandboxedDirectory.SetAccessControl(acl);
> 
> Then in the test we try to create a directory inside the sandboxed directory and check that the right exception has been thrown because it shouldn't be able to do so. 
> 
> 
> On windows XP with cygwin version 1.5 everything was working OK
> 
> Now we are upgrading to windows server 2008 so we also need to update to cygwin 1.7, the test are starting to fail, because they are able to create directories in the sandboxed directory.
> 
> I know/read that from cygwin 1.7 cygwin uses mount point with corresponding acl/noacl flags and no longer using the ntsec and nontsec flags in the CYGWIN environment variable.
> 
> I tried to change the mounting point to set noacl and acl but this didn't had any effect.
> 
> On the OLD xp machines with cygwin 1.5 the CYGWIN variable was set to nontsec
> 
> In CMD prompt test run fine.
> In a bash prompt test fail.
> In a cmd prompt started from a bash prompt test also fail.
> 
> Not running in a cygwin environment is not an option for now!
> 
> Any Idea what to do?

Are you running the tests under an elevated admin account?  If so, the
reason you are able to create dirs is that the SE_BACKUP_NAME and
SE_RESTORE_NAME user privileges are enabled when running in a Cygwin
environment.

Don't run the affected tests from an elevated session or strip the
privileges from the user token using the cygdrop tool from the cygutils
package when running these tests.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple