public inbox for cygwin@cygwin.com
* [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
@ 2015-04-12 19:23 Corinna Vinschen
  2015-04-12 21:19 ` Bryan Berns
  0 siblings, 1 reply; 23+ messages in thread
From: Corinna Vinschen @ 2015-04-12 19:23 UTC (permalink / raw)
  To: cygwin

Hi Cygwin friends and users,


New 2.0.0-0.3 test release.  It's supposed to fix the pty chmod problem
reported in https://cygwin.com/ml/cygwin/2015-04/msg00240.html

Other than that...

The important change in this release is the POSIX permission handling
change, a rewrite of the underlying routines reading and creating
Windows ACLs following POSIX permission rules and POSIX ACL creating
rules per POSIX 1003.1e draft 17, as on Linux.

For a description of POSIX ACLs, see http://linux.die.net/man/5/acl


All changes in this release so far:
===================================

- New, unified implementation of POSIX permission and ACL handling.  The
  new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and
  they allow to inherit the S_ISGID bit.  ACL inheritance now really
  works as desired, in a limited, but theoretically equivalent fashion
  even for non-Cygwin processes.

  To accommodate Windows default ACLs, the new code ignores SYSTEM and
  Administrators group permissions when computing the MASK/CLASS_OBJ
  permission mask on old ACLs, and it doesn't deny access to SYSTEM and
  Administrators group based on the value of MASK/CLASS_OBJ when
  creating the new ACLs.
  
  The new code now handles the S_ISGID bit on directories as on Linux:
  Setting S_ISGID on a directory causes new files and subdirs created
  within to inherit its group, rather than the primary group of the user
  who created the file.  This only works for files and directories
  created by Cygwin processes.
  
- basename(3) now comes in two flavors, POSIX and GNU.  The POSIX version is
  the default.  You get the GNU version after
  
    #define _GNU_SOURCE
    #include <string.h> 

- The maximum number of PTYs has been raised from 64 to 128.


Bug Fixes
---------
  
- Fix potential hang in pseudo ttys when generating ECHO output while the slave
  is flooding the pty with output.
  Addresses: https://cygwin.com/ml/cygwin/2015-03/msg00019.html
  
- Fix potential premature SIGHUP in pty code.
  Addresses: https://cygwin.com/ml/cygwin/2015-03/msg00070.html
  
- Fix a name change from symlink to target name in calls to execvp, system, etc.
  Addresses: https://cygwin.com/ml/cygwin/2015-03/msg00270.html
      
- Fix internal error in pty -ONLCR handling.  Fix timing bug in pty OPOST 
  handling.
  Addresses: https://cygwin.com/ml/cygwin/2015-02/msg00929.html

  NOTE: This change introduces a not yet addressed regression.
  Native Windows tools generating output with Unix LF instead of
  Windows CRLF line endings will not get OPOST handling.  This
  prominently affects icacls.

- Avoid creating passwd and group records from fully qualified Windows
  account names (domain\name, name@domain).
  Addresses: https://cygwin.com/ml/cygwin/2015-03/msg00528.html

- Avoid potential crash at startup or in getgroups(2).
  Addresses: https://cygwin.com/ml/cygwin/2015-04/msg00010.html

- Fix UTF-16 surrogate handling in wctomb and friends.
  Addresses: https://cygwin.com/ml/cygwin/2015-03/msg00452.html


To install 32-bit Cygwin use https://cygwin.com/setup-x86.exe
To install 64 bit Cygwin use https://cygwin.com/setup-x86_64.exe

If you're already running a 32 bit version of Cygwin on 64 bit Windows
machines, you can continue to do so.  If you're planning a new install
of Cygwin on a 64 bit Windows machine, consider using the new 64 bit
Cygwin version, unless you need certain packages not yet available in
the 64 bit release.


Have fun,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-12 19:23 [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3 Corinna Vinschen
@ 2015-04-12 21:19 ` Bryan Berns
  2015-04-13  7:17   ` Corinna Vinschen
  0 siblings, 1 reply; 23+ messages in thread
From: Bryan Berns @ 2015-04-12 21:19 UTC (permalink / raw)
  To: cygwin

On Sun, Apr 12, 2015 at 3:17 PM, Corinna Vinschen
<corinna-cygwin@cygwin.com> wrote:
> Hi Cygwin friends and users,
>
>
> New 2.0.0-0.3 test release.  It's supposed to fix the pty chmod problem
> reported in https://cygwin.com/ml/cygwin/2015-04/msg00240.html
>

Just a note: In 2.0.0-0.2, creating a file using touch on the root of
one of my drives resulted in the Windows GUI Security tabs
complaining about ACE order on the resultant file.  In 2.0.0-0.3,
Windows does not complain and the ACL looks quite a bit different
(shown below).  Not sure if this is a problem or not --- just wanted
to report the difference in case your fix had an unintended side
effect.  Given my heart skips a beat when I see DENY ACEs, I like the
new behavior better.

V:\>icacls v:
v: BUILTIN\Administrators:(OI)(CI)(F)
   NT AUTHORITY\SYSTEM:(OI)(CI)(F)
   NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
   BUILTIN\Users:(OI)(CI)(RX)

Output from file created from 2.0.0-0.3:

V:\>icacls touch-from-3
touch-from-3 DOMAIN\Administrator:(R,W,D,WDAC,WO)
             DOMAIN\Domain Users:(R)
             Everyone:(R)
             BUILTIN\Administrators:(F)
             NT AUTHORITY\SYSTEM:(F)
             NT AUTHORITY\Authenticated Users:(M)
             BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files

Output from file created from 2.0.0-0.2:

V:\>icacls touch-from-2
touch-from-2 NULL SID:(DENY)(Rc,S,WEA,X,DC)
             DOMAIN\Administrator:(R,W,D,WDAC,WO)
             DOMAIN\Domain Users:(DENY)(S,X)
             NT AUTHORITY\Authenticated Users:(DENY)(S,X)
             BUILTIN\Users:(DENY)(S,X)
             DOMAIN\Domain Users:(RX)
             NT AUTHORITY\Authenticated Users:(RX,W)
             NT AUTHORITY\SYSTEM:(RX,W)
             BUILTIN\Administrators:(RX,W)
             BUILTIN\Users:(RX)
             Everyone:(R)

Successfully processed 1 files; Failed processing 0 files


* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-12 21:19 ` Bryan Berns
@ 2015-04-13  7:17   ` Corinna Vinschen
  2015-04-13  7:32     ` Corinna Vinschen
  2015-04-13 11:13     ` Bryan Berns
  0 siblings, 2 replies; 23+ messages in thread
From: Corinna Vinschen @ 2015-04-13  7:17 UTC (permalink / raw)
  To: cygwin


On Apr 12 17:19, Bryan Berns wrote:
> On Sun, Apr 12, 2015 at 3:17 PM, Corinna Vinschen
> <corinna-cygwin@cygwin.com> wrote:
> > Hi Cygwin friends and users,
> >
> >
> > New 2.0.0-0.3 test release.  It's supposed to fix the pty chmod problem
> > reported in https://cygwin.com/ml/cygwin/2015-04/msg00240.html
> >
> 
> Just a note: In 2.0.0-0.2, creating a file using touch on the root of
> one of my drives resulted in the Windows GUI Security tabs
> complaining about ACE order on the resultant file.  In 2.0.0-0.3,
> Windows does not complain and the ACL looks quite a bit different
> (shown below).  Not sure if this is a problem or not --- just wanted
> to report the difference in case your fix had an unintended side
> effect.  Given my heart skips a beat when I see DENY ACEs, I like the
> new behavior better.

Deny ACEs, if used correctly, are ok.  Cygwin needs them to implement
the POSIX ACL MASK value.  Consider:

  mask:      rw-
  user foo:  r-x
             ---
  effective: r--

Cygwin needs to know that user foo has real permission r-x, so
the ALLOW ACE contains (RX).  But the mask value forbids write
perms, so the user gets a DENY ACE, along these lines:

  MASK:      rwx
  foo DENY:  --x
  foo ALLOW: r-x

So the effective permissions for user foo are r--, while Cygwin
still knows that the actual permissions are r-x.

> V:\>icacls v:
> v: BUILTIN\Administrators:(OI)(CI)(F)
>    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
>    NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
>    BUILTIN\Users:(OI)(CI)(RX)
> 
> Output from file created from 2.0.0-0.3:
> 
> V:\>icacls touch-from-3
> touch-from-3 DOMAIN\Administrator:(R,W,D,WDAC,WO)
>              DOMAIN\Domain Users:(R)
>              Everyone:(R)
>              BUILTIN\Administrators:(F)
>              NT AUTHORITY\SYSTEM:(F)
>              NT AUTHORITY\Authenticated Users:(M)
>              BUILTIN\Users:(RX)

I don't believe this is an ACL created by Cygwin 2.0.0 at all.
It's missing the NULL deny ACE.

> Successfully processed 1 files; Failed processing 0 files
> 
> Output from file created from 2.0.0-0.2:
> 
> V:\>icacls touch-from-2
> touch-from-2 NULL SID:(DENY)(Rc,S,WEA,X,DC)
>              DOMAIN\Administrator:(R,W,D,WDAC,WO)
>              DOMAIN\Domain Users:(DENY)(S,X)
>              NT AUTHORITY\Authenticated Users:(DENY)(S,X)
>              BUILTIN\Users:(DENY)(S,X)
>              DOMAIN\Domain Users:(RX)
>              NT AUTHORITY\Authenticated Users:(RX,W)
>              NT AUTHORITY\SYSTEM:(RX,W)
>              BUILTIN\Administrators:(RX,W)
>              BUILTIN\Users:(RX)
>              Everyone:(R)

The ACL looks vaguely ok, but I'd need to know the owner, group,
and what Cygwin thinks the ACLs look like in POSIX speak (getfacl
output).

I'm AFK most of today, though, so a reply may take a while...


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-13  7:17   ` Corinna Vinschen
@ 2015-04-13  7:32     ` Corinna Vinschen
  2015-04-13 11:13     ` Bryan Berns
  1 sibling, 0 replies; 23+ messages in thread
From: Corinna Vinschen @ 2015-04-13  7:32 UTC (permalink / raw)
  To: cygwin


On Apr 13 09:17, Corinna Vinschen wrote:
> On Apr 12 17:19, Bryan Berns wrote:
> > On Sun, Apr 12, 2015 at 3:17 PM, Corinna Vinschen
> > <corinna-cygwin@cygwin.com> wrote:
> > > Hi Cygwin friends and users,
> > >
> > >
> > > New 2.0.0-0.3 test release.  It's supposed to fix the pty chmod problem
> > > reported in https://cygwin.com/ml/cygwin/2015-04/msg00240.html
> > >
> > 
> > Just a note: In 2.0.0-0.2, creating a file using touch on the root of
> > one of my drives resulted in the Windows GUI Security tabs
> > complaining about ACE order on the resultant file.

I forgot to mention:  Yes, that's expected for some ACLs.  Cygwin tries
to minimize the number of DENY ACEs, but depending on the permissions
and the MASK value you end up with something like this:

  NULL DENY
  USER 1 DENY
  USER 2 DENY
  ...
  USER 1 ALLOW
  USER 2 ALLOW
  ...
  GROUP 1 DENY
  GROUP 2 DENY
  ...
  GROUP 1 ALLOW
  GROUP 2 ALLOW
  ...
  OTHER ALLOW

  Rinse and repeat with default (aka "inheritable") permissions.

This or some other, similar technique is required to reproduce POSIX
ACLs with Windows ACLs.  Don't let the Windows GUI reorder them to
generate the "canonical" (but incomplete) order.  This is along the
same lines as described in
https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-files


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-13  7:17   ` Corinna Vinschen
  2015-04-13  7:32     ` Corinna Vinschen
@ 2015-04-13 11:13     ` Bryan Berns
  1 sibling, 0 replies; 23+ messages in thread
From: Bryan Berns @ 2015-04-13 11:13 UTC (permalink / raw)
  To: cygwin

> On Apr 12 17:19, Bryan Berns wrote:
>> On Sun, Apr 12, 2015 at 3:17 PM, Corinna Vinschen
>> <corinna-cygwin@cygwin.com> wrote:
>>
>> V:\>icacls touch-from-3
>> touch-from-3 DOMAIN\Administrator:(R,W,D,WDAC,WO)
>>              DOMAIN\Domain Users:(R)
>>              Everyone:(R)
>>              BUILTIN\Administrators:(F)
>>              NT AUTHORITY\SYSTEM:(F)
>>              NT AUTHORITY\Authenticated Users:(M)
>>              BUILTIN\Users:(RX)
>
> I don't believe this is an ACL created by Cygwin 2.0.0 at all.
> It's missing the NULL deny ACE.

Now that I'm testing again, I think you're right; I had an older
installation on my backup drive try that I think somehow tainted one
of my sessions.  I'll include version information in my output in the
future.  Sorry!


* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-15  7:46                       ` Houder
@ 2015-04-15  9:04                         ` Corinna Vinschen
  0 siblings, 0 replies; 23+ messages in thread
From: Corinna Vinschen @ 2015-04-15  9:04 UTC (permalink / raw)
  To: cygwin


On Apr 15 09:46, Houder wrote:
> %% getfacl alfa
> # file: alfa
> # owner: Test
> # group: None
> user::r--
> group::rw-
> other:---
> 
> %% icacls.sh alfa
> E:/Cygwin-test/home/Test/alfa
>    Owner: Test, Group: None
>    NULL SID                           (DENY)(Rc,S)
>    Seven\Test                         (DENY)(S,WD,AD,WEA,DC)
>    Seven\Test                         (R,D,WDAC,WO,WA)
>    Seven\None                         (R,W)
>    Everyone                           (Rc,S,RA)
> Successfully processed 1 files; Failed processing 0 files
> 
> %% ls -ld .
> drwxr-xr-x+ 1 Test None 0 Apr 14 19:39 .
> 
> %% getfacl .
> # file: .
> # owner: Test
> # group: None
> user::rwx
> group::r-x
> other:r-x
> default:user::rwx
> default:group::r-x
> default:other:r-x
> 
> %% icacls.sh .
> E:/Cygwin-test/home/Test/
>    Owner: Test, Group: None
>    NULL SID                           (DENY)(Rc,S)
>    Seven\Test                         (F)
>    Seven\None                         (RX)
>    Everyone                           (RX)
>    NULL SID                           (OI)(CI)(IO)(DENY)(Rc,S)
>    CREATOR OWNER                      (OI)(CI)(IO)(F)
>    CREATOR GROUP                      (OI)(CI)(IO)(RX)
>    Everyone                           (OI)(CI)(IO)(RX)
> Successfully processed 1 files; Failed processing 0 files
> 
> Whether or not the DACLs of file alfa and parent directory make sense, I must
> rely on your wisdom ...

They do look good to me.  I'm just wondering if I shouldn't drop the
NULL ACE if there's neither one of the special POSIX permission bits
(S_ISUID, S_ISGID, S_ISVTX) nor a CLASS_OBJ.  Hmm.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-15  7:13                     ` Corinna Vinschen
@ 2015-04-15  7:46                       ` Houder
  2015-04-15  9:04                         ` Corinna Vinschen
  0 siblings, 1 reply; 23+ messages in thread
From: Houder @ 2015-04-15  7:46 UTC (permalink / raw)
  To: cygwin

> On Apr 14 20:38, Houder wrote:
>> > On Apr 14 18:32, Houder wrote:
>> >> Btw, I will only report back on this in case you are INcorrect above.
>> >
>> > Uhm... I wouldn't be too unhappy to get positive feedback as well...
>>
>> Oh well, alright, I tried to save us both some time :-)
>>
>> Reinstalled the whole shebang, and re-executed my test. This time I was
>> NOT surprised.
>
> Cool, thanks!  Did you inspect the ACLs for directories and files?
> Do they make sense?

Oops, better make a proper report next time :-)

%% pwd
/home/Test
%% ls -l
total 1
-r--rw---- 1 Test None 6 Apr 14 19:40 alfa

%% getfacl alfa
# file: alfa
# owner: Test
# group: None
user::r--
group::rw-
other:---

%% icacls.sh alfa
E:/Cygwin-test/home/Test/alfa
   Owner: Test, Group: None
   NULL SID                           (DENY)(Rc,S)
   Seven\Test                         (DENY)(S,WD,AD,WEA,DC)
   Seven\Test                         (R,D,WDAC,WO,WA)
   Seven\None                         (R,W)
   Everyone                           (Rc,S,RA)
Successfully processed 1 files; Failed processing 0 files

%% ls -ld .
drwxr-xr-x+ 1 Test None 0 Apr 14 19:39 .

%% getfacl .
# file: .
# owner: Test
# group: None
user::rwx
group::r-x
other:r-x
default:user::rwx
default:group::r-x
default:other:r-x

%% icacls.sh .
E:/Cygwin-test/home/Test/
   Owner: Test, Group: None
   NULL SID                           (DENY)(Rc,S)
   Seven\Test                         (F)
   Seven\None                         (RX)
   Everyone                           (RX)
   NULL SID                           (OI)(CI)(IO)(DENY)(Rc,S)
   CREATOR OWNER                      (OI)(CI)(IO)(F)
   CREATOR GROUP                      (OI)(CI)(IO)(RX)
   Everyone                           (OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files

Whether or not the DACLs of file alfa and parent directory make sense, I must
rely on your wisdom ...

Regards,

Henri

=====



* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-14 18:38                   ` Houder
@ 2015-04-15  7:13                     ` Corinna Vinschen
  2015-04-15  7:46                       ` Houder
  0 siblings, 1 reply; 23+ messages in thread
From: Corinna Vinschen @ 2015-04-15  7:13 UTC (permalink / raw)
  To: cygwin


On Apr 14 20:38, Houder wrote:
> > On Apr 14 18:32, Houder wrote:
> >> Btw, I will only report back on this in case you are INcorrect above.
> >
> > Uhm... I wouldn't be too unhappy to get positive feedback as well...
> 
> Oh well, alright, I tried to save us both some time :-)
> 
> Reinstalled the whole shebang, and re-executed my test. This time I was
> NOT surprised.

Cool, thanks!  Did you inspect the ACLs for directories and files?
Do they make sense?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-14 18:21                 ` Corinna Vinschen
@ 2015-04-14 18:38                   ` Houder
  2015-04-15  7:13                     ` Corinna Vinschen
  0 siblings, 1 reply; 23+ messages in thread
From: Houder @ 2015-04-14 18:38 UTC (permalink / raw)
  To: cygwin

> On Apr 14 18:32, Houder wrote:
>> Btw, I will only report back on this in case you are INcorrect above.
>
> Uhm... I wouldn't be too unhappy to get positive feedback as well...

Oh well, alright, I tried to save us both some time :-)

Reinstalled the whole shebang, and re-executed my test. This time I was
NOT surprised.

(only for the 32-bits version of Cygwin)

Thank you!

Regards,

Henri



* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-14 16:32               ` Houder
@ 2015-04-14 18:21                 ` Corinna Vinschen
  2015-04-14 18:38                   ` Houder
  0 siblings, 1 reply; 23+ messages in thread
From: Corinna Vinschen @ 2015-04-14 18:21 UTC (permalink / raw)
  To: cygwin


On Apr 14 18:32, Houder wrote:
> > On Apr 14 17:26, Houder wrote:
> >> >        Everyone:(Rc,S,RA)
> >> >
> >> > The only reason I can think of is that the parent dir has default
> >> > permissions which imply the mask value already.  So, what does
> >> > `icacls . | cat' in this directory print?
> >>
> >> %% icacls . | cat
> >> . NULL SID:(DENY)(Rc,S,REA,X,DC)
> >>   Seven\Test:(F)
> >>   Seven\None:(RX)
> >>   Everyone:(RX)
> >>   NULL SID:(OI)(CI)(IO)(DENY)(Rc,S,REA,X,DC)
> >
> > As I thought.  There's a mask value already in there which influences
> > how the default permissions are inherited.  You created this dir with
> > Cygwin 2.0 already, right?  Remove the masks with
> 
> You created this dir with Cygwin 2.0 already, right? Correct! It did not
> occur to me to start all over again ...

No, me neither, sorry.

> >   $ setfacl -d m:,d:m: .
> >
> > and try again.
> >
> >>   CREATOR OWNER:(OI)(CI)(IO)(F)
> >>   CREATOR GROUP:(OI)(CI)(IO)(RX)
> >>   Everyone:(OI)(CI)(IO)(RX)
> >
> > This *should* work now.  I fear you have to remove the masks from
> > all files and dirs created by Cygwin 2.0.  Sorry, but that's what
> > testing is for ;}
> 
> No problem at all ...
> 
> Btw, I will only report back on this in case you are INcorrect above.

Uhm... I wouldn't be too unhappy to get positive feedback as well...


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-14 15:45             ` Corinna Vinschen
@ 2015-04-14 16:32               ` Houder
  2015-04-14 18:21                 ` Corinna Vinschen
  0 siblings, 1 reply; 23+ messages in thread
From: Houder @ 2015-04-14 16:32 UTC (permalink / raw)
  To: cygwin

> On Apr 14 17:26, Houder wrote:
>> >        Everyone:(Rc,S,RA)
>> >
>> > The only reason I can think of is that the parent dir has default
>> > permissions which imply the mask value already.  So, what does
>> > `icacls . | cat' in this directory print?
>>
>> %% icacls . | cat
>> . NULL SID:(DENY)(Rc,S,REA,X,DC)
>>   Seven\Test:(F)
>>   Seven\None:(RX)
>>   Everyone:(RX)
>>   NULL SID:(OI)(CI)(IO)(DENY)(Rc,S,REA,X,DC)
>
> As I thought.  There's a mask value already in there which influences
> how the default permissions are inherited.  You created this dir with
> Cygwin 2.0 already, right?  Remove the masks with

You created this dir with Cygwin 2.0 already, right? Correct! It did not
occur to me to start all over again ...

>   $ setfacl -d m:,d:m: .
>
> and try again.
>
>>   CREATOR OWNER:(OI)(CI)(IO)(F)
>>   CREATOR GROUP:(OI)(CI)(IO)(RX)
>>   Everyone:(OI)(CI)(IO)(RX)
>
> This *should* work now.  I fear you have to remove the masks from
> all files and dirs created by Cygwin 2.0.  Sorry, but that's what
> testing is for ;}

No problem at all ...

Btw, I will only report back on this in case you are INcorrect above.

Henri



* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-14 15:35       ` Achim Gratz
@ 2015-04-14 15:53         ` Corinna Vinschen
  0 siblings, 0 replies; 23+ messages in thread
From: Corinna Vinschen @ 2015-04-14 15:53 UTC (permalink / raw)
  To: cygwin


On Apr 14 15:35, Achim Gratz wrote:
> Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > Yes, perfectly normal and that already occurred with older ACLs
> > created by Cygwin:
> > 
> > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-files
> > 
> > Don't reorder them.
> 
> Ah, OK.  I must have been lucky not to encounter them so far.

The order is only supposed to become non-canonical if user(s)
have less permissions than group(s), and if group(s) have more
permissions than the MASK value and less permissions than "other".
In these cases, DENY ACEs have to be generated to create an ACE which
fully supports POSIX permissions.

However, the DENY ACEs for groups must not precede the ALLOW ACEs for
USERs due to the way permissions are handled by the OS.  "Canonical"
ACLs just don't allow to fully express POSIX permissions.  It's a pity
that this arbitrary rule has been expressed, especially given that the
OS doesn't really care.  It handles the ACEs simply in order of
occurrence.  There's also no good reason that the GUI wants to reorder,
except that Microsoft didn't implement a GUI which allows manual
ordering of ACEs.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
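
Added example (not part of the thread, and not Cygwin's code): a small Python model of two points made in this thread, the DENY/ALLOW pair that encodes a MASK for a user, and the in-order ACE walk that makes the non-canonical layout necessary. The names alice, staff and foo, the r/w/x stand-ins for Windows rights, and the rule used to pick DENY bits are assumptions made for the illustration.

```python
# Added illustration with constructed data; not Cygwin source code.
# POSIX r/w/x bits stand in for Windows access rights, and the NULL SID
# ACE seen in the thread's icacls output is left out of the model.
R, W, X = 4, 2, 1
EVERYONE = "Everyone"


def access_check(acl, sids, wanted):
    """Walk the ACEs strictly in order, the way the thread says the OS does.

    acl is a list of (kind, sid, bits) with kind "DENY" or "ALLOW"; sids is
    the set of SIDs in the caller's token. A DENY on a bit that is still
    outstanding ends the walk; ALLOW bits accumulate until all are granted.
    """
    remaining = wanted
    for kind, sid, bits in acl:
        if remaining == 0:
            break
        if sid not in sids:
            continue
        if kind == "DENY":
            if bits & remaining:
                return False
        else:
            remaining &= ~bits
    return remaining == 0


def effective(acl, sids):
    """Bits the token actually gets, probed one right at a time."""
    return sum(bit for bit in (R, W, X) if access_check(acl, sids, bit))


def stored_perms(acl, sid):
    """The 'real' permission kept in the ALLOW ACEs for sid."""
    perms = 0
    for kind, ace_sid, bits in acl:
        if kind == "ALLOW" and ace_sid == sid:
            perms |= bits
    return perms


def build_acl(owner, owner_bits, group, group_bits, other_bits,
              named_users=(), mask=R | W | X):
    """Lay ACEs out in the order listed in the thread.

    Assumed simplification: a principal gets a DENY for every bit that a
    later ACE could hand it but its own entry lacks, plus (except for the
    owner) every bit of its own entry that the mask forbids.
    """
    users = [(owner, owner_bits, 0)]
    users += [(sid, bits, bits & ~mask) for sid, bits in named_users]
    later = group_bits | other_bits
    acl = []
    for sid, bits, masked in users:                          # USER n DENY
        deny = (later & ~bits) | masked
        if deny:
            acl.append(("DENY", sid, deny))
    acl += [("ALLOW", sid, bits) for sid, bits, _ in users]  # USER n ALLOW
    group_deny = (other_bits & ~group_bits) | (group_bits & ~mask)
    if group_deny:
        acl.append(("DENY", group, group_deny))              # GROUP DENY
    acl.append(("ALLOW", group, group_bits))                 # GROUP ALLOW
    acl.append(("ALLOW", EVERYONE, other_bits))              # OTHER ALLOW
    return acl


def canonical_order(acl):
    """What a GUI reorder does: every DENY ahead of every ALLOW (stable)."""
    return sorted(acl, key=lambda ace: ace[0] != "DENY")


def group_below_other():
    """Mode 0746: owner alice (in staff) rwx, group staff r--, other rw-."""
    acl = build_acl("alice", R | W | X, "staff", R, R | W)
    alice = {"alice", "staff", EVERYONE}
    return effective(acl, alice), effective(canonical_order(acl), alice)


def masked_named_user():
    """The thread's mask example: user foo r-x under mask rw-."""
    acl = build_acl("alice", R | W, "staff", R, 0,
                    named_users=[("foo", R | X)], mask=R | W)
    return effective(acl, {"foo", EVERYONE}), stored_perms(acl, "foo")


if __name__ == "__main__":
    as_built, reordered = group_below_other()
    print("owner, thread order:   ", format(as_built, "03b"))
    print("owner, canonical order:", format(reordered, "03b"))
    eff, real = masked_named_user()
    print("foo effective:", format(eff, "03b"), "stored:", format(real, "03b"))
```

In the 0746 case the owner keeps rwx with the layout from the thread but drops to r-x once the group DENY is moved ahead of the owner's ALLOW, which is the reordering the thread says not to apply.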


* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-14 15:26           ` Houder
@ 2015-04-14 15:45             ` Corinna Vinschen
  2015-04-14 16:32               ` Houder
  0 siblings, 1 reply; 23+ messages in thread
From: Corinna Vinschen @ 2015-04-14 15:45 UTC (permalink / raw)
  To: cygwin


On Apr 14 17:26, Houder wrote:
> >        Everyone:(Rc,S,RA)
> >
> > The only reason I can think of is that the parent dir has default
> > permissions which imply the mask value already.  So, what does
> > `icacls . | cat' in this directory print?
> 
> %% icacls . | cat
> . NULL SID:(DENY)(Rc,S,REA,X,DC)
>   Seven\Test:(F)
>   Seven\None:(RX)
>   Everyone:(RX)
>   NULL SID:(OI)(CI)(IO)(DENY)(Rc,S,REA,X,DC)

As I thought.  There's a mask value already in there which influences
how the default permissions are inherited.  You created this dir with
Cygwin 2.0 already, right?  Remove the masks with

  $ setfacl -d m:,d:m: .

and try again.

>   CREATOR OWNER:(OI)(CI)(IO)(F)
>   CREATOR GROUP:(OI)(CI)(IO)(RX)
>   Everyone:(OI)(CI)(IO)(RX)

This *should* work now.  I fear you have to remove the masks from
all files and dirs created by Cygwin 2.0.  Sorry, but that's what
testing is for ;}


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-14 14:52     ` Corinna Vinschen
@ 2015-04-14 15:35       ` Achim Gratz
  2015-04-14 15:53         ` Corinna Vinschen
  0 siblings, 1 reply; 23+ messages in thread
From: Achim Gratz @ 2015-04-14 15:35 UTC (permalink / raw)
  To: cygwin

Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> Yes, perfectly normal and that already occurred with older ACLs
> created by Cygwin:
> 
> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-files
> 
> Don't reorder them.

Ah, OK.  I must have been lucky not to encounter them so far.


Regards,
Achim.



* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-14 15:12         ` Corinna Vinschen
@ 2015-04-14 15:26           ` Houder
  2015-04-14 15:45             ` Corinna Vinschen
  0 siblings, 1 reply; 23+ messages in thread
From: Houder @ 2015-04-14 15:26 UTC (permalink / raw)
  To: cygwin

> On Apr 14 17:01, Houder wrote:
>> %% uname -a
>> CYGWIN_NT-6.1-WOW Seven 2.0.0(0.287/5/3) 2015-04-14 10:45 i686 Cygwin
>> %% pwd
>> /home/Test
>> %% touch alfa
>> %% chmod 460 alfa
>> %% echo aha > alfa
>> bash: alfa: Permission denied           # no problem here ...
>>
>> %% getfacl alfa
>> # file: alfa
>> # owner: Test
>> # group: None
>> user::r--
>> group::r-x
>> mask:rw-
>> other:---
>> %% icacls alfa
>> alfa NULL SID:(DENY)(Rc,S,WEA,X,DC)
>>      Seven\Test:(DENY)(S,WD,AD,WEA,DC)
>>      Seven\Test:(R,D,WDAC,WO,WA)
>>      Seven\None:(DENY)(S,X)
>>      Seven\None:(RX)
>>      Everyone:(Rc,S,RA)
>>      Successfully processed 1 files; Failed processing 0 files
>> %%
>
> This looks exactly like the ACL created by -0.3.  It produces this MASK
> value.  The rest is just the logical consequence.  But it doesn't do
> that for me:
>
>   $ uname -a
>   CYGWIN_NT-6.3 vmbert8164 2.0.0(0.287/5/3) 2015-04-14 10:47 x86_64 Cygwin
>   $ touch alfa
>   $ getfacl alfa
>   # file: alfa
>   # owner: corinna
>   # group: vinschen
>   user::rw-
>   group::r--
>   other:r--
>
>   $ chmod 460 alfa
>   $ getfacl alfa
>   # file: alfa
>   # owner: corinna
>   # group: vinschen
>   user::r--
>   group::rw-
>   other:---
>
>   $ icacls alfa | cat
>   alfa NULL SID:(DENY)(Rc,S)
>        VINSCHEN\corinna:(DENY)(S,WD,AD,WEA,DC)
>        VINSCHEN\corinna:(R,D,WDAC,WO,WA)
>        VINSCHEN\vinschen:(R,W)
>        Everyone:(Rc,S,RA)
>
> The only reason I can think of is that the parent dir has default
> permissions which imply the mask value already.  So, what does
> `icacls . | cat' in this directory print?

%% icacls . | cat
. NULL SID:(DENY)(Rc,S,REA,X,DC)
  Seven\Test:(F)
  Seven\None:(RX)
  Everyone:(RX)
  NULL SID:(OI)(CI)(IO)(DENY)(Rc,S,REA,X,DC)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files

>
> Corinna
>
> --
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Maintainer                 cygwin AT cygwin DOT com
> Red Hat
>




* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-14 15:01       ` Houder
@ 2015-04-14 15:12         ` Corinna Vinschen
  2015-04-14 15:26           ` Houder
  0 siblings, 1 reply; 23+ messages in thread
From: Corinna Vinschen @ 2015-04-14 15:12 UTC (permalink / raw)
  To: cygwin


On Apr 14 17:01, Houder wrote:
> %% uname -a
> CYGWIN_NT-6.1-WOW Seven 2.0.0(0.287/5/3) 2015-04-14 10:45 i686 Cygwin
> %% pwd
> /home/Test
> %% touch alfa
> %% chmod 460 alfa
> %% echo aha > alfa
> bash: alfa: Permission denied           # no problem here ...
> 
> %% getfacl alfa
> # file: alfa
> # owner: Test
> # group: None
> user::r--
> group::r-x
> mask:rw-
> other:---
> %% icacls alfa
> alfa NULL SID:(DENY)(Rc,S,WEA,X,DC)
>      Seven\Test:(DENY)(S,WD,AD,WEA,DC)
>      Seven\Test:(R,D,WDAC,WO,WA)
>      Seven\None:(DENY)(S,X)
>      Seven\None:(RX)
>      Everyone:(Rc,S,RA)
>      Successfully processed 1 files; Failed processing 0 files
> %%

This looks exactly like the ACL created by -0.3.  It produces this MASK
value.  The rest is just the logical consequence.  But it doesn't do
that for me:

  $ uname -a
  CYGWIN_NT-6.3 vmbert8164 2.0.0(0.287/5/3) 2015-04-14 10:47 x86_64 Cygwin
  $ touch alfa
  $ getfacl alfa
  # file: alfa
  # owner: corinna
  # group: vinschen
  user::rw-
  group::r--
  other:r--

  $ chmod 460 alfa
  $ getfacl alfa
  # file: alfa
  # owner: corinna
  # group: vinschen
  user::r--
  group::rw-
  other:---

  $ icacls alfa | cat
  alfa NULL SID:(DENY)(Rc,S)
       VINSCHEN\corinna:(DENY)(S,WD,AD,WEA,DC)
       VINSCHEN\corinna:(R,D,WDAC,WO,WA)
       VINSCHEN\vinschen:(R,W)
       Everyone:(Rc,S,RA)
 
The only reason I can think of is that the parent dir has default
permissions which imply the mask value already.  So, what does
`icacls . | cat' in this directory print?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-14 14:50     ` Corinna Vinschen
@ 2015-04-14 15:01       ` Houder
  2015-04-14 15:12         ` Corinna Vinschen
  0 siblings, 1 reply; 23+ messages in thread
From: Houder @ 2015-04-14 15:01 UTC (permalink / raw)
  To: cygwin

> On Apr 14 16:18, Houder wrote:

>> Btw, I installed update 4 to Cygwin 2.0 ... and observe no change in the output
>> of getfacl, icacls ... also user Henri is still denied write access ...
>
> Did you re-create the file?

No ... I created a second file, named alfa ...

Henri

 ++ Cygwin 2.0 -- logged on as user Test

%% uname -a
CYGWIN_NT-6.1-WOW Seven 2.0.0(0.287/5/3) 2015-04-14 10:45 i686 Cygwin
%% pwd
/home/Test
%% touch alfa
%% chmod 460 alfa
%% echo aha > alfa
bash: alfa: Permission denied           # no problem here ...

%% getfacl alfa
# file: alfa
# owner: Test
# group: None
user::r--
group::r-x
mask:rw-
other:---
%% icacls alfa
alfa NULL SID:(DENY)(Rc,S,WEA,X,DC)
     Seven\Test:(DENY)(S,WD,AD,WEA,DC)
     Seven\Test:(R,D,WDAC,WO,WA)
     Seven\None:(DENY)(S,X)
     Seven\None:(RX)
     Everyone:(Rc,S,RA)
     Successfully processed 1 files; Failed processing 0 files
%%

 ++ logoff as Test, logged on as Henri

%% cd ../Test
%% pwd
/home/Test
%% id
uid=197608(Henri) gid=197121(None) groups=197121(None), ...

%% ls -l alfa
-r--rw---- 1 Test None 0 Apr 14 15:28 alfa
%% echo ho,ho > alfa
bash: alfa: Permission denied           # here is my problem <====

%% getfacl alfa
# file: alfa
# owner: Test
# group: None
user::r--
group::r-x
mask:rw-
other:---
%% icacls alfa
alfa NULL SID:(DENY)(Rc,S,WEA,X,DC)
     Seven\Test:(DENY)(S,WD,AD,WEA,DC)
     Seven\Test:(R,D,WDAC,WO,WA)
     Seven\None:(DENY)(S,X)
     Seven\None:(RX)
     Everyone:(Rc,S,RA)
     Successfully processed 1 files; Failed processing 0 files
%%

=====



* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-14 14:27   ` Achim Gratz
@ 2015-04-14 14:52     ` Corinna Vinschen
  2015-04-14 15:35       ` Achim Gratz
  0 siblings, 1 reply; 23+ messages in thread
From: Corinna Vinschen @ 2015-04-14 14:52 UTC (permalink / raw)
  To: cygwin


On Apr 14 14:27, Achim Gratz wrote:
> Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > I uploaded new snapshots to https://cygwin.com/snapshots/ and I'm just
> > uploading a 2.0.0-0.4 release.
> > 
> > Please give either of them a try.
> 
> Windows Server 2012R2 complains about the ordering of DACL after Cygwin has
> touched them when opening the security tab in explorer.

Yes, perfectly normal and that already occurred with older ACLs
created by Cygwin:

https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-files

Don't reorder them.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-14 14:18   ` Houder
@ 2015-04-14 14:50     ` Corinna Vinschen
  2015-04-14 15:01       ` Houder
  0 siblings, 1 reply; 23+ messages in thread
From: Corinna Vinschen @ 2015-04-14 14:50 UTC (permalink / raw)
  To: cygwin


On Apr 14 16:18, Houder wrote:
> > On Apr 13 18:10, Houder wrote:
> 
> >>  = Cygwin 2.0 -- logged on as user Test
> >>
> >> %% uname -a
> >> CYGWIN_NT-6.1-WOW Seven 2.0.0(0.287/5/3) 2015-04-12 21:09 i686 Cygwin
> >> %% pwd
> >> /home/Test
> >> %% id
> >> uid=197614(Test) gid=197121(None) groups=197121(None), ... followed by irrelevant j.
> >> 545(Users), 4(INTERACTIVE)66049(CONSOLE LOGON),11(Authenticated Users),15(This Organization),113(Local
> >> acount),4095(CurrentSession),
> >> 66048(LOCAL),262154(NTLM Authentication),401408(Medim Mandatory Level)
> >> %% touch file
> >> %% chmod 460 file
> >> %% echo aha > file
> >> bash: file: Permission denied
> >>
> >> %% getfacl file
> >> # file: file
> >> # owner: Test
> >> # group: None
> >> user::r--
> >> group::r-x
> >> mask:rw-
> >
> > Huh?  So it creates a mask even though it only contains standard POSIX
> > permissions.  This explains the "permission denied".  The group r-x
> > combined with a mask rw- results in effective r-- permissions for the
> > group None.  This yet again calls for adding the output of effective
> > permissions to getacl.
> 
> Now I am confused ...
> 
> Permission denied above (logon as user Test) did NOT surprise me ... It was
> the 'write denial' after that (logon as user Henri).

Yes.  That's what I explained.  The user Henri has only access to the
file via the permissions of None or Everyone.  Since the wrongly created
mask only allowed read permissions to group None, Henri has no write
perms.

> Btw, I installed update 4 to Cygwin 2.0 ... and observe no change in the output
> of getfacl, icacls ... also user Henri is still denied write access ...

Did you re-create the file?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-14  8:58 ` Corinna Vinschen
  2015-04-14 14:18   ` Houder
@ 2015-04-14 14:27   ` Achim Gratz
  2015-04-14 14:52     ` Corinna Vinschen
  1 sibling, 1 reply; 23+ messages in thread
From: Achim Gratz @ 2015-04-14 14:27 UTC (permalink / raw)
  To: cygwin

Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> I uploaded new snapshots to https://cygwin.com/snapshots/ and I'm just
> uploading a 2.0.0-0.4 release.
> 
> Please give either of them a try.

Windows Server 2012R2 complains about the ordering of DACL after Cygwin has
touched them when opening the security tab in explorer.  Specifically it
seems to want any entry for "Everyone" to be at the very end of the list,
rather than after the NULL SID.


Regards,
Achim.




* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-14  8:58 ` Corinna Vinschen
@ 2015-04-14 14:18   ` Houder
  2015-04-14 14:50     ` Corinna Vinschen
  2015-04-14 14:27   ` Achim Gratz
  1 sibling, 1 reply; 23+ messages in thread
From: Houder @ 2015-04-14 14:18 UTC (permalink / raw)
  To: cygwin

> On Apr 13 18:10, Houder wrote:

>>  = Cygwin 2.0 -- logged on as user Test
>>
>> %% uname -a
>> CYGWIN_NT-6.1-WOW Seven 2.0.0(0.287/5/3) 2015-04-12 21:09 i686 Cygwin
>> %% pwd
>> /home/Test
>> %% id
>> uid=197614(Test) gid=197121(None) groups=197121(None), ... followed by irrelevant j.
>> 545(Users), 4(INTERACTIVE)66049(CONSOLE LOGON),11(Authenticated Users),15(This Organization),113(Local
>> acount),4095(CurrentSession),
>> 66048(LOCAL),262154(NTLM Authentication),401408(Medim Mandatory Level)
>> %% touch file
>> %% chmod 460 file
>> %% echo aha > file
>> bash: file: Permission denied
>>
>> %% getfacl file
>> # file: file
>> # owner: Test
>> # group: None
>> user::r--
>> group::r-x
>> mask:rw-
>
> Huh?  So it creates a mask even though it only contains standard POSIX
> permissions.  This explains the "permission denied".  The group r-x
> combined with a mask rw- results in effective r-- permissions for the
> group None.  This yet again calls for adding the output of effective
> permissions to getacl.

Now I am confused ...

Permission denied above (logon as user Test) did NOT surprise me ... It was
the 'write denial' after that (logon as user Henri).

>> %% id
>> uid=197608(Henri) gid=197121(None) groups=197121(None), ...
>> %% ls -l file
>> -r--rw---- 1 Test None 0 Apr 13 17:12 file
>> %% echo ho,ho > file
>> bash: file: Permission denied                           # Huh? No, no, no ...

User Henri should be able to write the file, should he not? At least, that is
what the output of 'ls' says, and according to what I demanded:

    chmod 460 file

(file is owned by user Test; 'None' is the primary group of user Henri)

Btw, I installed update 4 to Cygwin 2.0 ... and observe no change in the output
of getfacl, icacls ... also user Henri is still denied write access ...

Henri

> I think I fixed the thinko in the code.  At one point I noticed that I
> mishandled the GROUP_OBJ permissions in new-style ACEs and my fix was
> apparently a bit too efficient :}
>
> I uploaded new snapshots to https://cygwin.com/snapshots/ and I'm just
> uploading a 2.0.0-0.4 release.
>
> Please give either of them a try.
>
> Thanks,
> Corinna

=====



* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
  2015-04-13 16:10 Houder
@ 2015-04-14  8:58 ` Corinna Vinschen
  2015-04-14 14:18   ` Houder
  2015-04-14 14:27   ` Achim Gratz
  0 siblings, 2 replies; 23+ messages in thread
From: Corinna Vinschen @ 2015-04-14  8:58 UTC (permalink / raw)
  To: cygwin


On Apr 13 18:10, Houder wrote:
> Hi Corinna,
> 
> Perhaps not relevant anymore (since you have returned to the drawing board) ...
> 
>  - after installing update 3 to Cygwin 2.0 ...
>  - created file while being logged on as user Test; subsequently executed: chmod 460 file
>  - switched back to user Henri and attempted to touch file: failed
>  - however, using Cygwin 1.7, and repeating the same procedure, I am able to touch the file (called file2)
> 
> Regards,
> 
> Henri
> 
>  = Cygwin 2.0 -- logged on as user Test
> 
> %% uname -a
> CYGWIN_NT-6.1-WOW Seven 2.0.0(0.287/5/3) 2015-04-12 21:09 i686 Cygwin
> %% pwd
> /home/Test
> %% id
> uid=197614(Test) gid=197121(None) groups=197121(None), ... followed by irrelevant j.
> 545(Users), 4(INTERACTIVE)66049(CONSOLE LOGON),11(Authenticated Users),15(This Organization),113(Local
> acount),4095(CurrentSession),
> 66048(LOCAL),262154(NTLM Authentication),401408(Medim Mandatory Level)
> %% touch file
> %% chmod 460 file
> %% echo aha > file
> bash: file: Permission denied
> 
> %% getfacl file
> # file: file
> # owner: Test
> # group: None
> user::r--
> group::r-x
> mask:rw-

Huh?  So it creates a mask even though it only contains standard POSIX
permissions.  This explains the "permission denied".  The group r-x
combined with a mask rw- results in effective r-- permissions for the
group None.  This yet again calls for adding the output of effective
permissions to getacl.

I think I fixed the thinko in the code.  At one point I noticed that I
mishandled the GROUP_OBJ permissions in new-style ACEs and my fix was
apparently a bit too efficient :}

I uploaded new snapshots to https://cygwin.com/snapshots/ and I'm just
uploading a 2.0.0-0.4 release.

Please give either of them a try.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
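
Added example, not part of the original thread and not Cygwin's code: a small Python model of the acl(5) access check, run over the two getfacl outputs quoted in this thread, showing why the extra mask entry costs group None its write bit while `ls -l` still prints `rw-`. The function names and the embedded ACL text are constructed for illustration; the rules assumed are those of the acl(5) page linked in the announcement.

```python
import re

# Constructed from the getfacl output quoted in this thread.
ACL_2_0_0_3 = """# file: file
# owner: Test
# group: None
user::r--
group::r-x
mask:rw-
other:---
"""
ACL_1_7 = """# file: file2
# owner: Test
# group: None
user::r--
group::rw-
other:---
"""

def parse_getfacl(text):
    """Return (owner, group, entries); entries maps (tag, qualifier) -> set of 'r','w','x'."""
    meta, entries = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"#\s*(owner|group):\s*(.+)", line)
        if m:
            meta[m.group(1)] = m.group(2)
        elif line and not line.startswith(("#", "default")):
            parts = line.split("#", 1)[0].strip().split(":")
            # Accept both "mask:rw-" (as printed in the thread) and "mask::rw-".
            qualifier = parts[1] if len(parts) == 3 else ""
            entries[(parts[0], qualifier)] = set(parts[-1]) & set("rwx")
    return meta["owner"], meta["group"], entries

def allowed(acl, user, groups, want):
    """acl(5) access check: first matching class decides; mask caps all but owner and other."""
    owner, group, e = acl
    mask = e.get(("mask", ""))
    masked = lambda p: p if mask is None else p & mask
    want = set(want)
    if user == owner:
        return want <= e[("user", "")]
    if ("user", user) in e:
        return want <= masked(e[("user", user)])
    matched = [p for (tag, q), p in e.items()
               if tag == "group" and (q in groups if q else group in groups)]
    if matched:  # no fall-through to "other" once a group entry matches
        return any(want <= masked(p) for p in matched)
    return want <= e[("other", "")]

def ls_mode(acl):
    """Permission bits as ls -l shows them: with a mask, the group column is the mask."""
    e = acl[2]
    classes = [e[("user", "")], e.get(("mask", ""), e[("group", "")]), e[("other", "")]]
    return "".join(c if c in p else "-" for p in classes for c in "rwx")

if __name__ == "__main__":
    for name, text in (("2.0.0-0.3", ACL_2_0_0_3), ("1.7", ACL_1_7)):
        acl = parse_getfacl(text)
        print(name, ls_mode(acl), "Henri may write:", allowed(acl, "Henri", {"None"}, "w"))
```

Both ACLs render as `r--rw----`, so the mode string alone cannot distinguish them; only the masked group entry does.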


* Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3
@ 2015-04-13 16:10 Houder
  2015-04-14  8:58 ` Corinna Vinschen
  0 siblings, 1 reply; 23+ messages in thread
From: Houder @ 2015-04-13 16:10 UTC (permalink / raw)
  To: cygwin

Hi Corinna,

Perhaps not relevant anymore (since you have returned to the drawing board) ...

 - after installing update 3 to Cygwin 2.0 ...
 - created file while being logged on as user Test; subsequently executed: chmod 460 file
 - switched back to user Henri and attempted to touch file: failed
 - however, using Cygwin 1.7, and repeating the same procedure, I am able to touch the file (called file2)

Regards,

Henri

 = Cygwin 2.0 -- logged on as user Test

%% uname -a
CYGWIN_NT-6.1-WOW Seven 2.0.0(0.287/5/3) 2015-04-12 21:09 i686 Cygwin
%% pwd
/home/Test
%% id
uid=197614(Test) gid=197121(None) groups=197121(None), ... followed by irrelevant j.
545(Users), 4(INTERACTIVE)66049(CONSOLE LOGON),11(Authenticated Users),15(This Organization),113(Local
acount),4095(CurrentSession),
66048(LOCAL),262154(NTLM Authentication),401408(Medim Mandatory Level)
%% touch file
%% chmod 460 file
%% echo aha > file
bash: file: Permission denied

%% getfacl file
# file: file
# owner: Test
# group: None
user::r--
group::r-x
mask:rw-
other:---
%% icacls file # note: here I removed all white clobber in the output
file NULL SID:(DENY)(Rc,S,WEA,X,DC)
Seven\Test:(DENY)(S,WD,AD,WEA,DC)
Sven\Test:(R,D,WDAC,WO,WA)                              # yes, should be Seven\Test ... Oh well
Seven\None:(DENY)(S,X)
Seven\None:(RX)
Evryone:(Rc,S,RA)                                       # yes, should be Everyone ... bzzz
Successfully processed 1 files; Failed processing 0 files
%%

 ++ logoff Test, logon Henri

%% pwd
/home/Henri
%% cd ../Test
%% id
uid=197608(Henri) gid=197121(None) groups=197121(None), ... followed by irrelevant j.
197615(HelpLibraryUpdaters),545(Users),4(INTERACTIVE),66049(CONSOLE LOGON),11(Authenticated Users),15(This Organization),
113(Local account),4095(CurrentSession),66048(LOCAL),262154(NTLM Authentication),401408(Medium Mandatory Level)
%% ls -l file
-r--rw---- 1 Test None 0 Apr 13 17:12 file
%% echo ho,ho > file
bash: file: Permission denied                           # Huh? No, no, no ...

%% getfacl file # same output as above
%% icacls file # same output as above

-----

 = Cygwin 1.7 -- logged in as user Test

@@ uname -a
CYGWIN_NT-6.1-WOW Seven 1.7.36(0.287/5/3) 2015-03-17 10:46 i686 Cygwin
@@ pwd
/home/Test
@@ id -a
uid=1006(Test) gid=513(None) groups=513(None),545(Users)
@@ touch file2
@@ chmod 460 file2
@@ ls -l file2
-r--rw---- 1 Test None 0 Apr 13 17:30 file2
@@ echo aha > file2
bash: file2: Permission denied

@@ getfacl file2
# file: file2
# owner: Test
# group: None
user::r--
group::rw-
other:---
@@ icacls file2
file2 Seven\Test:(DENY)(S,WD,AD,WEA)
      Seven\Test:(R,D,WDAC,WO,WA)
      Seven\None:(R,W)
      Everyone:(Rc,S,RA)
Successfully processed 1 files; Failed processing 0 files

 ++ logoff Test, logon Henri

@@ pwd
/home/Henri
@@ id -a
uid=1000(Henri) gid=513(None) groups=513(None),1007(HelpLibraryUpdaters),545(Users)
@@ cd ../Test
@@ ls -l file2
-r--rw---- 1 Test None 0 Apr 13 17:30 file2
@@ echo ho,ho > file2                                   # Yes, that is Unixy

@@ getfacl file2 # same output as above
@@ icacls file2 # same output as above

=====



Thread overview: 23+ messages
2015-04-12 19:23 [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.0.0-3 Corinna Vinschen
2015-04-12 21:19 ` Bryan Berns
2015-04-13  7:17   ` Corinna Vinschen
2015-04-13  7:32     ` Corinna Vinschen
2015-04-13 11:13     ` Bryan Berns
2015-04-13 16:10 Houder
2015-04-14  8:58 ` Corinna Vinschen
2015-04-14 14:18   ` Houder
2015-04-14 14:50     ` Corinna Vinschen
2015-04-14 15:01       ` Houder
2015-04-14 15:12         ` Corinna Vinschen
2015-04-14 15:26           ` Houder
2015-04-14 15:45             ` Corinna Vinschen
2015-04-14 16:32               ` Houder
2015-04-14 18:21                 ` Corinna Vinschen
2015-04-14 18:38                   ` Houder
2015-04-15  7:13                     ` Corinna Vinschen
2015-04-15  7:46                       ` Houder
2015-04-15  9:04                         ` Corinna Vinschen
2015-04-14 14:27   ` Achim Gratz
2015-04-14 14:52     ` Corinna Vinschen
2015-04-14 15:35       ` Achim Gratz
2015-04-14 15:53         ` Corinna Vinschen
