Date: Wed, 12 Jan 2022 10:33:59 +0100
From: Corinna Vinschen
To: cygwin@cygwin.com
Subject: Re: Duplicate ACLs? - Can't copy file even with Admin permissions

On Jan 10 14:46, Corinna Vinschen wrote:
> On Jan 10 11:07, Corinna Vinschen wrote:
> > On Jan 7 15:56, cyg...@kosowsky.org wrote:
> > > > Corinna Vinschen wrote:
> > > > On Jan 6 16:11, cyg...@kosowsky.org wrote:
> > > > It is. I realized belatedly, that 3da9e136.acl is apparently a
> > > > directory, not a file.
> > >
> > > It's actually a file...
> >
> > This is weird. The meaning of the OI and CI markers are "Object
> > inheritance" and "Container inheritance". These bits only make sense
> > for directories and they control how ACEs are inherited by child objects
> > (files) and child containers (subdirs).
> > [...]
> > I'll have a look into the sources later, but I sure would prefer if
> > I could create such a file locally.
>
> I tried to create a file with equivalent ACL including the inheritance
> flags on W7, W10 and W11, but to no avail.

Success!
I hacked a Q&D application which opens a file, reads its security
descriptor (SD) and just adds the object and container inherit flags to
all its DACL's ACEs and writes the SD back.

Although Windows tools and some of the security functions under the hood
don't allow adding inherit flags to files, some functions just write the
SD verbatim without checking.

So I was finally able to reproduce your issue:

  $ ./hackup acltest
  $ icacls acltest
  acltest NT AUTHORITY\SYSTEM:(OI)(CI)(F)
          Everyone:(OI)(CI)(RX)
          BUILTIN\Administrators:(OI)(CI)(F)

  Successfully processed 1 files; Failed processing 0 files
  $ getfacl acltest
  # file: acltest
  # owner: Administrators
  # group: SYSTEM
  user::rwx
  group::rwx
  other::r-x
  user::rwx
  group::rwx
  group:SYSTEM:rwx
  mask::rwx
  other::r-x

The Cygwin DLL reads the DACL and converts it to a POSIX ACL. An ACE
with inherit flags set is converted to a POSIX access ACE and
additionally to a POSIX default ACE. The latter is done independently
of the file type.

The calling function (still in Cygwin) doesn't expect default ACEs for
files and treats them as access ACEs. That's what you see in the
getfacl output above.

I fixed this in Cygwin by ignoring inheritance flags unless the object
is a directory, so the core function in Cygwin only creates default ACEs
for directories. The result when calling getfacl on such a file is
thus:

  $ getfacl acltest
  # file: acltest
  # owner: Administrators
  # group: SYSTEM
  user::rwx
  group::rwx
  other::r-x

I uploaded a developer snapshot to https://cygwin.com/snapshots
Please give it a try.

Corinna
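
Added example, not part of the original mail and not Cygwin's source: a simplified C model of the DACL-to-POSIX conversion described above, run on the three ACEs from the icacls output. The struct layouts, function names and the honor_file_type switch are assumptions made for illustration; only the two flag values are the real Windows constants.

```c
#include <stddef.h>
#include <stdio.h>

/* Real winnt.h values: OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE. */
#define OI 0x01u
#define CI 0x02u

/* Hypothetical, simplified stand-ins for a Windows ACE and a POSIX ACL entry. */
struct win_ace   { const char *who; unsigned perms; unsigned flags; };
struct posix_ent { const char *who; unsigned perms; int is_default; };

/* Every ACE yields an access entry; an ACE with inherit flags also yields a
   default entry.  honor_file_type = 0 models the behaviour before the fix
   (file type not consulted), 1 models the fix (flags ignored on files). */
size_t dacl_to_posix(const struct win_ace *dacl, size_t n, int is_dir,
                     int honor_file_type, struct posix_ent *out)
{
    size_t cnt = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned flags = dacl[i].flags;
        if (honor_file_type && !is_dir)
            flags &= ~(OI | CI);        /* inherit flags mean nothing on files */
        out[cnt++] = (struct posix_ent){ dacl[i].who, dacl[i].perms, 0 };
        if (flags & (OI | CI))
            out[cnt++] = (struct posix_ent){ dacl[i].who, dacl[i].perms, 1 };
    }
    return cnt;
}

/* Constructed sample mirroring the icacls output: F -> rwx (7), RX -> r-x (5). */
static const struct win_ace sample[] = {
    { "SYSTEM",         7, OI | CI },
    { "Everyone",       5, OI | CI },
    { "Administrators", 7, OI | CI },
};

/* Number of default entries the conversion emits for the sample DACL. */
size_t sample_defaults(int is_dir, int honor_file_type)
{
    struct posix_ent out[6];
    size_t n = dacl_to_posix(sample, 3, is_dir, honor_file_type, out), d = 0;
    for (size_t i = 0; i < n; i++)
        d += (size_t)out[i].is_default;
    return d;
}

int main(void)
{
    printf("file, before fix: %zu default entries\n", sample_defaults(0, 0));
    printf("file, after fix:  %zu default entries\n", sample_defaults(0, 1));
    printf("dir,  after fix:  %zu default entries\n", sample_defaults(1, 1));
    return 0;
}
```

The stray default entries in the "before" case are what the caller then misreads as duplicate access entries; a plain file that carries (OI)/(CI) in icacls output is the condition to look for on systems still running an unfixed DLL.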