public inbox for cygwin@cygwin.com
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: Duplicate ACLs? - Can't copy file even with Admin permissions
Date: Mon, 10 Jan 2022 14:46:26 +0100
Message-ID: <Ydw4stFxX+he1A6b@calimero.vinschen.de>
In-Reply-To: <YdwFc2JA5FfH1Ktr@calimero.vinschen.de>

On Jan 10 11:07, Corinna Vinschen wrote:
> On Jan  7 15:56, cygwin@kosowsky.org wrote:
> > > Corinna Vinschen wrote:
> > > On Jan  6 16:11, cyg...@kosowsky.org wrote:
> > > It is.  I realized belatedly, that 3da9e136.acl is apparently a
> > > directory, not a file.
> > 
> > It's actually a file...
> 
> This is weird.  The meaning of the OI and CI markers is "Object
> inheritance" and "Container inheritance".  These bits only make sense
> for directories and they control how ACEs are inherited by child objects
> (files) and child containers (subdirs).
> 
> Consequentially, if I use `icacls /restore' on a file with the DACL
> saved by you, the OI and CI bits are simply ignored.  After /restore,
> if I call /save again the resulting file looks like this:
> 
>   $ cat aclfile-after-restore.sav
>   acltest
>   D:PAI(A;;FA;;;SY)(A;;0x1200a9;;;WD)(A;;FA;;;BA)

FTR, it's even worse.  Windows ACEs with inheritance flags result in
equivalent POSIX default ACEs.  Per Linux (or better, POSIX 1003.1e
draft 17), it's an error trying to set default ACEs on files.
Therefore, a process trying to set the permissions as in your case
would result in getting errno EACCES.  Cygwin follows suit.

> However, this gave me a clue.  If this is really a file, it's a good
> chance that the inheritance flags are restricted to directories at
> one point in either the Cygwin DLL itself, or the getfacl tool.
> 
> I'll have a look into the sources later, but I sure would prefer if
> I could create such a file locally.

I tried to create a file with equivalent ACL including the inheritance
flags on W7, W10 and W11, but to no avail.  After running icacls
/restore the resulting DACL does not contain inheritance flags on any
of the systems.  Neither do the different Windows GUIs allow setting
inheritance flags on files.

I also ran getfacl under GDB and manipulated getfacl into believing that
a directory with matching ACL is actually a file, but the output generated
by getfacl was not showing the default ACEs at all:

  # file: acltest
  # owner: Administrators
  # group: SYSTEM
  user::rwx
  group::rwx
  other::r-x


¯\_(ツ)_/¯
Corinna
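
Added example, not part of the original message and not Cygwin or icacls code: a small Python checker that reads text in the `icacls /save` layout shown above (object name line, then SDDL line) and lists the ACEs carrying inheritance flags such as OI and CI. The second sample entry is a constructed DACL standing in for the original save file, which is not shown in this message; the function names are hypothetical.

```python
import re

# SDDL ACE flag tokens that control inheritance (OI/CI are the ones discussed above).
INHERIT_FLAGS = {"OI", "CI", "NP", "IO"}

def parse_dacl(sddl):
    """Split the D: part of an SDDL string into (dacl_flags, list of ACE dicts).
    Conditional ACEs (nested parentheses) are not handled."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl)
    if m is None:
        raise ValueError("no DACL found in %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("unexpected ACE layout: (%s)" % body)
        aces.append({
            "type": fields[0],
            "flags": re.findall("[A-Z]{2}", fields[1]),
            "rights": fields[2],
            "trustee": fields[5],
        })
    return m.group(1), aces

def inheriting_aces(sddl):
    """Return (trustee, inheritance flags) for every ACE that carries any."""
    _, aces = parse_dacl(sddl)
    return [(a["trustee"], [f for f in a["flags"] if f in INHERIT_FLAGS])
            for a in aces if INHERIT_FLAGS.intersection(a["flags"])]

def scan_save_file(text):
    """icacls /save output alternates object name and SDDL lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return {name: inheriting_aces(sddl)
            for name, sddl in zip(lines[0::2], lines[1::2])}

# First entry is the post-restore DACL quoted in the message; the second is a
# constructed DACL with OI/CI set, standing in for the original save file.
SAMPLE = """\
acltest
D:PAI(A;;FA;;;SY)(A;;0x1200a9;;;WD)(A;;FA;;;BA)
constructed-example
D:PAI(A;OICI;FA;;;SY)(A;OICIIO;0x1200a9;;;WD)(A;;FA;;;BA)
"""

if __name__ == "__main__":
    for name, hits in scan_save_file(SAMPLE).items():
        print(name, hits or "no inheritance flags")
```

Real `icacls /save` files are typically UTF-16 encoded, so decode them before passing the text to `scan_save_file`.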
