Date: Mon, 18 Mar 2024 11:41:44 +0100
From: Corinna Vinschen
To: cygwin@cygwin.com
Subject: Re: ACEs and ACLs

On Mar 16 18:05, J. Terry Corbet via Cygwin wrote:
> [...]
> And here is the status that icacls reports back on the original, owning
> workstation
> after having used vim to modify the two files from that remote workstation.
>
> FileExp.txt NULL SID:(DENY)(Rc,S,REA,WEA,X,DC)
>             NW10\tcorbet:(DENY)(S,RD,WD,AD,REA,WEA,X,DC)
>             NW10\tcorbet:(D,Rc,WDAC,WO,RA,WA)
>             NW10\None:(Rc,S,RA)
>             NT AUTHORITY\Authenticated Users:(RX,W)
>             NT AUTHORITY\SYSTEM:(RX,W)
>             BUILTIN\Administrators:(RX,W)
>             BUILTIN\Users:(RX)
>             Everyone:(Rc,S,RA)
>
> vimtest.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
>             NW10\tcorbet:(R,W,D,WDAC,WO)
>             NW10\None:(DENY)(S,X)
>             NT AUTHORITY\Authenticated Users:(DENY)(S,X)
>             NT AUTHORITY\SYSTEM:(DENY)(S,X)
>             BUILTIN\Administrators:(DENY)(S,X)
>             BUILTIN\Users:(DENY)(S,X)
>             NW10\None:(RX)
>             NT AUTHORITY\Authenticated Users:(RX,W)
>             NT AUTHORITY\SYSTEM:(RX,W)
>             BUILTIN\Administrators:(RX,W)
>             BUILTIN\Users:(RX)
>             Everyone:(R)
>
> If my understanding is correct concerning the precedence handling of an
> ACL with multiple ACEs for the same user/ID, this result from grep
> on the original, owning workstation would not surprise you:
>
> F:\Dev\cygshoot>grep foo fileexp.txt
> grep: fileexp.txt: Permission denied
>
> but it blows me completely away.  Clearly I no longer have an environment
> in which I can work on any file from any workstation using any Cygwin
> utilities.
>
> What have I messed up?

The problem is that your identity is based on the SID of every single
machine, and the machines don't know the SIDs of other machines.

The default ACL created in Cygwin is emulating POSIX permissions.  This
becomes a problem when sharing files between machines not in the same
Windows domain.

The workaround is not to use POSIX permissions on shares.
Create matching mount points in /etc/fstab or /etc/fstab.d/ and add the
"noacl" mount flag:

  https://cygwin.com/cygwin-ug-net/using.html#mount-table

Alternatively, you can also just add an fstab entry for the cygdrive
prefix which adds the "noacl" flag, see

  https://cygwin.com/cygwin-ug-net/using.html#cygdrive

but keep in mind that this also affects local paths if you access them
via the cygdrive prefix.


HTH,
Corinna
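
Added example (not part of the original message and not Cygwin code): the FileExp.txt listing quoted above, walked through the in-order ACE evaluation that Windows applies, to show which ACE produces the "Permission denied". The token contents, the generic-read request and the expansion of R/W/RX are assumptions made for the illustration.

```python
# Access-mask bits from winnt.h for the icacls abbreviations in the listing.
BITS = {"RD": 0x1, "WD": 0x2, "AD": 0x4, "REA": 0x8, "WEA": 0x10, "X": 0x20,
        "DC": 0x40, "RA": 0x80, "WA": 0x100, "D": 0x10000, "Rc": 0x20000,
        "WDAC": 0x40000, "WO": 0x80000, "S": 0x100000}
# Assumption: icacls prints R, W and RX for the FILE_GENERIC_READ, _WRITE
# and (_READ | _EXECUTE) masks respectively.
BITS.update({"R": 0x120089, "W": 0x120116, "RX": 0x1200A9})

# ACL of FileExp.txt, copied from the icacls output quoted in the message.
FILEEXP_ACL = r"""
NULL SID:(DENY)(Rc,S,REA,WEA,X,DC)
NW10\tcorbet:(DENY)(S,RD,WD,AD,REA,WEA,X,DC)
NW10\tcorbet:(D,Rc,WDAC,WO,RA,WA)
NW10\None:(Rc,S,RA)
NT AUTHORITY\Authenticated Users:(RX,W)
NT AUTHORITY\SYSTEM:(RX,W)
BUILTIN\Administrators:(RX,W)
BUILTIN\Users:(RX)
Everyone:(Rc,S,RA)
"""

# Constructed token: the SIDs assumed to be in tcorbet's logon on NW10.
TOKEN = {r"NW10\tcorbet", r"NW10\None", r"NT AUTHORITY\Authenticated Users",
         r"BUILTIN\Users", "Everyone"}

def parse_acl(text):
    """Yield (trustee, is_deny, mask) for each ACE line, in ACL order."""
    for line in text.strip().splitlines():
        trustee, rest = line.split(":(", 1)
        deny = rest.startswith("DENY)")
        mask = 0
        for name in rest.rstrip(")").rsplit("(", 1)[-1].split(","):
            mask |= BITS[name]
        yield trustee, deny, mask

def access_check(acl_text, token, desired):
    """Return (granted, deciding trustee) using first-match ACE ordering."""
    remaining = desired
    for trustee, deny, mask in parse_acl(acl_text):
        if trustee not in token:
            continue                      # ACE names a SID the caller lacks
        if deny:
            if mask & remaining:          # a still-needed bit is denied
                return False, trustee
        else:
            remaining &= ~mask            # allow ACE satisfies these bits
            if not remaining:
                return True, trustee
    return False, None                    # never fully granted

if __name__ == "__main__":
    print(access_check(FILEEXP_ACL, TOKEN, BITS["R"]))
```

The user-specific DENY entry sits ahead of every allow entry, so it decides the result for the file's own user before the group entries are considered.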