public inbox for cygwin@cygwin.com
* RE: Files created in cygwin on fileshare no longer allow "delete" in NTFS
@ 2017-12-12  0:26 Eric Duesterhaus
  2017-12-12  9:17 ` Larry Hall (Cygwin)
  0 siblings, 1 reply; 4+ messages in thread
From: Eric Duesterhaus @ 2017-12-12  0:26 UTC (permalink / raw)
  To: cygwin

Hi Jürgen,

From an NTFS standpoint, the containing directory allows "Modify" level access to the AD group the users are members of.  Effective permissions shows the AD group members can do the following to the containing folder by virtue of being members of this group:

- Traverse folder / execute file
- List Folder /read data
- Read attributes
- Read extended attributes
- Create files /write data
- Create folders / append data
- Write attributes
- Write extended attributes
- Delete
- Read permissions

The following are NOT allowed of the AD group members:
- Full control
- Change Permissions
- Take ownership

Any file placed in this directory through windows file management inherits the correct permissions.  Files created from within Cygwin, even if I just do a "touch filename" allow the AD group "Read, write & execute" access instead of "Modify" access.  In effective access, the following have check marks for users that are members of the AD group:

- Traverse folder / execute file
- List Folder /read data
- Read attributes
- Read extended attributes
- Create files /write data
- Create folders / append data
- Write attributes
- Write extended attributes
- Read permissions

Note that there are two differences:
1. Delete permissions are now missing.
2. Inheritance has been disabled and all permissions that would have been inherited are on the file as explicit permissions, excepting "delete"

Thanks for the help so far!  Hopefully this answered your question.

> Hi Eric,
> what are the permission settings on the containing directory?
>
> Cheers,
> --J.

On 11.12.2017 20:58, Eric Duesterhaus wrote:
> Hi Cygwin Community,
>
> We are currently encountering an issue with Cygwin in regards to NTFS permissions on files created within Cygwin.  I'll try to outline my issue with specifics.
>
> 1.  There is a windows file server mapped to M:\ on a windows computer running Cygwin.
>
> 2.  There is an active directory group that has "Modify" level permissions  on this file share (In NTFS, Modify includes explicit "delete" rights)
>
> 3.  "User1" and "User2" are both members of the aforementioned AD group.
>
> 4.  A file is created in /cygdrive/m/filepath/ through Cygwin being run as "User1".
>
> 5. "User2" attempts to delete this file.  It does not work (access denied).  
>
> 6. Upon further inspection of this file's ACL, the AD group with Modify level permissions now only has "read, write, execute" permissions, which, using windows "Effective Access" tool shows that the checkbox that assigns "delete" rights is no longer checked for this group.
>
>
> I tried using getfacl on a file with the modify permission allowed to my AD group, then passed that file into setfacl with the -f option to overwrite the ACL of my created file.  From the NTFS point of view, my AD group still only has read/write/execute permissions instead of modify, which again, doesn't allow delete.
>
> For information gathering I use the resultant file from getfacl to setfacl -f on a file with "good" NTFS permissions, it overwrites the permissions and again, my AD group only has rwx and not "modify" permissions while looking at the ACL from windows.
>
> How can I retain NTFS "delete" rights for my users and groups on files created by Cygwin?
>  
> Eric 
>
>
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>
>

 


^ permalink raw reply	[flat|nested] 4+ messages in thread
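
The two differences reported in the message above (Delete missing, inheritance disabled) can be checked from the Windows side by decoding `icacls` output. This is an added example, not part of the original thread; the sample output lines, the group `EXAMPLE\ShareUsers` and the file names are constructed.

```python
import re

DELETE = 0x00010000  # NTFS DELETE access right (winnt.h)

# icacls rights tokens and the access masks they stand for.
RIGHTS = {
    "F": 0x1F01FF,   # Full control
    "M": 0x1301BF,   # Modify, which includes DELETE
    "RX": 0x1200A9,  # Read & execute
    "R": 0x120089,   # Read
    "W": 0x100116,   # Write
    "D": DELETE, "DE": DELETE,
}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}  # (I) = inherited from parent


def parse_ace(line, path=""):
    """Return (trustee, mask, inherited) for one icacls line, or None."""
    text = line.strip()
    if path and text.startswith(path):
        text = text[len(path):].strip()   # first line is prefixed by the path
    trustee, sep, rights = text.rpartition(":(")
    if not sep:
        return None                        # blank or summary line
    mask, inherited = 0, False
    for group in re.findall(r"\(([^)]*)\)", "(" + rights):
        if group in INHERIT_FLAGS:
            inherited = inherited or group == "I"
            continue
        for token in group.split(","):
            if token not in RIGHTS:
                raise ValueError(f"unhandled icacls right: {token}")
            mask |= RIGHTS[token]
    return trustee, mask, inherited


def audit(lines, path, trustee):
    """Return (can_delete, all_inherited) for `trustee` on one file."""
    aces = [a for a in (parse_ace(l, path) for l in lines) if a]
    mine = [a for a in aces if a[0].lower() == trustee.lower()]
    mask = 0
    for _, m, _ in mine:
        mask |= m
    return bool(mask & DELETE), bool(mine) and all(i for _, _, i in mine)


# Constructed sample output; group and file names are made up.
GROUP = r"EXAMPLE\ShareUsers"
FROM_EXPLORER = (r"M:\filepath\explorer.txt",
                 [r"M:\filepath\explorer.txt EXAMPLE\ShareUsers:(I)(M)"])
FROM_CYGWIN = (r"M:\filepath\touched.txt",
               [r"M:\filepath\touched.txt EXAMPLE\ShareUsers:(RX,W)", "",
                "Successfully processed 1 files; Failed processing 0 files"])
```

`RX` combined with `W` is `0x1201BF`, which differs from Modify (`0x1301BF`) only in the DELETE bit, matching the single missing checkbox in the two permission lists.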

* Re: Files created in cygwin on fileshare no longer allow "delete" in NTFS
  2017-12-12  0:26 Files created in cygwin on fileshare no longer allow "delete" in NTFS Eric Duesterhaus
@ 2017-12-12  9:17 ` Larry Hall (Cygwin)
  0 siblings, 0 replies; 4+ messages in thread
From: Larry Hall (Cygwin) @ 2017-12-12  9:17 UTC (permalink / raw)
  To: cygwin

On 12/11/2017 05:19 PM, Eric Duesterhaus wrote:
>>> How can I retain NTFS "delete" rights for my users and groups on
>>> files created by Cygwin?

<snip>

> Note that there are two differences:
> 1. Delete permissions are now missing.
> 2. Inheritance has been disabled and all permissions that would have
> been  inherited are on the file as explicit permissions, excepting "delete"

You haven't said yet how the M drive is mounted as far as Cygwin is
concerned.  Is it using Cygwin ACLs or not?  It looks to me like it is.
But if that doesn't explain what you're seeing, I would recommend using the
guidelines below with any follow-up to the list so we have some baseline
information and can eliminate anything obvious.

> Problem reports:       http://cygwin.com/problems.html
-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Files created in cygwin on fileshare no longer allow "delete" in NTFS
  2017-12-11 21:29 Eric Duesterhaus
@ 2017-12-11 22:19 ` Jürgen Wagner
  0 siblings, 0 replies; 4+ messages in thread
From: Jürgen Wagner @ 2017-12-11 22:19 UTC (permalink / raw)
  To: cygwin


Hi Eric,
  what are the permission settings on the containing directory?

Cheers,
--J.

On 11.12.2017 20:58, Eric Duesterhaus wrote:
> Hi Cygwin Community,
>
> We are currently encountering an issue with Cygwin in regards to NTFS permissions on files created within Cygwin.  I'll try to outline my issue with specifics.
>
> 1.  There is a windows file server mapped to M:\ on a windows computer running Cygwin.
>
> 2.  There is an active directory group that has "Modify" level permissions  on this file share (In NTFS, Modify includes explicit "delete" rights)
>
> 3.  "User1" and "User2" are both members of the aforementioned AD group.
>
> 4.  A file is created in /cygdrive/m/filepath/ through Cygwin being run as "User1".
>
> 5. "User2" attempts to delete this file.  It does not work (access denied).  
>
> 6. Upon further inspection of this file's ACL, the AD group with Modify level permissions now only has "read, write, execute" permissions, which, using windows "Effective Access" tool shows that the checkbox that assigns "delete" rights is no longer checked for this group.
>
>
> I tried using getfacl on a file with the modify permission allowed to my AD group, then passed that file into setfacl with the -f option to overwrite the ACL of my created file.  From the NTFS point of view, my AD group still only has read/write/execute permissions instead of modify, which again, doesn't allow delete.
>
> For information gathering I use the resultant file from getfacl to setfacl -f on a file with "good" NTFS permissions, it overwrites the permissions and again, my AD group only has rwx and not "modify" permissions while looking at the ACL from windows.
>
> How can I retain NTFS "delete" rights for my users and groups on files created by Cygwin?
>  
> Eric 
>
>




^ permalink raw reply	[flat|nested] 4+ messages in thread

* Files created in cygwin on fileshare no longer allow "delete" in NTFS
@ 2017-12-11 21:29 Eric Duesterhaus
  2017-12-11 22:19 ` Jürgen Wagner
  0 siblings, 1 reply; 4+ messages in thread
From: Eric Duesterhaus @ 2017-12-11 21:29 UTC (permalink / raw)
  To: cygwin

Hi Cygwin Community,

We are currently encountering an issue with Cygwin in regards to NTFS permissions on files created within Cygwin.  I'll try to outline my issue with specifics.

1.  There is a windows file server mapped to M:\ on a windows computer running Cygwin.

2.  There is an active directory group that has "Modify" level permissions  on this file share (In NTFS, Modify includes explicit "delete" rights)

3.  "User1" and "User2" are both members of the aforementioned AD group.

4.  A file is created in /cygdrive/m/filepath/ through Cygwin being run as "User1".

5. "User2" attempts to delete this file.  It does not work (access denied).  

6. Upon further inspection of this file's ACL, the AD group with Modify level permissions now only has "read, write, execute" permissions, which, using windows "Effective Access" tool shows that the checkbox that assigns "delete" rights is no longer checked for this group.


I tried using getfacl on a file with the modify permission allowed to my AD group, then passed that file into setfacl with the -f option to overwrite the ACL of my created file.  From the NTFS point of view, my AD group still only has read/write/execute permissions instead of modify, which again, doesn't allow delete.

For information gathering I use the resultant file from getfacl to setfacl -f on a file with "good" NTFS permissions, it overwrites the permissions and again, my AD group only has rwx and not "modify" permissions while looking at the ACL from windows.

How can I retain NTFS "delete" rights for my users and groups on files created by Cygwin?
 
Eric 



^ permalink raw reply	[flat|nested] 4+ messages in thread
