From: Brian Inglis
Organization: Systematic Software
Reply-To: cygwin@cygwin.com
To: cygwin@cygwin.com
Subject: Re: Fwd: Objects in ACL cygwin win 10
Date: Sat, 24 Oct 2020 01:35:53 -0600

On 2020-10-24 01:09, Jim McNamara via Cygwin wrote:
> On Sat, Oct 24, 2020, 3:02 AM Jim McNamara wrote:
>> On Sat, Oct 24, 2020, 12:46 AM Brian Inglis wrote:
>>> On 2020-10-23 21:49, Jim McNamara via Cygwin wrote:
>>>> On Fri, Oct 23, 2020, 10:06 PM Eliot Moss wrote:
>>>>> I have to admit I am not 100% sure what you are asking, but I am
>>>>> careful to grant SYSTEM access so that my backup program can access
>>>>> and save a copy of virtually everything
>>>> Thanks for you and Brian helping me.
>>>> I used icacls cygwin /q /c /t reset
>>> You have to be very careful using icacls and other Windows commands with
>>> Cygwin ACLs as
>>>
>>> "ICACLS preserves the canonical ordering of ACE entries:
>>>     Explicit denials
>>>     Explicit grants
>>>     Inherited denials
>>>     Inherited grants"
>>>
>>> and Cygwin's POSIX ACLs may or may not obey this canonical order; Windows
>>> File Explorer often does not consider Cygwin ACLs in what it considers
>>> canonical order and requires them to be reordered, which breaks the Cygwin
>>> permissions.
>>>
>>> Ah, that "NT AUTHORITY/SYSTEM" SID, normally paired with
>>> BUILTIN/Administrators, as users, groups, or both:
>>>
>>> $ ls -dl /proc/cygdrive/c/Users/; echo; getfacl /proc/cygdrive/c/Users/; echo; icacls C:/Users/
>>> drwxr-xr-x+ 1 SYSTEM SYSTEM 0 Apr 13 2020 /proc/cygdrive/c/Users/
>>>
>>> # file: /proc/cygdrive/c/Users/
>>> # owner: SYSTEM
>>> # group: SYSTEM
>>> user::rwx
>>> group::r-x
>>> group:Administrators:rwx #effective:r-x
>>> group:Users:r-x
>>> mask::r-x
>>> other::r-x
>>> default:user::rwx
>>> default:group::---
>>> default:group:Administrators:rwx #effective:r-x
>>> default:group:Users:r-x
>>> default:mask::r-x
>>> default:other::r-x
>>>
>>> C:/Users/ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
>>>           BUILTIN\Administrators:(OI)(CI)(F)
>>>           BUILTIN\Users:(RX)
>>>           BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
>>>           Everyone:(RX)
>>>           Everyone:(OI)(CI)(IO)(GR,GE)
>>>
>>> Successfully processed 1 files; Failed processing 0 files
>> Yes, I see now what you are saying. Didn't know why it behaves like that.
>> Do you recommend:
>>
>> A. Noacl option in fstab
>> B. Reinstall and leave icacls in windows alone so I can deploy in future
>> with runtime
> I decided to go with b. since windows ntfs won't recognize a and I want to
> deploy. I'm using cygwin to make agar gui apps for cobol (at least that is
> the plan).

That's normally the best way, although it may also be okay to add ACEs with
permission grants to groups as normal, or equivalents via GPOs.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains too much technical detail.
Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
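
Added example (not part of the original message, and not Cygwin or Microsoft code): a check of whether the ACEs that icacls lists for one object follow the canonical order quoted above, so a tree can be inspected before a Windows tool is allowed to reorder it. It assumes icacls marks deny ACEs with "(DENY)" and inherited ACEs with "(I)"; the function and sample names are hypothetical, and the second sample is constructed.

```bash
# Assumption: icacls marks deny ACEs with "(DENY)" and inherited ACEs with "(I)".
acl_order_check() {            # stdin: `icacls <path>` output for one object
    awk '
    BEGIN {
        name[0] = "explicit deny";  name[1] = "explicit grant"
        name[2] = "inherited deny"; name[3] = "inherited grant"
        prev = 0
    }
    # An ACE line ends in TRUSTEE:(flag)(flag)...; the blank line and the
    # "Successfully processed" footer never match.
    match($0, /:(\([^()]*\))+[ \t\r]*$/) {
        flags = substr($0, RSTART + 1, RLENGTH - 1)
        deny = index(flags, "(DENY)") > 0
        inherited = index(flags, "(I)") > 0   # "(CI)" and "(IO)" do not match
        rank = (inherited ? 2 : 0) + (deny ? 0 : 1)
        n++
        if (rank < prev && !bad) {            # report the first violation only
            bad = 1
            printf "non-canonical: ACE %d (%s) follows %s\n", n, name[rank], name[prev]
        }
        if (rank > prev) prev = rank
    }
    END {
        if (!bad) printf "canonical: %d ACEs\n", n
        exit bad + 0
    }'
}

# Sample 1: the C:/Users/ listing from the message (explicit grants only).
sample_users() {
cat <<'EOF'
C:/Users/ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
          BUILTIN\Administrators:(OI)(CI)(F)
          BUILTIN\Users:(RX)
          BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
          Everyone:(RX)
          Everyone:(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
EOF
}

# Sample 2 (constructed): a deny ACE listed after an explicit grant.
sample_reordered() {
cat <<'EOF'
C:/cygwin64/home/user/f.txt HOST\user:(R,W,D,WDAC,WO)
                            HOST\Users:(DENY)(W)
                            Everyone:(R)
EOF
}

sample_users | acl_order_check
sample_reordered | acl_order_check || true
```

On a live system the input would be `icacls "$(cygpath -w PATH)" | acl_order_check`, one object per call, since the check treats everything on stdin as a single ACL.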