To: cygwin@cygwin.com
From: Kurt Franke
Subject: Re: Security Settings for directories created in Cygwin (+ executable bit on files)
Date: Tue, 12 Aug 2014 10:51:00 -0000
References: <86wqajxtm9.fsf@somewhere.org>

Sebastien Vauban writes:

> Currently, whenever I create new files from Windows 8 executables (such
> as Notepad), they're often flagged as "executable", even for text files!
>
> I've noticed that such a behavior happens when I create a new file in
> a directory that has been made FROM CYGWIN (`mkdir ~/test/', for
> example).
>
> Indeed, the permissions of CYGWIN-CREATED DIRECTORIES seem very weird:
>
> - "Inherited from"... "None"!
>
> - "All Users" having "Read & Execute" permission on "this folder,
>   subfolders and FILES"...
>
> IIUC, when creating a new file from Cygwin, the `umask' (022, in my
> case) is respected and new files are not executables then, except if
> I require it explicitly (via `chmod').
>
> Though, when creating a new file from a Windows executable, Windows
> inherits permissions from the folder where my file gets created --
> hence, an executable permission if the directory was created from
> Cygwin...
>
> How to correct that?
>
> Asking Cygwin to stop playing with the Windows ACL, by mounting my
> personal directories as "noacl"? Well, that means I won't be able to
> use `chmod' anymore, for setting a script file as "executable", then.
> And I'll have to use a Windows tool to do so, such as `cacls'.

...

Hello,

there is a possibility to get better permission settings on files
created by a Windows program inside a directory created by Cygwin.
You must create special ACEs on this directory like in the following
example with German names used in one of my scripts:

    # ERSTELLER-BESITZER = CREATOR OWNER, ERSTELLERGRUPPE = CREATOR GROUP,
    # Jeder = Everyone (German Windows account names).
    # (OI)(IO): inherited by files only; (CI)(IO): inherited by subdirectories only.
    icacls "$dir" /remove ERSTELLER-BESITZER
    icacls "$dir" /grant 'ERSTELLER-BESITZER:(OI)(IO)(R,W,D,WDAC,WO)'
    icacls "$dir" /grant 'ERSTELLER-BESITZER:(CI)(IO)(F)'
    icacls "$dir" /remove ERSTELLERGRUPPE
    icacls "$dir" /grant 'ERSTELLERGRUPPE:(OI)(IO)(R,W)'
    icacls "$dir" /grant 'ERSTELLERGRUPPE:(CI)(IO)(RX,W,DC)'
    icacls "$dir" /remove Jeder
    icacls "$dir" /grant 'Jeder:(RX)'
    icacls "$dir" /grant 'Jeder:(OI)(IO)(R)'
    icacls "$dir" /grant 'Jeder:(CI)(IO)(RX)'

It creates different default ACEs for files and directories and these
will be inherited correctly when using non-Cygwin Windows programs.
For directories the execute permission is inherited but for files it is
not inherited. In Cygwin programs the umask is used and executable flags
are not requested for files which are not executables where the compiler
will do this.

All works correctly in both Windows-only programs and Cygwin programs
unless creating a subdirectory by Cygwin - this will not inherit those
special default ACEs to apply only to directories or only to files and
thus this behaviour is lost in a subdirectory created via Cygwin.
On the other hand, in Cygwin directory creation simple default ACEs
which are to be applied on all directories and files are inherited to
subdirectories.

Thus personally I use those special ACEs on directories only in the
SVN (Windows program) tree created by checkout to avoid execute
permissions on files. When creating a new directory there, which is
generally done via Cygwin, I add the listed ACEs via script.

To have those default ACEs of general use for integration of Cygwin and
Windows without always executing a script after creating a new directory
in Cygwin it would be necessary to inherit those non-simple default ACEs
in Cygwin directory creation also, not only the simple ones.
A drawback for this may be the fact the getfacl/setfacl utilities do not
understand those ACEs and thus don't show / don't set it.

regards

kf
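Added example, not part of Kurt Franke's mail or of Cygwin: a shell check for the effect discussed in this thread, reading `icacls` output and listing the ACEs that files inherit together with an execute right. Both sample ACLs are constructed; the English account names and the `test` directory name are assumptions, and the second sample reuses the ACEs from the mail.

```shell
# Report the ACEs in icacls output that pass execute rights on to files
# created inside a directory (added example, not from the original mail).

# ace_gives_files_exec LINE: true for an allow ACE that files inherit,
# "(OI)", whose rights (the last parenthesised group) include execute.
ace_gives_files_exec() {
    case $1 in
        *"(DENY)"*) return 1 ;;   # deny entries grant nothing
        *"(OI)"*) ;;              # object inherit: reaches new files
        *) return 1 ;;            # directory-only or not inheritable
    esac
    rights=${1##*\(}              # text after the last "("
    rights=${rights%%\)*}         # cut at the closing ")"
    old_ifs=$IFS; IFS=,; set -f   # split the rights list on commas
    for right in $rights; do
        case $right in F|M|RX|X|GE|GA) IFS=$old_ifs; set +f; return 0 ;; esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# scan_icacls: reads `icacls DIR` output on stdin, prints each offending
# line without its indentation; returns 0 if any was found, 1 otherwise.
scan_icacls() {
    found=1
    while IFS= read -r line || [ -n "$line" ]; do
        if ace_gives_files_exec "$line"; then
            printf '%s\n' "${line#"${line%%[! ]*}"}"
            found=0
        fi
    done
    return $found
}

# Constructed sample: simple default ACEs that apply to files and
# subdirectories alike (English account names assumed).
SIMPLE_ACES='test CREATOR OWNER:(OI)(CI)(IO)(F)
     CREATOR GROUP:(OI)(CI)(IO)(RX)
     Everyone:(OI)(CI)(IO)(RX)
     Everyone:(RX)'
# Constructed listing of the file-only and directory-only ACEs from the mail.
SPLIT_ACES='test Jeder:(RX)
     ERSTELLER-BESITZER:(OI)(IO)(R,W,D,WDAC,WO)
     ERSTELLER-BESITZER:(CI)(IO)(F)
     ERSTELLERGRUPPE:(OI)(IO)(R,W)
     ERSTELLERGRUPPE:(CI)(IO)(RX,W,DC)
     Jeder:(OI)(IO)(R)
     Jeder:(CI)(IO)(RX)'
printf '%s\n' "$SIMPLE_ACES" | scan_icacls
printf '%s\n' "$SPLIT_ACES" | scan_icacls || echo 'split ACEs: no execute right reaches files'
```

On a live system the same check is `icacls "$dir" | scan_icacls`, run over each directory of a tree to find the ones created without the file-only and directory-only ACEs.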