Mail Archives: cygwin/2004/08/11/04:21:46
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Larry Hall wrote:
> Fish wrote:
<snip>
> > Could some kind soul out there help me to understand why
> > *SOME* type of "public" permissions set is [apparently]
> > required by Cygwin? (*nix?)
> >
> > Thanks.
>
>
> I thought Pierre did a rather good (good? I mean excellent!
> ;-) ) job of explaining the issue with his last email to you
> on this subject:
>
> <http://cygwin.com/ml/cygwin/2004-08/msg00280.html>
Hmmm... I seemed to have missed that post. Thanks!
(And Thank YOU Pierre! Sorry I missed your reply. Must have been the
change in the subject line and me not watching things closely enough.
My apologies.)
> The key part is that 'setup.exe' is not a Cygwin program
> (it can't be) so it's largely bound by Windows security
> semantics. These don't map well into the Cygwin emulation
> of POSIX permissions. So, if neither you, nor standard groups,
> nor "Everyone" owns the file, there will be a mismatch
> of the permissions on the files and directories in the
> Windows view (ACLs) and the POSIX view (owner, group, world).
I guess that make sense.
> As Pierre pointed out, POSIX tools like 'cp' only operate on
> POSIX permissions. If those are '---------', then you get no
> permissions on that copied file.
Yep. That's what was happening. I manually tried to 'cp' the files
just like the postinstall scripts were doing and sure enough I got a
file with no permissions. :)
> So one solution is to do what you did. Make sure that
> 'Everyone' owns the files in the Windows ACL.
Well, not "owns", but I get the drift. :)
> You do that by creating the directory you want to install
> Cygwin to and setting the permissions, via Windows, before
> Cygwin installation, making sure to set the permissions so
> they are inherited.
Ah. Then if I understand things correctly, I could probably remove
the "Everyone" group from everywhere (i.e. from all partitions (root
[drive] folders), just like I had it before) and just have on the
*Cygwin* directory *only*, right? Makes sense. Don't know why I
didn't think of it before. (Hind sight is always 20-20, eh?)
> For the case of 'Everyone', that maps to the 'world'.
Figured that. :)
> Another alternative is to create a CYGWIN environment
> variable with 'nontsec' set before installation. That will
> make Cygwin use Windows ACLs, following those rules
> exclusively.
THAT sounds more like what I think I might want. I don't think I
really need to have my Cygwin environment mimic the POSIX permissions
so closely IMO. (At least I don't think so anyway) The way Windoze is
doing/handling it is just fine, so 'nontsec' *sounds* like something
I should definitely investigate. Thanks.
> If you're still having trouble understanding what's going on here,
> I suggest you read the NT security chapter of the User's Guide:
>
> <http://cygwin.com/cygwin-ug-net/ntsec.html>
Cool. Thanks. I'll read through that when I get a chance. (It's late
right now though so I'll save it for tomorrow)
> If you read it already, read it again.
:)
> I'm serious.
I'm sure you are. The GUI presentation of Windows' permissions is,
more or less, relatively straightforward (or at least straightforward
enough that I *think* I can pretty much understand what permissions I
should probably set/use anyway), but how it actually *works* (i.e.
what goes on behind the scenes) tends to give me a headache whenever
I read about it. (Windows permissions is one area where I'm still not
"up to speed" on yet)
> This is complicated stuff giving the partial mapping of ACLs to
> POSIX permissions.
No sh*t! :)
> It takes some real thought to understand it all and it's
> limitations. Reading this more than once can make things click
> where they didn't before. When you get so you understand it, feel
> free to offer patches to make Cygwin and 'setup.exe' better in this
> area. You can save the next person who has tight permissions some
> trouble. :-)
Will do. :)
(But don't hold your breath waiting)
;-)
Thanks you guys.
(And again sorry for missing your reply Pierre)
- --
"Fish" (David B. Trout)
fish AT infidels DOT org
Fight Spam! Join CAUCE!
http://www.cauce.org/
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
iQA/AwUBQRnXAEj11/TE7j4qEQK73gCeMYZHoIFKRIWSIlCHmDJu3lEIrDIAoLb5
cKJ/J6RBmm5LOlTDsrMd8x9a
=Pt6H
-----END PGP SIGNATURE-----
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
- Raw text -