Mail Archives: cygwin/2008/03/01/16:02:47

Message-Id: <200803012102.m21L276p016693@tigris.pounder.sol.net>
To: cygwin AT cygwin DOT com
From: cygzw AT trodman DOT com (Tom Rodman)
Reply-to: cygwin AT cygwin DOT com
Subject: full control for non owner and resulting 'cp' created file perms
Date: Sat, 01 Mar 2008 15:02:07 -0600

The file "zam" below has slightly unusual Windows permissions -
it does not inherit from its parent dir, the owner of the
file has no ACEs, another user "staffuser1" has full control.

  run:

    cp zam zam-cp

  then:

    "staffuser1" can 'cat' zam-cp, but 'cmd /c type zam-cp' fails, is that
    a bug?

    If you look at the rights on zam-cp (search ahead for "dacl zam-cp")
    I do not see how cygwin 'cat' is able to read 'zam-cp' at all,
    which "allow permission" accounts for this?

--
*thanks*,
Tom

# -------------------------------------------------------------------- 
# two examples of puzzling 'cp' behavior, a fairly new cygwin, 
# and an old one  (resulting copy unreadable by 'cmd /c type')
# (shell sessions below both done logged in as "staffuser1")
# -------------------------------------------------------------------- 

  //OurHost_onw/d_drive/aut/cyg/tmp $ uname -a
  CYGWIN_NT-5.1 OurWorkStn00 1.5.24(0.156/4/2) 2007-01-31 10:57 i686 Cygwin
  //OurHost_onw/d_drive/aut/cyg/tmp $ dacl zam
  + setacl -on '\\OurHost_onw\d_drive\aut\cyg\tmp\zam' -ot file -actn list -lst 'f:tab;w:o,g,d,s;i:y;s:n'
  \\?\UNC\OurHost_onw\d_drive\aut\cyg\tmp\zam

     Owner: BUILTIN\Administrators

     Group: DOMxx1\Domain Users

     DACL(not_protected):
     DOMxx1\staffuser1   full   allow   no_inheritance
     NT AUTHORITY\SYSTEM   full   allow   no_inheritance


  SetACL finished successfully.
  + set +x
  //OurHost_onw/d_drive/aut/cyg/tmp $ cp zam zam-cp
  //OurHost_onw/d_drive/aut/cyg/tmp $ md5sum zam zam-cp
  69d61ec73a9426dba64bf17888794b6e *zam
  69d61ec73a9426dba64bf17888794b6e *zam-cp
  //OurHost_onw/d_drive/aut/cyg/tmp $ head -2 zam-cp
  1
  2
  //OurHost_onw/d_drive/aut/cyg/tmp $ cmd /c type zam-cp
  Access is denied.
  //OurHost_onw/d_drive/aut/cyg/tmp $ dacl zam-cp
  + setacl -on '\\OurHost_onw\d_drive\aut\cyg\tmp\zam-cp' -ot file -actn list -lst 'f:tab;w:o,g,d,s;i:y;s:n'
  \\?\UNC\OurHost_onw\d_drive\aut\cyg\tmp\zam-cp

     Owner: BUILTIN\Administrators

     Group: DOMxx1\Domain Users

     DACL(protected):
     BUILTIN\Administrators   FILE_WRITE_EA+FILE_WRITE_ATTRIBUTES+READ_CONTROL+WRITE_OWNER+WRITE_DAC+DELETE   allow   no_inheritance
     DOMxx1\Domain Users   FILE_READ_EA+FILE_READ_ATTRIBUTES+READ_CONTROL   allow   no_inheritance
     Everyone   FILE_READ_EA+FILE_READ_ATTRIBUTES+READ_CONTROL   allow   no_inheritance


  SetACL finished successfully.
  + set +x
  //OurHost_onw/d_drive/aut/cyg/tmp $ 

  --SNIP/switch to another host, same instance of file, older cygwin:

  /tmp $ dacl zam
  + setacl -on 'd:\aut\cyg\tmp\zam' -ot file -actn list -lst 'f:tab;w:o,g,d,s;i:y;s:n'
  \\?\d:\aut\cyg\tmp\zam

     Owner: BUILTIN\Administrators

     Group: DOMxx1\Domain Users

     DACL(not_protected):
     DOMxx1\staffuser1   full   allow   no_inheritance
     NT AUTHORITY\SYSTEM   full   allow   no_inheritance


  SetACL finished successfully.
  + set +x
  /tmp $ head zam
  1
  2
  3
  4
  5
  6
  7
  8
  9
  10
  /tmp $ ls -l zam
  ----------+ 1 Administrators Domain Users 51 Mar  1 13:48 zam
  /tmp $ cp zam zam-cp
  /tmp $ cat zam-cp
  cat: zam-cp: Permission denied
  /tmp $ cmd /c type zam-cp
  Access is denied.
  /tmp $ dacl zam-cp
  + setacl -on 'd:\aut\cyg\tmp\zam-cp' -ot file -actn list -lst 'f:tab;w:o,g,d,s;i:y;s:n'
  \\?\d:\aut\cyg\tmp\zam-cp

     Owner: BUILTIN\Administrators

     Group: DOMxx1\Domain Users

     DACL(protected):
     BUILTIN\Administrators   FILE_WRITE_EA+FILE_WRITE_ATTRIBUTES+READ_CONTROL+WRITE_OWNER+WRITE_DAC+DELETE   allow   no_inheritance
     DOMxx1\Domain Users   FILE_READ_EA+FILE_READ_ATTRIBUTES+READ_CONTROL   allow   no_inheritance
     Everyone   FILE_READ_EA+FILE_READ_ATTRIBUTES+READ_CONTROL   allow   no_inheritance


  SetACL finished successfully.
  + set +x
  /tmp $ chmod +r zam-cp
  /tmp $ head zam-cp
  1
  2
  3
  4
  5
  6
  7
  8
  9
  10
  /tmp $ md5sum zam zam-cp
  69d61ec73a9426dba64bf17888794b6e *zam
  69d61ec73a9426dba64bf17888794b6e *zam-cp
  /tmp $ uname -a
  CYGWIN_NT-5.2 OurHost_onw 1.5.20s(0.155/4/2) 20060403 13:33:45 i686 Cygwin
  /tmp $ --

# -------------------------------------------------------------------- 
# how to create test case perms on file "zam"
# -------------------------------------------------------------------- 

  ME=$(id -un)

  seq 20 > zam
  chgrp "domain users" zam;echo y|cacls zam /g $ME:f system:f
  setacl -on "$(cygpath -aw zam)" -ot file -actn setowner -ownr "n:administrators"

  # setacl available here:
  #   http://sourceforge.net/project/showfiles.php?group_id=69165
