Mail Archives: cygwin/2015/02/10/07:33:42

Date: Tue, 10 Feb 2015 13:32:31 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: group permissions
Message-ID: <20150210123231.GC2866@calimero.vinschen.de>


On Feb 10 11:48, Achim Gratz wrote:
> Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > Here's the problem:  Windows doesn't support an ACL_MASK entry, nor
> > anything even remotely resembling it.
>
> Right.  And pretending that it does is doing more harm than good, IMHO.
>
> > o The other way to emulate writing an ACL_MASK entry would be to drop
> >   permissions from all groups and secondary users so they match the
> >   desired mask value.  This is secure, but in contrast to the other
> >   solution it would change the secondary permissions permanently.
> >   Changing the mask back would not change the permissions of the
> >   secondary ACL entries back.
>
> Please note that the typical user in a corporate environment has no
> rights to do this on network shares and even if (s)he did, it would quite
> often break things for other users and is certain to draw the ire of the
> share administrators just as if you'd do the same thing via Windows' own
> tools.  So please do not do this by default, there are just too many scripts
> that blindly use some chmod somewhere.
>
> > o Cygwin could emulate the mask by adding an Access-denied ACE for the
> >   authenticated user SID (S-1-5-11) right after the primary group entry.
> >   The permissions in this ACE are the x'or value of the permissions
> >   given in the mask.  Such an ACL would basically look like this:
>
> Same issue as above, except it would be more easily reversible.

The permissions to change the ACL are not overly relevant here.  The
reason is, if the user has no permissions to write the DACL, it won't be
able to chmod anyway.  So, whatever we do to implement ACL_MASK, it's ok
even in a corp env, because the user apparently has the right to change
the DACL and thus it doesn't matter.

> If anybody feels really strongly about these issues, they can always mount
> "noacl".  We'll just have to live with how Windows implements ACL otherwise.

True.  Noacl mounts are the way to go in case of what you describe,
having no perms to write the DACL, even if the files are owned by
the user.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
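
The two ACL_MASK emulations discussed in this thread, as a simplified Python model added here (it is not Cygwin's code and not part of the original message). Rights are reduced to rwx bits, every SID except S-1-5-11 is a constructed placeholder, and the DACL is walked in order as Windows does; the round trip shows why clamping is permanent while the deny ACE is reversible.

```python
# Simplified model, added for illustration: rights are rwx bits, SIDs are strings.
AUTH_USERS = "S-1-5-11"                 # Authenticated Users, as named in the message
OWNER, GROUP = "S-OWNER", "S-GROUP"     # constructed placeholder SIDs
ALICE, DEVS = "S-ALICE", "S-DEVS"       # constructed secondary user and group

# Constructed DACL in order: owner rwx, primary group r-x, alice rwx, devs rw-
DACL = [("allow", OWNER, 0o7), ("allow", GROUP, 0o5),
        ("allow", ALICE, 0o7), ("allow", DEVS, 0o6)]

def effective(dacl, token_sids):
    """Walk ACEs in order; the first ACE that decides a bit wins."""
    granted = denied = 0
    for kind, sid, bits in dacl:
        if sid not in token_sids:
            continue
        if kind == "allow":
            granted |= bits & ~denied
        else:
            denied |= bits & ~granted
    return granted

def mask_by_clamping(dacl, mask):
    """Strip bits outside the mask from every non-owner allow ACE."""
    return [(k, s, b if s == OWNER else b & mask) for k, s, b in dacl]

def mask_by_deny_ace(dacl, mask):
    """Replace the deny ACE for S-1-5-11 placed right after the primary group."""
    out = [ace for ace in dacl if ace[:2] != ("deny", AUTH_USERS)]
    pos = next(i for i, ace in enumerate(out) if ace[1] == GROUP) + 1
    out.insert(pos, ("deny", AUTH_USERS, mask ^ 0o7))
    return out

def round_trip(set_mask, sid):
    """Rights for sid after narrowing the mask to r-x, then widening it to rwx."""
    token = {sid, AUTH_USERS}
    narrowed = set_mask(DACL, 0o5)
    restored = set_mask(narrowed, 0o7)
    return effective(narrowed, token), effective(restored, token)

if __name__ == "__main__":
    for name, fn in (("clamp", mask_by_clamping), ("deny ACE", mask_by_deny_ace)):
        for sid in (OWNER, ALICE, DEVS):
            print(name, sid, [oct(r) for r in round_trip(fn, sid)])
```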

