| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DomainKey-Signature: | a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:from:to:subject:references:date:in-reply-to | |
| :message-id:mime-version:content-type:content-transfer-encoding; | |
| q=dns; s=default; b=q9/ieC4NgEiH59mfJaRpqRVyTFdKpyy3IJG2Af84bXC | |
| 9OOznu2z+rhgPeGnygiguzH/mjjMEDDjC36MgRCjiz9vIWREZU3AbCxY0m50DBwo | |
| YMHFgzpbizol2Upb6zyAEfqtpV2taHNFo/g8mPxOxTLjkIEI8yU1BpLjpF91V7fA | |
| = | |
| DKIM-Signature: | v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:from:to:subject:references:date:in-reply-to | |
| :message-id:mime-version:content-type:content-transfer-encoding; | |
| s=default; bh=x2twO9G0jb4xUELMOEjVJAre4Ho=; b=qmAxlMQCFOrr40mGf | |
| zJxsHIjJ7lNJTbSAjDAq5t8Qoz1Na9zIW2BKFy/5xRD37bIWnZHzssgU954p/GV9 | |
| RPY+3R/rx1QDEiADvqSJOJDEki2eGnZxJKQJxTgzjV6/fmZ4BPX9/m2wIh4Wh60e | |
| GPsXxe0Bwz6bTXRPoHT7ZHZs+s= | |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Authentication-Results: | sourceware.org; auth=none |
| X-Virus-Found: | No |
| X-Spam-SWARE-Status: | No, score=-1.5 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 |
| X-HELO: | mail-in-06.arcor-online.net |
| X-DKIM: | Sendmail DKIM Filter v2.8.2 mail-in-04.arcor-online.net 3khc7J4jtHz5FGJ |
| From: | Achim Gratz <Stromeko AT nexgo DOT de> |
| To: | cygwin AT cygwin DOT com |
| Subject: | Re: group permissions |
| References: | <54D7EB4E DOT 6020105 AT towo DOT net> <20150209091445 DOT GA10457 AT calimero DOT vinschen DOT de> <54D91687 DOT 8090301 AT towo DOT net> <20150210092122 DOT GA15989 AT calimero DOT vinschen DOT de> <54DA5633 DOT 7090900 AT towo DOT net> |
| Date: | Tue, 10 Feb 2015 22:05:00 +0100 |
| In-Reply-To: | <54DA5633.7090900@towo.net> (Thomas Wolff's message of "Tue, 10 Feb 2015 20:04:19 +0100") |
| Message-ID: | <87sied7a0z.fsf@Rainer.invalid> |
| User-Agent: | Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux) |
| MIME-Version: | 1.0 |
| X-MIME-Autoconverted: | from quoted-printable to 8bit by delorie.com id t1AL7Pbh014669 |
Thomas Wolff writes: > My preference at this time would be option 2 because it’s easier to > understand than option 3 (and who cares to preserve entries not set by > cygwin but imposed by Windows default ACLs) but maybe option 3 would > be more “correct”. Again, if you want POSIX-only directory trees, remove all inheritable ACL from the top of the tree before populating it: $ cd tree $ setfacl -k . $ setfacl -b . That works without any changes to Cygwins behaviour and (at least if you do the equivalent of those operations with icacls for instance) independently of whether or not you're using the latest Cygwin. Removing the inherited ACL from an existing tree might salvage it as long as all files have been created by Cygwin and no non-inherited ACL have been set deeper down, but you better check the state of things first. Something along the lines of $ find . -print0 | xargs -0 getfacl > /tmp/perms $ edit /tmp/perms $ setfacl -f /tmp/perms ... might be the safest route to accomplish this task, although for some things icacls has some good options (like removing some or all ACL associated with a specific SID recursively). Unfortunately setfacl cannot read the output of getfacl directly as a script, otherwise this would be a doddle, but scripting a bit of a parser around it is quite possible (I haven't needed to do it yet, otherwise I would post it). > Another (or additional) option could be to (optionally?) ignore > Windows directory defaults when creating a new file (and distinguish > them from other default entries that may have been added > explicitly...). That's not how Windows works its file systems and if you rub it the wrong way you can easily make a tree unwriteable, unreadable or both. That's actually one reason we aren't allowed to modify ACL on most our network shares anymore, the IT support staff just got fed up recovering botched ACL all day. Also, there aren't any "Windows directory defaults" that you could distinguish from "other default entries", so that is getting nowhere. > As a combined approach (with your option 2), chmod could modify only > those hidden entries that typically come from Windows defaults (or > those that are parent directory defaults at the time of the chmod), > so chmod would “work again” at least for those users that don’t touch > ACLs themselves. Chmod shouldn't modify any ACL entries, "hidden" or not. It doesn't do that on Linux either, save for the mask bits which likely have been added just for the purpose of keeping the illusion of permission bits intact and that are explicitly for chmod to modify. Since Windows doesn't have mask bits, that functionality simply isn't there. > Most of this doesn’t resolve the issues with applications that choke > on more permissive group permissions than expected (which seems to be > the issues in other threads). The only common case I know of is ssh, and it's a good thing that it complains about other folks being able to read your key files. It's an easy fix as well. > To mitigate this, I would suggest to ignore the (Windows) system > entries (group:SYSTEM, group:Authenticated Users, group:root ?) for > the composition of the visible group flags. If you want to ignore existing ACL then mount the tree "noacl". Partial ignorance is still ignorance and Cygwin shouldn't lie to the user unless it is explicitly asked to do so. I've been running with the AD/ACL enabled snapshots for quite some time now and there hasn't been anything unfixable so far. I still keep some shares mounted with "noacl" since I just can't be bothered to properly deal with them, but so far I haven't run into a real showstopper. Yes it's different than before, but in many ways better. Get used to it some time before you ask for hacks. Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ Waldorf MIDI Implementation & additional documentation: http://Synth.Stromeko.net/Downloads.html#WaldorfDocs -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright 2019 by DJ Delorie | Updated Jul 2019 |