Mail Archives: cygwin/2015/02/11/15:33:23

Message-ID: <54DBBB52.8070002@redhat.com>
Date: Wed, 11 Feb 2015 13:28:02 -0700
From: Eric Blake <eblake AT redhat DOT com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: group permissions
References: <54D7EB4E DOT 6020105 AT towo DOT net> <20150209091445 DOT GA10457 AT calimero DOT vinschen DOT de> <54D91687 DOT 8090301 AT towo DOT net> <20150210092122 DOT GA15989 AT calimero DOT vinschen DOT de>
In-Reply-To: <20150210092122.GA15989@calimero.vinschen.de>
OpenPGP: url=http://people.redhat.com/eblake/eblake.gpg
X-IsSubscribed: yes


On 02/10/2015 02:21 AM, Corinna Vinschen wrote:
> o The other way to emulate writing an ACL_MASK entry would be to drop
>   permissions from all groups and secondary users so they match the
>   desired mask value.  This is secure, but in contrast to the other
>   solution it would change the secondary permissions permanently.
>   Changing the mask back would not change the permissions of the
>   secondary ACL entries back.

Possible enhancement on this idea (I have no clue if it would actually
work, though):

When rewriting ACE entries because of the just-added restrictive
ACL_MASK, put in some marker that mimics the default deny-all action,
then additional entries in the tail of the ACE list that show the
pre-modified permissions that we just took away due to the mask.  If we
later loosen the mask, we can use the tail of entries to restore
original permissions.  And since the tail occurs after a catch-all deny,
they won't grant permissions in the meantime.  The trick then becomes
telling when we have stuck our marker in place to represent that we have
injected tail entries to reflect the state to restore if ACL_MASK is
relaxed.

>
> I'm open to discuss this further.  It needs implementing, of course.

Always the case, and sadly, my lack of experience in this topic is
showing through.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
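
The marker-and-tail idea in the message above, worked through on a toy model. This is an added example, not part of the original message and not Cygwin code. It assumes ordered ACE evaluation where the first ACE to decide a requested bit wins; the rwx bits, the names `MARKER`, `access` and `set_mask`, and the sample principals are hypothetical.

```python
# Toy model, constructed for illustration: rights are rwx bits and an ACE is
# (kind, who, bits). EVERYONE matches any principal. Not the Windows or Cygwin API.
R, W, X = 4, 2, 1
EVERYONE = "*"
# Hypothetical marker: a catch-all deny. A real ACL could contain such an ACE
# for other reasons, which is the detection problem the message points out.
MARKER = ("deny", EVERYONE, R | W | X)

def access(acl, principals, want):
    """Ordered evaluation: the first ACE that decides a requested bit wins."""
    granted = 0
    for kind, who, bits in acl:
        if who != EVERYONE and who not in principals:
            continue
        if kind == "deny":
            if bits & want & ~granted:
                return False          # a still-ungranted bit is denied
        else:
            granted |= bits
        if want & ~granted == 0:
            return True
    return False                      # nothing granted the remaining bits

def set_mask(acl, mask, owner):
    """Clip secondary allow ACEs to `mask`; keep the originals after MARKER."""
    if MARKER in acl:                 # already masked: originals are the tail
        cut = acl.index(MARKER)
        head, saved = acl[:cut], acl[cut + 1:]
    else:
        head, saved = acl, [a for a in acl if a[1] != owner]
    keep = [a for a in head if a[1] == owner]      # owner is not masked
    clipped = [(k, w, b & mask) for k, w, b in saved]
    if clipped == saved:              # mask removes nothing: drop marker and tail
        return keep + saved
    return keep + clipped + [MARKER] + saved

# Constructed sample: owner alice, group staff, secondary user bob.
ACL = [("allow", "alice", R | W | X), ("allow", "staff", R | W), ("allow", "bob", R | W | X)]

if __name__ == "__main__":
    masked = set_mask(ACL, R, "alice")
    print(masked)
    print(access(masked, {"bob"}, W))                    # False: tail is inert
    print(set_mask(masked, R | W | X, "alice") == ACL)   # True: restored
```

The model covers allow entries only and treats any catch-all deny as the marker, so it does not settle how a real implementation would tell its own marker apart from one already present in the ACL.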


