Mail Archives: cygwin/2015/02/16/08:22:01

X-Recipient: archive-cygwin AT delorie DOT com
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-0.1 required=5.0 tests=AWL,BAYES_40,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.2
X-HELO: lb2-smtp-cloud2.xs4all.net
Message-ID: <8c468e18fb38e4fd8e5a5eb5a80470d5.squirrel@webmail.xs4all.nl>
Date: Mon, 16 Feb 2015 14:21:37 +0100
Subject: setfacl: root of all evil?
From: "Houder" <houder AT xs4all DOT nl>
To: cygwin AT cygwin DOT com
User-Agent: SquirrelMail/1.4.18
MIME-Version: 1.0
X-IsSubscribed: yes

------=_20150216142137_53901
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

Hi Corinna,

Yes, sorry, setfacl again ...

Now, I am NOT an expert on Windows (I do not want to be), and I realize that I am in the company
of experts on Windows (on Windows ACL) here, so it is inevitable that I will be out of my league
below, and speak "erroneously" about Windows ACL.

Nevertheless, the reason for my post is that setfacl FAILS, where chmod SUCCEEDS ...

Over the years (XP) my "Posix" trees (Cygwin) looked like this:

@@ uname -a
CYGWIN_NT-6.1-WOW Seven 1.7.35(0.286/5/3) 2015-02-12 20:59 i686 Cygwin

@@ mkdir T
@@ icacls T                        @@ getfacl T        @@ ls -ld T
T Seven\Henri:(F)                  # file: T           drwxr-xr-x+ 1 Henri None 0 ... T
  Seven\None:(RX)                  # owner: Henri
  Everyone:(RX)                    # group: None
  CREATOR OWNER:(OI)(CI)(IO)(F)    user::rwx
  CREATOR GROUP:(OI)(CI)(IO)(RX)   group::r-x
  Everyone:(OI)(CI)(IO)(RX)        other:r-x
                                   default:user::rwx
                                   default:group::r-x
                                   default:other:r-x

@@ touch T/aap
@@ icacls T/aap                    @@ getfacl T/aap    @@ ls -l T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)  # file: T/aap       -rw-r--r-- 1 Henri None 0 ... T/aap
      Seven\None:(R)               # owner: Henri
      Everyone:(R)                 # group: None
                                   user::rw-
                                   group::r--
                                   other:r--

@@ chmod 755 T/aap
@@ icacls T/aap                    @@ getfacl T/aap    @@ ls -l T/aap
T/aap Seven\Henri:(M,WDAC,WO)      # file: T/aap       -rwxr-xr-x 1 Henri None 0 ... T/aap
      Seven\None:(RX)              # owner: Henri
      Everyone:(RX)                # group: None
                                   user::rwx
                                   group::r-x
                                   other:r-x

This "standard" has served me well ... I did not have to fight with mkdir, chmod, etc ... And the
occasional Windows generated file did not fall "out of tune" too much.

Moreover, after extraction of a .zip file in one of my "Posix" directories, it was fairly easy to
reset the permissions of the extracted files (and directories), using setfacl.

Currently, using this procedure, setfacl fails ...

My investigation into the cause of this failure, eventually led me to simple test cases in which
setfacl fails, but where chmod succeeds.

(more details, if needed, in attached files)

Basically, setfacl removes "write attributes" from the file owner (where chmod does not).

(also: setfacl makes the creator owner lose rights -- in comparison to chmod)

RFC :-)

Henri

----- setfacl/file
@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ touch T/aap
@@ setfacl -s u::r--,g::r--,o:r-- T/aap
@@ setfacl -s u::rw-,g::r--,o:r-- T/aap
setfacl: Permission denied
@@ chmod 644 T/aap
chmod: changing permissions of ‘T/aap’: Permission denied
@@ touch T/aap
touch: cannot touch ‘T/aap’: Permission denied
@@ rm T/aap
/bin/rm: remove write-protected regular empty file ‘T/aap’? y
@@ ls -l T/aap
ls: cannot access T/aap: No such file or directory
@@

----- chmod/file
@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ touch T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
@@ chmod u-w T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,D,WDAC,WO,WA) # <==== Note: lost W, but got WA instead ... (setfacl fails here)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
@@ chmod u+w T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
@@ touch aap
@@

----- setfacl/directory
@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@ setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
setfacl: Permission denied
@@ chmod 755 T
chmod: changing permissions of ‘T’: Permission denied
@@ rmdir T
@@ ls -ld T
ls: cannot access T: No such file or directory

----- chmod/directory
@@ pwd
/drv/e
@@ mkdir T
@@ chmod u-w T
@@ icacls T
T Seven\Henri:(RX,D,WDAC,WO,WA) # <==== Note: lost W, but got WA instead ... (setfacl fails here)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@ chmod u+w T
@@ icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@

=====
------=_20150216142137_53901
Content-Type: text/plain; name="run-setfacl-sucks-file.txt"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="run-setfacl-sucks-file.txt"

setfacl sucks ...

List of commands:
 - mkdir T
 - touch T/aap
 - setfacl -s u::r--,g::r--,o:r-- T/aap	## inadvertently removes "write attributes" from the file owner
 - setfacl -s u::rw-,g::r--,o:r-- T/aap	# denied
 - chmod 644 T/aap                      # denied ... Euh? Why, why, why ?????
 - touch T/aap                          # denied
 - rm T/aap
 - ls -l T/aap

Summary: setfacl fails to reinstate 'write access' to file (in contrast to chmod)

Diagnostics: -- request for comments (RFC)
 - setfacl should NOT remove "write attributes" from the FILE OWNER (chmod does not)
    - chmod u-w <file> ONLY
      - removes create file/write data
      - removes create folders/append data
      - removes write extended attributes from the FILE OWNER

Also applies to setfacl -b

@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ touch T/aap
@@ setfacl -s u::r--,g::r--,o:r-- T/aap
@@ setfacl -s u::rw-,g::r--,o:r-- T/aap
setfacl: Permission denied
@@ chmod 644 T/aap
chmod: changing permissions of ‘T/aap’: Permission denied
@@ touch T/aap
touch: cannot touch ‘T/aap’: Permission denied
@@ rm T/aap
/bin/rm: remove write-protected regular empty file ‘T/aap’? y
@@ ls -l T/aap
ls: cannot access T/aap: No such file or directory
@@

-----
@@# pwd # bash ELEVATED
/drv/e
@@# mkdir T
@@# touch T/aap
@@# setfacl -s u::r--,g::r--,o:r-- T/aap
@@# icacls T/aap
T/aap Seven\Henri:(R,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
@@# setfacl -s u::rw-,g::r--,o:r-- T/aap
@@# icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
@@#

----- same sequence of commands, using icacls to diagnose
@@ pwd
/drv/e
@@ icacls .
. Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  Everyone:(OI)(CI)(IO)(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@ mkdir T
@@ icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@ touch T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
@@ setfacl -s u::r--,g::r--,o:r-- T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,D,WDAC,WO) # <==== Note: lost W, but failed to get WA instead (chmod does!)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
@@ setfacl -s u::rw-,g::r--,o:r-- T/aap
setfacl: Permission denied
@@ chmod 644 T/aap
chmod: changing permissions of ‘T/aap’: Permission denied
@@ touch T/aap
touch: cannot touch ‘T/aap’: Permission denied
@@ icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@ rm T/aap
/bin/rm: remove write-protected regular empty file ‘T/aap’? y
@@ ls -l T/aap
ls: cannot access T/aap: No such file or directory
@@

----- same sequence of commands, but now using Helge Klein's SetACL to diagnose
 - https://helgeklein.com/setacl

@@ pwd
/drv/e
@@ hk-getfacl.sh .
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://.

   DACL(protected):
   Seven\Henri   full   allow   no_inheritance
   Seven\None   read_execute   allow   no_inheritance
   Everyone   read_execute   allow   no_inheritance
   Everyone   read_execute   allow   container_inherit+object_inherit+inherit_only
   CREATOR OWNER   full   allow   container_inherit+object_inherit+inherit_only
   CREATOR GROUP   read_execute   allow   container_inherit+object_inherit+inherit_only


SetACL finished successfully.
@@ mkdir T
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T

   DACL(protected):
   Seven\Henri   full   allow   no_inheritance
   Seven\None   read_execute   allow   no_inheritance
   Everyone   read_execute   allow   no_inheritance
   CREATOR OWNER   full   allow   container_inherit+object_inherit+inherit_only
   CREATOR GROUP   read_execute   allow   container_inherit+object_inherit+inherit_only
   Everyone   read_execute   allow   container_inherit+object_inherit+inherit_only


SetACL finished successfully.
@@ touch T/aap
@@ hk-getfacl.sh T/aap
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T/aap

   DACL(protected):
   Seven\Henri   write+read+WRITE_OWNER+WRITE_DAC+DELETE   allow   no_inheritance
   Seven\None   read   allow   no_inheritance
   Everyone   read   allow   no_inheritance


SetACL finished successfully.
@@ setfacl -s u::r--,g::r--,o:r-- T/aap
@@ hk-getfacl.sh T/aap
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T/aap

   DACL(protected):
   Seven\Henri   read+WRITE_OWNER+WRITE_DAC+DELETE   allow   no_inheritance
   Seven\None   read   allow   no_inheritance
   Everyone   read   allow   no_inheritance
Note: Seven\Henri: lost write, but failed to get FILE_WRITE_ATTRIBUTES instead (chmod does!)

SetACL finished successfully.
@@ setfacl -s u::rw-,g::r--,o:r-- T/aap
setfacl: Permission denied
@@ chmod 644 T/aap
chmod: changing permissions of ‘T/aap’: Permission denied
@@ touch T/aap
touch: cannot touch ‘T/aap’: Permission denied
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T

   DACL(protected):
   Seven\Henri   full   allow   no_inheritance
   Seven\None   read_execute   allow   no_inheritance
   Everyone   read_execute   allow   no_inheritance
   CREATOR OWNER   full   allow   container_inherit+object_inherit+inherit_only
   CREATOR GROUP   read_execute   allow   container_inherit+object_inherit+inherit_only
   Everyone   read_execute   allow   container_inherit+object_inherit+inherit_only


SetACL finished successfully.
@@ rm T/aap
/bin/rm: remove write-protected regular empty file ‘T/aap’? y
@@ ls -l T/aap
ls: cannot access T/aap: No such file or directory
@@

=====
------=_20150216142137_53901
Content-Type: text/plain; name="run-chmod-rocks-file.txt"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="run-chmod-rocks-file.txt"

chmod rocks!

List of commands:
 - mkdir T
 - touch T/aap
 - chmod u-w T/aap
 - chmod u+w T/aap
 - touch T/aap

Summary: chmod is able to remove 'write access', and reinstate it subsequently in contrast to setfacl

@@ pwd
/drv/e
@@ mkdir T
@@ touch T/aap
@@ chmod u-w T/aap
@@ chmod u+w T/aap
@@ touch T/aap

----- same sequence of commands
@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ touch T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
@@ chmod u-w T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,D,WDAC,WO,WA) # <==== Note: lost W, but got WA instead ... (setfacl fails here)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
@@ chmod u+w T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
@@ touch aap
@@

----- same sequence of commands, but now using Helge Klein's SetACL to diagnose
 - https://helgeklein.com/setacl

@@ pwd
/drv/e
@@ mkdir T
@@ touch T/aap
@@ hk-getfacl.sh T/aap
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T/aap

   DACL(protected):
   Seven\Henri   write+read+WRITE_OWNER+WRITE_DAC+DELETE   allow   no_inheritance
   Seven\None   read   allow   no_inheritance
   Everyone   read   allow   no_inheritance


SetACL finished successfully.
@@ chmod u-w T/aap
@@ hk-getfacl.sh T/aap
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T/aap

   DACL(protected):
   Seven\Henri   read+FILE_WRITE_ATTRIBUTES+WRITE_OWNER+WRITE_DAC+DELETE   allow   no_inheritance
   Seven\None   read   allow   no_inheritance
   Everyone   read   allow   no_inheritance
Note: Seven\Henri: lost write, but got FILE_WRITE_ATTRIBUTES instead ... (setfacl fails here)

SetACL finished successfully.
@@ chmod u+w T/aap
@@ hk-getfacl.sh T/aap
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T/aap

   DACL(protected):
   Seven\Henri   write+read+WRITE_OWNER+WRITE_DAC+DELETE   allow   no_inheritance
   Seven\None   read   allow   no_inheritance
   Everyone   read   allow   no_inheritance


SetACL finished successfully.
@@ touch T/aap
@@

=====
------=_20150216142137_53901
Content-Type: text/plain; name="run-setfacl-sucks-directory.txt"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="run-setfacl-sucks-directory.txt"

setfacl sucks ...

List of commands:
 - mkdir T
 - setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T	## inadvertently removes "write attributes" from the file owner
 - setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T	# denied
 - chmod 755 T							# denied ... Euh? What?
 - rmdir T
 - ls -ld T

Summary: setfacl fails to reinstate 'write access' to directory (in contrast to chmod)

Diagnostics: --  request for comments (RFC)
 - setfacl should NOT remove "write attributes" from the FILE OWNER (chmod does not)
    - chmod u-w <directory> ONLY
       - removes create files/ create folders
       - removes write data/ append data
       - removes write extended attributes
       - removes delete subfolders and files from the FILE OWNER
 - setfacl should ALSO NOT remove delete, change permissions, take ownership from the CREATOR OWNER (chmod does not)

Also applies to setfacl -b (and setfacl -k for the file owner)

@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@ setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
setfacl: Permission denied
@@ chmod 755 T
chmod: changing permissions of ‘T’: Permission denied
@@ rmdir T
@@ ls -ld T
ls: cannot access T: No such file or directory

-----
@@# pwd # bash elevated
/drv/e
@@# mkdir T
@@# icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@# setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@# setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@# icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(RX,W,DC) # <=====
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@#

----- same sequence of commands, using icacls to diagnose
@@ pwd
/drv/e
@@ icacls .
. Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  Everyone:(OI)(CI)(IO)(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@ mkdir T
@@ icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@ setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@ icacls T
T Seven\Henri:(RX,D,WDAC,WO) # <==== Note: lost W, but failed to get WA instead (chmod does!)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(RX,W,DC)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@ setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
setfacl: Permission denied
@@

----- same sequence of commands, but now using Helge Klein's SetACL to diagnose
 - https://helgeklein.com/setacl

@@ pwd
/drv/e
@@ hk-getfacl.sh .
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://.

   DACL(protected):
   Seven\Henri   full   allow   no_inheritance
   Seven\None   read_execute   allow   no_inheritance
   Everyone   read_execute   allow   no_inheritance
   Everyone   read_execute   allow   container_inherit+object_inherit+inherit_only
   CREATOR OWNER   full   allow   container_inherit+object_inherit+inherit_only
   CREATOR GROUP   read_execute   allow   container_inherit+object_inherit+inherit_only


SetACL finished successfully.
@@ mkdir T
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T

   DACL(protected):
   Seven\Henri   full   allow   no_inheritance
   Seven\None   read_execute   allow   no_inheritance
   Everyone   read_execute   allow   no_inheritance
   CREATOR OWNER   full   allow   container_inherit+object_inherit+inherit_only
   CREATOR GROUP   read_execute   allow   container_inherit+object_inherit+inherit_only
   Everyone   read_execute   allow   container_inherit+object_inherit+inherit_only


SetACL finished successfully.
@@ setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T

   DACL(protected):
   Seven\Henri   read_execute+WRITE_OWNER+WRITE_DAC+DELETE   allow   no_inheritance
   Seven\None   read_execute   allow   no_inheritance
   Everyone   read_execute   allow   no_inheritance
   CREATOR OWNER   read_execute+write+FILE_DELETE_CHILD   allow   container_inherit+object_inherit+inherit_only
   CREATOR GROUP   read_execute   allow   container_inherit+object_inherit+inherit_only
   Everyone   read_execute   allow   container_inherit+object_inherit+inherit_only
Note: Seven\Henri: lost write, but failed to get FILE_WRITE_ATTRIBUTES instead (chmod does!)

SetACL finished successfully.
@@ setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
setfacl: Permission denied
@@

=====
------=_20150216142137_53901
Content-Type: text/plain; name="run-chmod-rocks-directory.txt"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="run-chmod-rocks-directory.txt"

chmod rocks!

List of commands:
 - mkdir T
 - chmod u-w T
 - chmod u+w T
 - touch T/aap

Summary: chmod is able to remove 'write access', and reinstate it subsequently in contrast to setfacl

@@ pwd
/drv/e
@@ mkdir T
@@ chmod u-w T
@@ chmod u+w T
@@ touch T/aap

----- same sequence of commands
@@ pwd
/drv/e
@@ mkdir T
@@ chmod u-w T
@@ icacls T
T Seven\Henri:(RX,D,WDAC,WO,WA) # <==== Note: lost W, but got WA instead ... (setfacl fails here)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@ chmod u+w T
@@ icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@

----- same sequence of commands, but now using Helge Klein's SetACL to diagnose
 - https://helgeklein.com/setacl

@@ pwd
/drv/e
@@ mkdir T
@@ chmod u-w T
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T

   DACL(protected):
   Seven\Henri   read_execute+FILE_WRITE_ATTRIBUTES+WRITE_OWNER+WRITE_DAC+DELETE   allow   no_inheritance
   Seven\None   read_execute   allow   no_inheritance
   Everyone   read_execute   allow   no_inheritance
   CREATOR OWNER   full   allow   container_inherit+object_inherit+inherit_only
   CREATOR GROUP   read_execute   allow   container_inherit+object_inherit+inherit_only
   Everyone   read_execute   allow   container_inherit+object_inherit+inherit_only
Note: Seven\Henri: lost write, but got FILE_WRITE_ATTRIBUTES instead ... (setfacl fails here)

SetACL finished successfully.
@@ chmod u+w T
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T

   DACL(protected):
   Seven\Henri   full   allow   no_inheritance
   Seven\None   read_execute   allow   no_inheritance
   Everyone   read_execute   allow   no_inheritance
   CREATOR OWNER   full   allow   container_inherit+object_inherit+inherit_only
   CREATOR GROUP   read_execute   allow   container_inherit+object_inherit+inherit_only
   Everyone   read_execute   allow   container_inherit+object_inherit+inherit_only


SetACL finished successfully.
@@

=====

------=_20150216142137_53901--
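
A check for the state reported in the message above, as an added example that is not part of the original post or of Cygwin: it reads icacls output and reports whether a given principal still holds write-attributes (WA) on the object itself, which is the right the transcripts show chmod keeping and setfacl dropping. The function name wa_status and the sample_* helpers are hypothetical; the sample lines are taken from the transcripts, and the mapping "F, M and W each include WA" is this example's assumption about icacls simple rights.

```shell
#!/bin/sh
# Added example (not from the original message): read `icacls` output on stdin
# and report whether PRINCIPAL holds FILE_WRITE_ATTRIBUTES on the object itself.
# Assumption of this example: the icacls simple rights F, M and W each include
# FILE_WRITE_ATTRIBUTES; WA grants it on its own.

# Usage: icacls T/aap | wa_status 'Seven\Henri'
# Prints granted | missing | no-ace; exit status is 0 only for "granted".
wa_status() {
    # Pass the name through the environment: awk -v would mangle the backslash.
    WA_PRINCIPAL=$1 awk '
    BEGIN { who = ENVIRON["WA_PRINCIPAL"]; seen = 0; ok = 0 }
    {
        sep = index($0, ":(")
        if (sep == 0) next                       # not an ACE line
        left = substr($0, 1, sep - 1)            # "[path ]principal"
        rest = substr($0, sep + 1)               # "(flags)...(rights) [notes]"
        n = length(left); m = length(who)
        if (n < m || substr(left, n - m + 1) != who) next
        if (n > m && substr(left, n - m, 1) !~ /[ \t]/) next
        # Walk the leading run of (...) groups; the last one is the rights list.
        skip = 0; rights = ""
        while (substr(rest, 1, 1) == "(" && (end_at = index(rest, ")")) > 0) {
            grp = substr(rest, 2, end_at - 2)
            # IO = inherit-only (does not apply to this object); deny ACEs
            # are ignored here rather than subtracted.
            if (grp == "IO" || grp == "DENY") skip = 1
            rights = grp
            rest = substr(rest, end_at + 1)
        }
        if (skip) next
        seen = 1
        r = split(rights, right, ",")
        for (i = 1; i <= r; i++)
            if (right[i] ~ /^(F|M|W|WA)$/) ok = 1
    }
    END {
        if (!seen) { print "no-ace"; exit 2 }
        if (ok)    { print "granted"; exit 0 }
        print "missing"; exit 1
    }'
}

# Sample icacls output taken from the transcripts in the message above.
sample_after_chmod() {            # state after: chmod u-w T/aap
cat <<'EOF'
T/aap Seven\Henri:(R,D,WDAC,WO,WA) # <==== Note: lost W, but got WA instead ... (setfacl fails here)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
EOF
}

sample_after_setfacl() {          # state after: setfacl -s u::r--,g::r--,o:r-- T/aap
cat <<'EOF'
T/aap Seven\Henri:(R,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
EOF
}

sample_dir_after_setfacl() {      # state after: setfacl -s u::r-x,...,d:o:r-x T
cat <<'EOF'
T Seven\Henri:(RX,D,WDAC,WO)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(RX,W,DC)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
EOF
}

# Report the owner's WA status for each sample state.
for s in sample_after_chmod sample_after_setfacl sample_dir_after_setfacl; do
    printf '%s: %s\n' "$s" "$($s | wa_status 'Seven\Henri')"
done
```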

