Mail Archives: cygwin/2015/02/26/17:51:46

Date: Thu, 26 Feb 2015 23:51:26 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Too Many Permissions Stripped In 1.7.35?
Message-ID: <20150226225126.GE11124@calimero.vinschen.de>


On Feb 26 23:29, Corinna Vinschen wrote:
> Having discussed this, I can understand that it may be desirable to
> skip the permissions of the SYSTEM account in these circumstances:
>
> - Computing the POSIX ACL mask and default mask value and thus in
>   the permission mask as printed by `ls -l'.

Trying to be more exact:

- Right now, the POSIX ACL mask value includes the permissions of the
  SYSTEM account, if it's in the ACL.  The function collecting the ACL
  entries can easily skip adding the permissions of SYSTEM to the mask
  value.  Thus, the mask value only reflects the permissions of all
  other users and groups, and so ls -l will not show rwx group perms
  only because SYSTEM has rwx perms.  Example:

  Today:

    $ getfacl .ssh/authorized_keys
    # file: authorized_keys
    # owner: corinna
    # group: vinschen
    user::rw-
    group::---
    group:SYSTEM:rwx
    mask:rwx        <= !!!!!
    other:---

    [~/.ssh](64)$ ls -l authorized_keys
    -rw-rwx---+ 1 corinna vinschen 1025 Jun 15  2014 authorized_keys
        ^^^
        !!!

  With the proposed change:

    # file: authorized_keys
    # owner: corinna
    # group: vinschen
    user::rw-
    group::---
    group:SYSTEM:rwx
    mask:---        <= !!!!!
    other:---

    [~/.ssh](64)$ ls -l authorized_keys
    -rw-------+ 1 corinna vinschen 1025 Jun 15  2014 authorized_keys
        ^^^
        !!!

> - Changing SYSTEM permissions when calling chmod, unless SYSTEM is the
>   file's owning group.

  A chmod can easily skip the SYSTEM ACE when applying the group perms
  to all secondary users and groups in the ACL.  So a SYSTEM rwx stays
  rwx.  Unless, of course, SYSTEM is the owning group of the file.
  Example:

  Today:

    $ chmod 600 .ssh/authorized_keys
    $ getfacl .ssh/authorized_keys
    # file: authorized_keys
    # owner: corinna
    # group: vinschen
    user::rw-
    group::---
    group:SYSTEM:---    <= !!!!!
    mask:---
    other:---

  With the proposed change:

    $ chmod 600 .ssh/authorized_keys
    $ getfacl .ssh/authorized_keys
    # file: authorized_keys
    # owner: corinna
    # group: vinschen
    user::rw-
    group::---
    group:SYSTEM:rwx    <= !!!!!
    mask:---
    other:---

> Changing this in the code is pretty straightforward, but I'm not willing
> to add another mount option for this behaviour.  Either Cygwin ignores
> SYSTEM in the aforementioned circumstances or it doesn't.
>
> Crucial vote starting... now.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
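
Added example, not part of the original message and not Cygwin's code: a small C model of the two proposed rules (leave SYSTEM out of the mask; let chmod skip the SYSTEM ACE unless SYSTEM is the owning group). The types, function names and the `skip_system` switch are hypothetical, and chmod's effect on named entries is assumed to be a bitwise AND with the new group bits.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the ACL as getfacl prints it; not Cygwin's own structures. */
enum kind { USER_OBJ, GROUP_OBJ, NAMED_GROUP, OTHER_OBJ };
struct entry { enum kind kind; const char *name; unsigned perms; }; /* perms: rwx, 0-7 */
static int is_system(const struct entry *e) {
    return e->kind == NAMED_GROUP && strcmp(e->name, "SYSTEM") == 0;
}

/* Mask = union of group:: and named entries; skip_system leaves SYSTEM out of it. */
unsigned acl_mask(const struct entry *acl, int n, int skip_system) {
    unsigned mask = 0;
    for (int i = 0; i < n; i++) {
        if (acl[i].kind == USER_OBJ || acl[i].kind == OTHER_OBJ) continue;
        if (skip_system && is_system(&acl[i])) continue;
        mask |= acl[i].perms;
    }
    return mask;
}

/* chmod: set owner/group/other, then restrict named entries to the group bits (AND is
   an assumption). With skip_system, SYSTEM is untouched unless it is the owning group. */
void acl_chmod(struct entry *acl, int n, unsigned mode, const char *owning_group, int skip_system) {
    unsigned grp = (mode >> 3) & 7;
    int keep = skip_system && strcmp(owning_group, "SYSTEM") != 0;
    for (int i = 0; i < n; i++) {
        if (acl[i].kind == USER_OBJ) acl[i].perms = (mode >> 6) & 7;
        else if (acl[i].kind == GROUP_OBJ) acl[i].perms = grp;
        else if (acl[i].kind == OTHER_OBJ) acl[i].perms = mode & 7;
        else if (!(keep && is_system(&acl[i]))) acl[i].perms &= grp;
    }
}

/* Mode bits as ls -l shows them: owner, mask in the group column, other. */
unsigned ls_mode(const struct entry *acl, int n, int skip_system) {
    unsigned u = 0, o = 0;
    for (int i = 0; i < n; i++) {
        if (acl[i].kind == USER_OBJ) u = acl[i].perms;
        if (acl[i].kind == OTHER_OBJ) o = acl[i].perms;
    }
    return (u << 6) | (acl_mask(acl, n, skip_system) << 3) | o;
}

int main(void) { /* constructed sample: the authorized_keys ACL from the message */
    struct entry a[] = {{USER_OBJ,"",6},{GROUP_OBJ,"",0},{NAMED_GROUP,"SYSTEM",7},{OTHER_OBJ,"",0}};
    printf("today %04o, proposed %04o\n", ls_mode(a, 4, 0), ls_mode(a, 4, 1));
    return 0;
}
```

The model reproduces the listings above: mode 0670 today versus 0600 with the change, with SYSTEM keeping rwx after `chmod 600`.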
