Mail Archives: cygwin/2015/02/26/20:51:07

Date: Fri, 27 Feb 2015 04:43:27 +0300
From: Andrey Repin <anrdaemon AT yandex DOT ru>
Reply-To: cygwin AT cygwin DOT com
Message-ID: <1184688506.20150227044327@yandex.ru>
To: Corinna Vinschen <cygwin AT cygwin DOT com>, cygwin AT cygwin DOT com
Subject: Re: Too Many Permissions Stripped In 1.7.35?
In-Reply-To: <20150226225126.GE11124@calimero.vinschen.de>
References: <CADi7v6JajieaQGq3N5LY2Ck2m7SiOTci6au5t7RL4gxZdvBgEw AT mail DOT gmail DOT com> <87twy8cv4k DOT fsf AT Rainer DOT invalid> <20150226202836 DOT GB10024 AT calimero DOT vinschen DOT de> <CADi7v6LLEhH9Dn3X3+W4Fk2=r7brDKuSHoJT3f7P31FX8523fg AT mail DOT gmail DOT com> <20150226205736 DOT GA10870 AT calimero DOT vinschen DOT de> <CADi7v6+u=92JZUjJ85xwuELFDm7-O4i5+Js_aWVV=6F-wHxatQ AT mail DOT gmail DOT com> <20150226222931 DOT GA11124 AT calimero DOT vinschen DOT de> <20150226225126 DOT GE11124 AT calimero DOT vinschen DOT de>

Greetings, Corinna Vinschen!

>> Having discussed this, I can understand that it may be desirable to
>> skip the permissions of the SYSTEM account in these circumstances:
>> 
>> - Computing the POSIX ACL mask and default mask value and thus in
>>   the permission mask as printed by `ls -l'.

SYSTEM is the Windows equivalent of the 'root' account. While in Linux root has
implicit rights, this is not true for Windows. You have to either explicitly
grant access rights to SYSTEM, or, again, explicitly grant the SeBackup/Restore
privilege to the relevant user.
That said, the SYSTEM account should be treated as implicit and ignored, unless
directly mentioned as file owner, as you suggested.

> Trying to be more exact:

> - Right now, the POSIX ACL mask value includes the permissions of the
>   SYSTEM account, if it's in the ACL.  The function collecting the ACL
>   entries can easily skip adding the permissions of SYSTEM to the mask
>   value.  Thus, the mask value only reflects the permissions of all
>   other users and groups, and so ls -l will not show rwx group perms
>   only because SYSTEM has rwx perms.  Example:

>   Today:

>     $ getfacl .ssh/authorized_keys
>     # file: authorized_keys
>     # owner: corinna
>     # group: vinschen
>     user::rw-
>     group::---
>     group:SYSTEM:rwx
>     mask:rwx            <= !!!!!
>     other:---

>     [~/.ssh](64)$ ls -l authorized_keys
>     -rw-rwx---+ 1 corinna vinschen 1025 Jun 15  2014 authorized_keys
>         ^^^
>         !!!

>   With the proposed change:

>     # file: authorized_keys
>     # owner: corinna
>     # group: vinschen
>     user::rw-
>     group::---
>     group:SYSTEM:rwx
>     mask:---            <= !!!!!
>     other:---

>     [~/.ssh](64)$ ls -l authorized_keys
>     -rw-------+ 1 corinna vinschen 1025 Jun 15  2014 authorized_keys
>         ^^^
>         !!!

>> - Changing SYSTEM permissions when calling chmod, unless SYSTEM is the
>>   file's owning group.

>   A chmod can easily skip the SYSTEM ACE when applying the group perms
>   to all secondary users and groups in the ACL.  So a SYSTEM rwx stays
>   rwx.  Unless, of course, SYSTEM is the owning group of the file.
>   Example:

>   Today:

>     $ chmod 600 .ssh/authorized_keys
>     $ getfacl .ssh/authorized_keys
>     # file: authorized_keys
>     # owner: corinna
>     # group: vinschen
>     user::rw-
>     group::---
>     group:SYSTEM:---    <= !!!!!
>     mask:---
>     other:---

>   With the proposed change:

>     $ chmod 600 .ssh/authorized_keys
>     $ getfacl .ssh/authorized_keys
>     # file: authorized_keys
>     # owner: corinna
>     # group: vinschen
>     user::rw-
>     group::---
>     group:SYSTEM:rwx    <= !!!!!
>     mask:---
>     other:---

>> Changing this in the code is pretty straightforward, but I'm not willing
>> to add another mount option for this behaviour.  Either Cygwin ignores
>> SYSTEM in the aforementioned circumstances or it doesn't.
>> 
>> Crucial vote starting... now.


--
WBR,
Andrey Repin (anrdaemon AT yandex DOT ru) 27.02.2015, <04:38>

Sorry for my terrible English...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
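As an added illustration (not Cygwin's code and not posted by anyone in the thread), the following Python model reproduces the two scenarios Corinna quotes above: the POSIX ACL mask with and without the named SYSTEM entry, and `chmod 600` with and without skipping the SYSTEM ACE. The `Entry` structure, the function names and the constructed ACL are assumptions of this model.

```python
# Added example, not Cygwin's code: models the POSIX ACL mask computation and
# the chmod behaviour discussed in the thread; skip_system selects the proposal.
from dataclasses import dataclass
SYSTEM = "SYSTEM"

@dataclass
class Entry:
    tag: str    # "user" or "group"
    name: str   # "" for the owner / owning-group entries (user::, group::)
    perms: int  # rwx bits: r=4, w=2, x=1

def bits(p: str) -> int:
    return (4 if p[0] == "r" else 0) | (2 if p[1] == "w" else 0) | (1 if p[2] == "x" else 0)

def rwx(b: int) -> str:
    return ("r" if b & 4 else "-") + ("w" if b & 2 else "-") + ("x" if b & 1 else "-")

def compute_mask(acl, skip_system):
    """POSIX mask = union of the owning-group entry and every named user/group
    entry; ls -l shows it as the group triple. With skip_system a *named*
    SYSTEM entry is left out. group:: is always counted, so a file whose
    owning group is SYSTEM still has those perms in the mask (the 'unless
    SYSTEM is the owning group' rule)."""
    m = 0
    for e in acl:
        if e.tag == "user" and e.name == "":
            continue                    # owner perms never enter the mask
        if skip_system and e.name == SYSTEM:
            continue
        m |= e.perms
    return m

def chmod(acl, mode, skip_system):
    """Owner bits go to user::, group bits to group:: and to every secondary
    (named) entry, as today; with skip_system the named SYSTEM ACE is kept
    as is. Returns a new ACL; the mask is recomputed with compute_mask."""
    u, g = (mode >> 6) & 7, (mode >> 3) & 7
    out = []
    for e in acl:
        if e.tag == "user" and e.name == "":
            out.append(Entry(e.tag, e.name, u))
        elif skip_system and e.name == SYSTEM:
            out.append(e)
        else:
            out.append(Entry(e.tag, e.name, g))
    return out

# Constructed ACL mirroring the thread's authorized_keys example (other:--- omitted).
AUTHORIZED_KEYS = [Entry("user", "", bits("rw-")), Entry("group", "", bits("---")),
                   Entry("group", SYSTEM, bits("rwx"))]
```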
