| X-Recipient: | archive-cygwin AT delorie DOT com |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Authentication-Results: | sourceware.org; auth=none |
| X-Virus-Found: | No |
| X-Spam-SWARE-Status: | No, score=-5.9 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.2 |
| X-HELO: | calimero.vinschen.de |
| Date: | Fri, 27 Feb 2015 14:57:43 +0100 |
| From: | Corinna Vinschen <corinna-cygwin AT cygwin DOT com> |
| To: | cygwin AT cygwin DOT com |
| Cc: | Warren Young <wyml AT etr-usa DOT com> |
| Subject: | Re: Too Many Permissions Stripped In 1.7.35? |
| Message-ID: | <20150227135743.GN11124@calimero.vinschen.de> |
| Reply-To: | cygwin AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com, Warren Young <wyml AT etr-usa DOT com> |
| References: | <54F00036 DOT 8050509 AT gmail DOT com> <20150227091711 DOT GJ11124 AT calimero DOT vinschen DOT de> <loom DOT 20150227T105254-353 AT post DOT gmane DOT org> <20150227121958 DOT GL11124 AT calimero DOT vinschen DOT de> |
| MIME-Version: | 1.0 |
| In-Reply-To: | <20150227121958.GL11124@calimero.vinschen.de> |
| User-Agent: | Mutt/1.5.23 (2014-03-12) |
| Note-from-DJ: | This may be spam |
On Feb 27 13:19, Corinna Vinschen wrote:
> On Feb 27 09:57, Achim Gratz wrote:
> > Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > > Good point. Right now the group permissions are == owner permissions in
> > > the case the owner and group are the same. Maybe it would be better to
> > > remove all group permission bits if owner SID == group SID instead.
> >
> > I think that would be defendable since it is purely based on how Windows and
> > POSIX treat groups and users in different ways and not an artificial
> > exception that Cygwin makes on top of that.
>
> Come to think of it, this would also drop the requirement to enforce
> primary group "Users" for the so-called "Microsoft Accounts", which have
> their own SID as group SID in the user token by default.
>
> Hmm, I'm really warming up to this change...

Done. I uploaded a snapshot and I'm contemplating to create a test
release for this change.

Warren, you're the unlucky guy of the day. From our discussions in
the last days I know you're using a Microsoft account. Can you please
give the latest snapshot from https://cygwin.com/snapshots/ a try?

When using it, you should now see your account also as group. Creating
files should result in having user and group being the same, and if you
chmod the file, the group permissions should not reflect the user
permissions anymore:

  $ chmod 600 xxx
  $ ls -l xxx
  -rw------- 1 corinna corinna 0 Feb 27 10:40 xxx
  $ chmod 660 xxx
  $ ls -l xxx
  -rw------- 1 corinna corinna 0 Feb 27 10:40 xxx

Trip hazard 1:

  $ chmod 250 xxx
  $ ls -l xxx
  -rwx------ 1 corinna corinna 0 Feb 27 10:40 xxx

The new permissions for your account are the sum of permissions you
gave yourself as user and group:

  user          2 == -w-
  group         5 == r-x
  ==> combined  7 == rwx

Trip hazard 2:

  $ chmod 644 xxx
  $ ls -l xxx
  -rw-r--r-- 1 corinna corinna 0 Feb 27 10:40 xxx

Funny, isn't it? The group permissions are different from the user
permissions even though both are the same account. These are the
"Everyone" permissions which penetrate into the group permissions due
to the way the Windows ACL is evaluated:

  $ icacls xxx
  xxx VINSCHEN\corinna:(R,W,D,WDAC,WO)
      Everyone:(R)

I didn't change that because it doesn't hurt. The case has altered
(sorry the pun) if "other" has permissions the owner doesn't have:

  $ chmod 601 xxx
  $ ls -l xxx
  -rw------x 1 corinna corinna 0 Feb 27 10:40 xxx
  $ icacls xxx
  xxx VINSCHEN\corinna:(DENY)(S,X)
      VINSCHEN\corinna:(R,W,D,WDAC,WO)
      Everyone:(Rc,S,X,RA)

I think that's really a good change. It should help in security
conscious scenarios a lot. It *may* break other scenarios, but
that should be rather unlikely or easy to fix.

Thanks for the idea "random user". A name would be nice, though...

Corinna

-- 
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
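
The mapping shown in the sessions above, as an added example that is not part of the original message and is not Cygwin's code: a simplified model of the ACL built when owner SID == group SID and of the mode that `ls -l` then reports. The function names are hypothetical, Windows rights are reduced to r/w/x bits, and the rules are inferred only from the five chmod/ls sessions in the message.

```python
# Added model, not Cygwin source. Rules are inferred from the five
# chmod/ls sessions in the message; bits are POSIX r=4, w=2, x=1.

def build_acl(mode):
    """Simplified ACL for a file whose owner SID == group SID."""
    user, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    owner_allow = user | group          # one SID, so both sets land on it
    deny = other & ~owner_allow & 7     # bits "Everyone" has but owner lacks
    acl = []
    if deny:
        acl.append(("deny", "owner", deny))
    acl.append(("allow", "owner", owner_allow))
    acl.append(("allow", "everyone", other))
    return acl

def access(acl, principals):
    """Walk ACEs in order; a deny ACE blocks bits not yet granted."""
    granted = denied = 0
    for kind, who, bits in acl:
        if who not in principals:
            continue
        if kind == "deny":
            denied |= bits & ~granted
        else:
            granted |= bits & ~denied
    return granted

def rwx(bits):
    return "".join(c if bits & m else "-" for c, m in zip("rwx", (4, 2, 1)))

def displayed_mode(mode):
    acl = build_acl(mode)
    both = {"owner", "everyone"}
    user = access(acl, both)
    # Group column: what the same SID gets without its owner allow ACE,
    # i.e. "Everyone" rights minus anything denied to that SID.
    no_owner_allow = [a for a in acl if a[:2] != ("allow", "owner")]
    group = access(no_owner_allow, both)
    other = access(acl, {"everyone"})
    return "-" + rwx(user) + rwx(group) + rwx(other)

# The five cases from the message (table constructed from its ls output).
CASES = {0o600: "-rw-------", 0o660: "-rw-------", 0o250: "-rwx------",
         0o644: "-rw-r--r--", 0o601: "-rw------x"}

if __name__ == "__main__":
    for mode, shown in CASES.items():
        print(f"chmod {mode:03o} -> {displayed_mode(mode)} (message: {shown})")
```

A deny entry appears only in the 601-style case, which matches the `(DENY)(S,X)` line in the icacls output above.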