| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DomainKey-Signature: | a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:from:to:subject:references:date:in-reply-to | |
| :message-id:mime-version:content-type; q=dns; s=default; b=FOC8s | |
| fi+dhWhct9NIIp89Tl/OWCCrM0aZOCT/47FYIHYbbuT3slvs+U9tkxzo1NxGi/xX | |
| GvYUy4mMjDd8QkBmECHCr8jKWACB0Ja9RKQ1tKjuFm4mtYpXugf2n3GK22AK4qh+ | |
| JzBpAfbSyfozYpA4ksICc+RlfJrqmBIDqpGux8= | |
| DKIM-Signature: | v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:from:to:subject:references:date:in-reply-to | |
| :message-id:mime-version:content-type; s=default; bh=PoznLHn43LD | |
| 9E08mfoFqhUwdkFg=; b=GK2VspUQJpCPmk4o45i7cei907MlBGnFsAmDdfnR2On | |
| rjdnVyZUrEZwC5jhVqkZuamV4gU2L+srkxL87pCsWXJMtXsh4r/gze/CgaFuc5GE | |
| vB24GknFT4oAGLhJ8RGFZr0V/fMbS4URH8zAOotzynNby07e+73iIsV0fs+Ey3KI | |
| = | |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Authentication-Results: | sourceware.org; auth=none |
| X-Virus-Found: | No |
| X-Spam-SWARE-Status: | No, score=-1.7 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 |
| X-HELO: | mail-in-07.arcor-online.net |
| X-DKIM: | Sendmail DKIM Filter v2.8.2 mail-in-13.arcor-online.net 3lPF0d70JmzJMGs |
| From: | Achim Gratz <Stromeko AT nexgo DOT de> |
| To: | cygwin AT cygwin DOT com |
| Subject: | Re: [TESTERS needed] New POSIX permission handling |
| References: | <20150410100703 DOT GA4401 AT calimero DOT vinschen DOT de> <87lhhzcarc DOT fsf AT Rainer DOT invalid> <5528E2ED DOT 7090105 AT gmail DOT com> <87d23bc9r5 DOT fsf AT Rainer DOT invalid> <5528EE66 DOT 8070305 AT gmail DOT com> |
| Date: | Sat, 11 Apr 2015 13:51:09 +0200 |
| In-Reply-To: | <5528EE66.8070305@gmail.com> (David Macek's message of "Sat, 11 Apr 2015 11:50:30 +0200") |
| Message-ID: | <878udydgsy.fsf@Rainer.invalid> |
| User-Agent: | Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux) |
| MIME-Version: | 1.0 |
David Macek writes: > https://technet.microsoft.com/en-us/library/cc776499(v=ws.10).aspx > says otherwise about the group-in-group rights. As I see it, nesting groups is just a more efficient way of populating them, so by expanding the nested groups recursively you'll end up with the effective set of users that have those rights. But if I have a DACL permission for "Domain Admins" that still doesn't mean that "Administrators" (the group) gets access. The other way around (intentionally) works, by virtue of "Domain Admins" being a member of "Administrators". Also, "Administrator" (the account) is by default a member of both "Administrators" and "Domain Administrators", which is a bit confusing. > The way I see it, the point of the code change was to prevent the > "implicit" Administrators and SYSTEM DACL entries from showing up in > the computed POSIX access mask because they nicely match the implicit > rights root accounts have on POSIX systems and because they're > unhelpful and sometimes problematic. My point is that the interpretation of who gets to call himself "root" in that analogy is quite fuzzy and sometimes depends on the filesystem you look at. The choice proffered by Cygwin now is mostly correct for local file systems, but not necessarily for network shares (and most certainly not for a few important ones I'll have to deal with). The fallback will be to mount with "noacl" as before, something I had hoped would no longer be necessary. I have a few applications where the faked file modes simply don't cut it and so far I've been lucky that either the shares these need to be on are configured differently by default (like my home "drive") or I could convince IT to give me something non-standard. But the next round of filer or server upgrades or changed security policies might leave me stranded, so I'm really not too keen to rely on that indefinitely. > As neither Domain Administrators nor Power Users have this combination > of properties (presence on most filesystem objects by default and > SeTakeOwnershipPrivilege), I think it's useful to have them appear in > the mask. For isolated systems and small networks, this is wholly sufficient. Large networked installations have, for better or worse, more complicated setups. Again, I see a lot of cruft that likely wouldn't be necessary and is probably largely historical, but some of it really can't be changed. Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ SD adaptation for Waldorf Blofeld V1.15B11: http://Synth.Stromeko.net/Downloads.html#WaldorfSDada -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |