Mail Archives: cygwin/2018/04/12/15:16:52

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
From: Achim Gratz <Stromeko AT nexgo DOT de>
To: cygwin AT cygwin DOT com
Subject: Re: [Bug] File permissions across domains
References: <874lkjt3dw DOT fsf AT Rainer DOT invalid> <20180411070312 DOT GK29703 AT calimero DOT vinschen DOT de> <20180411093443 DOT GM29703 AT calimero DOT vinschen DOT de> <87r2nlwtln DOT fsf AT Rainer DOT invalid> <20180412073805 DOT GS29703 AT calimero DOT vinschen DOT de>
Date: Thu, 12 Apr 2018 21:16:24 +0200
In-Reply-To: <20180412073805.GS29703@calimero.vinschen.de> (Corinna Vinschen's message of "Thu, 12 Apr 2018 09:38:05 +0200")
Message-ID: <87bmeo8cc7.fsf@Rainer.invalid>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
MIME-Version: 1.0
X-VADE-STATUS: LEGIT

Corinna Vinschen writes:
> I inspected the source code which handles this kind of thing.  What it
> does is to ask Windows for permissions of SID X on file Y, using AuthZ.

That seems to be working correctly.  For all old domain SIDs I've looked
at, they've been prefixed by 0x7FFF0000 when seen by the new domain
machine, so both the SID and conversion of uid/gid work correctly.  If
they didn't I'd not be able to see my homedir and other stuff too.

> See sec_acl.cc, line 1127ff.  This calls a function
> authz_get_user_attribute which in turn calls a method
> authz_ctx::get_user_attribute, sec_helper.cc, line 811ff.
>
> This method checks if the owner of the file is the current user.  Given
> this test is done using SIDs, not Cygwin uids, this should be you, *iff*
> you're logged in as the same user on both machines at the time you
> created the above output.  This in turn should create the Authz context
> for the current user from the current process token and the subsequent
> AuthzAccessCheck should give the same result on both machines.

I've looked briefly at the source code, but I don't really see what's
going on.  While poking around, I noticed that the error/bug is far more
specific than I thought:

The merging of the access rights bestowed by access groups is working
correctly if the file is not owned by the current user, but fails if
it's owned by the current user.  I have a second account that I must use
for doing anything administrative and it's also in the old domain.

> One reason could be that you're member of OLD+cygwinupload only on the
> old machine, while this group is not in your current process token when
> logged in on your NEW machine.  You should check your token.  In terms
> of group membership an `id' call should suffice.  But there may be
> other differences in the token.

That all seems to be correct as far as I can tell.

> If that's not the problem, you will have to debug this, because
> only you have access to this environment.

Given the sheer size of the function I'd appreciate it if you could point
out on which line the decision is made whether the file is owned by me
or not.  It seems that I should step through from that point on to see
where it makes the (wrong) decision to not merge access rights via
groups.

> It wouldn't change anything since the access check is performed on
> SIDs, not uids.

True.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Samples for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldSamplesExtra

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
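As an added illustration of the mechanism Corinna describes in this thread (AuthzAccessCheck evaluating a file's DACL against the SIDs in the process token, so group rights merge with owner rights only when the group SID is actually in the token), here is a constructed Python model of the standard Windows DACL walk. It is not Cygwin's code; the access-mask constants are the real winnt.h values, but the SIDs, the ACEs and the demo() function are made up for the example.

```python
from dataclasses import dataclass

# Real Windows access-mask bits (winnt.h); the SIDs and ACEs further down are constructed.
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_EXECUTE = 0x0020
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000

@dataclass
class Ace:
    kind: str  # "allow" or "deny"
    sid: str   # trustee SID, compared as a string
    mask: int  # access bits this ACE grants or denies

def access_check(dacl, owner_sid, token_sids, desired):
    """Model of the DACL walk AuthzAccessCheck performs for one request.
    token_sids: the user SID plus the enabled group SIDs of the process
    token (what `id` shows in Cygwin). Returns True iff every bit of
    `desired` ends up granted."""
    if dacl is None:              # NULL DACL: no protection at all
        return True
    remaining = desired
    if owner_sid in token_sids:   # the owner is implicitly allowed these two
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in dacl:              # ACEs are evaluated strictly in order
        if remaining == 0:
            break
        if ace.sid not in token_sids:
            continue              # SID not in the token: ACE is ignored
        if ace.kind == "deny" and ace.mask & remaining:
            return False          # a deny on any still-wanted bit is final
        if ace.kind == "allow":
            remaining &= ~ace.mask  # owner and group grants accumulate
    return remaining == 0

# Constructed sample: the owner ACE gives read only, an "upload" group ACE gives write.
OWNER = "S-1-5-21-1000-2000-3000-1101"   # constructed, stands for the user's SID
UPLOAD = "S-1-5-21-1000-2000-3000-1205"  # constructed, stands for a group like OLD+cygwinupload
DACL = [Ace("allow", OWNER, FILE_READ_DATA), Ace("allow", UPLOAD, FILE_WRITE_DATA)]

def demo():
    """Same user, two tokens: one carries the group SID, the other does not."""
    want = FILE_READ_DATA | FILE_WRITE_DATA
    with_group = access_check(DACL, OWNER, {OWNER, UPLOAD}, want)
    without_group = access_check(DACL, OWNER, {OWNER}, want)
    return with_group, without_group

if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The second token is what a missing group membership on the NEW machine would look like; comparing `id` output on both machines is the quick way to tell the two cases apart.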
