Mail Archives: cygwin/2020/06/18/14:33:55

Subject: Re: Is this a valid synopsis of Cygwin Permission Handling?
To: cygwin AT cygwin DOT com
References: <449yFRqoK6976Set DOT 1592496936 AT web12 DOT cms DOT usa DOT net>
Message-ID: <9b794dcf-eadb-41c8-4e96-c6642d82d28f@cornell.edu>
Date: Thu, 18 Jun 2020 14:33:01 -0400
From: Ken Brown via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Ken Brown <kbrown AT cornell DOT edu>

On 6/18/2020 12:15 PM, KARL BOTTS via Cygwin wrote:
> 
> I wrote the following to a colleague in a private chat channel. Colleague is
> pure Windows: knows little of cygwin or Linux.  He helps me with hardware and
> Windows.
> 
> We had gotten the WinExplorer dialog saying: "The permissions on volume I: are
> incorrectly ordered, which may cause some entries to be ineffective." This was
> after I had run, with cygwin, 'chmod -R 777 .' in the root of that drive.
> 
> I am not complaining, reporting a bug, or anything like that. I am only asking
> the cygwin experts, whether my synopsis of cygwin permission handling, is
> reasonably and logically correct.
> 
> Thanks.
> 
> 
> #################
> 
> Karl Botts, [18.06.20 09:17]
> On that dialog box: I must confess, you should know: I may have caused that,
> by running in root of I: drive, aka in I:/  :
> 
> chmod -R 777 .
> 
> I did that _after_ screwing around with WinExplorer security dialogs. Was not
> getting anywhere, so I tried the chmod out of desperation. Probably should not
> have.
> 
> How cygwin works, with respect to permissions:
> 
> When the first cygwin1.dll is launched (one is being loaded into a process,
> and no other is loaded), it queries from WinDomainController, all security
> info it can get. Including SIDs, ACLs, practically everything. That
> cygwin1.dll builds, in  shared memory private to cygwin, a database expressing
> all that data, in Linux terms. That database emulates what a Linux kernel
> reads from /etc/passwd, /etc/groups, more places, including other hosts.
> 
> All cygwin processes started as descendants of that first process, are passed
> pointer to that DB in shm. (That DB is built just once.) (Remember, in
> Linux/cygwin model, every process is a child of some other process.)
> Thereafter, that DB is almost all a cygwin process knows about perms. I think,
> occasionally, it may call to DomainController again, or to refresh, but tries
> to avoid that, because is very slow. (If every cygwin process queried
> DomainController, would be unacceptably slow.)
> 
> Problem is that emulation, Linux perms <==> Win perms, is not perfect.  A few
> concepts in each, unknown to other.
> 
> In particular: in Win, the AccessControlEntries in an AccessControlList, must
> be in a certain order, or the ACL is invalid. No such concept in Linux: all
> orders valid. When ACL is invalid for that reason, WinExplorer is known to be
> helpless, hence dialog above. Per cygwin mailing list, Win program
> 'icacls.exe' can straighten that out. But requires extreme complex commands to
> icacls; has varied over time; me not know exactly how to do it. So I get
> stuck.
> 
> What 'chmod -R 777 .' means is: Assign complete Read,Write,Execute perms, for
> all of User,Group,Other, from current working dir (the .), recursively, all
> the way down. To all files, all dirs, all everything.
> 
> Those concepts of 'complete' and 'all' and 'recursively all the way down', do
> not map perfectly to Windows. It seems to refuse to believe that intent.
> Somehow, some ACLs wind up in 'wrong ACE order' state. WinExplorer now
> helpless: you get that dialog. Snafu.
> 
> I think I did that.

I haven't read this carefully, but I did notice one inaccuracy.  It's not true 
that the Windows ACEs must be in a certain order or the ACL is invalid.  Windows 
prefers a certain order, in which case the ACL is called "canonical".  But 
Windows deals perfectly well with non-canonical ACLs, even though Windows 
Explorer complains.  See

   https://cygwin.com/cygwin-ug-net/ntsec.html

for details, as well as for an explanation of why Cygwin sometimes produces 
non-canonical ACLs.

Ken
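
Added example, not part of Ken's message or of Cygwin's code: a Python sketch of the point in the reply above. It checks a DACL for canonical order (explicit deny, explicit allow, inherited deny, inherited allow, as Microsoft documents it) and walks the ACEs in stored order the way the Windows access check does. The function names, the reduced rights model (FA/FR/FW/FX only) and the two SDDL strings are assumptions constructed for illustration.

```python
import re

# Simplified rights model (assumption): only these SDDL file-right tokens.
RIGHTS = {"FA": {"R", "W", "X"}, "FR": {"R"}, "FW": {"W"}, "FX": {"X"}}

def parse_dacl(sddl):
    """Return [(ace_type, flags, rights, trustee)] for the D: part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, _, _, trustee = body.split(";")[:6]
        granted = set().union(*(RIGHTS[t] for t in re.findall("..", rights)))
        aces.append((ace_type, re.findall("..", flags), granted, trustee))
    return aces

def rank(ace):
    """0 explicit deny, 1 explicit allow, 2 inherited deny, 3 inherited allow."""
    ace_type, flags, _, _ = ace
    return (2 if "ID" in flags else 0) + (0 if ace_type == "D" else 1)

def first_out_of_order(aces):
    """Index of the first ACE that breaks canonical order, or None if canonical."""
    highest = 0
    for i, ace in enumerate(aces):
        if rank(ace) < highest:
            return i
        highest = rank(ace)
    return None

def access_granted(aces, sids, wanted):
    """Walk the ACEs in stored order, as the Windows access check does."""
    remaining = set(wanted)
    for ace_type, _, rights, trustee in aces:
        if trustee not in sids:
            continue
        if ace_type == "D" and rights & remaining:
            return False          # a still-needed right is denied first
        if ace_type == "A":
            remaining -= rights
        if not remaining:
            return True           # everything requested was allowed first
    return False                  # nothing granted the rest: implicit deny

# Constructed samples: same two ACEs, different order. WD = Everyone, BU = Users.
CANONICAL = "D:(D;;FW;;;BU)(A;;FA;;;WD)"
NON_CANONICAL = "D:(A;;FA;;;WD)(D;;FW;;;BU)"
```

For a token holding both SIDs, the canonical ACL denies write while the reordered one grants it. Both are evaluated without error; only the outcome depends on the order.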