Mail Archives: cygwin/2022/01/12/04:36:07

Date: Wed, 12 Jan 2022 10:33:59 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Duplicate ACLs? - Can't copy file even with Admin permissions

On Jan 10 14:46, Corinna Vinschen wrote:
> On Jan 10 11:07, Corinna Vinschen wrote:
> > On Jan  7 15:56, cyg DOT  DOT  DOT  AT kosowsky DOT org wrote:
> > > > Corinna Vinschen wrote:
> > > > On Jan  6 16:11, cyg DOT  DOT  DOT  AT kosowsky DOT org wrote:
> > > > It is.  I realized belatedly, that 3da9e136.acl is apparently a
> > > > directory, not a file.
> > > 
> > > It's actually a file...
> > 
> > This is weird.  The meanings of the OI and CI markers are "Object
> > inheritance" and "Container inheritance".  These bits only make sense
> > for directories and they control how ACEs are inherited by child objects
> > (files) and child containers (subdirs).
> > [...]
> > I'll have a look into the sources later, but I sure would prefer if
> > I could create such a file locally.
> 
> I tried to create a file with equivalent ACL including the inheritance
> flags on W7, W10 and W11, but to no avail.

Success!  I hacked a Q&D application which opens a file, reads its
security descriptor (SD) and just adds the object and container inherit
flags to all its DACL's ACEs and writes the SD back.  Although Windows
tools and some of the security functions under the hood don't allow
adding inherit flags to files, some functions just write the SD verbatim
without checking.

So I was finally able to reproduce your issue:

  $ ./hackup acltest
  $ icacls acltest
  acltest NT AUTHORITY\SYSTEM:(OI)(CI)(F)
          Everyone:(OI)(CI)(RX)
          BUILTIN\Administrators:(OI)(CI)(F)

  Successfully processed 1 files; Failed processing 0 files
  $ getfacl acltest
  # file: acltest
  # owner: Administrators
  # group: SYSTEM
  user::rwx
  group::rwx
  other::r-x
  user::rwx
  group::rwx
  group:SYSTEM:rwx
  mask::rwx
  other::r-x

The Cygwin DLL reads the DACL and converts it to a POSIX ACL.  An ACE
with inherit flags set is converted to a POSIX access ACE and
additionally to a POSIX default ACE.  The latter is done independently
of the file type.  The calling function (still in Cygwin) doesn't expect
default ACEs for files and treats them as access ACEs.  That's what
you see in the getfacl output above.

I fixed this in Cygwin by ignoring inheritance flags unless the object
is a directory, so the core function in Cygwin only creates default
ACEs for directories.  The result when calling getfacl on such a file
is thus:

  $ getfacl acltest
  # file: acltest
  # owner: Administrators
  # group: SYSTEM
  user::rwx
  group::rwx
  other::r-x

I uploaded a developer snapshot to https://cygwin.com/snapshots
Please give it a try.


Corinna

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
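
A simplified model of the conversion described in the message above, added here as an illustration and not taken from the Cygwin sources. The struct and function names are hypothetical, the flag values are the ones from winnt.h, and the sample DACL is constructed from the icacls output in the message.

```c
#include <stdio.h>
/* Inheritance flag values from winnt.h, repeated so this builds anywhere. */
#define OBJECT_INHERIT_ACE    0x1u   /* icacls shows (OI) */
#define CONTAINER_INHERIT_ACE 0x2u   /* icacls shows (CI) */
#define INHERIT_MASK (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE)
/* Hypothetical, simplified types for illustration (not Cygwin's structures). */
struct win_ace   { const char *trustee; unsigned flags; const char *perms; };
struct posix_ent { int is_default; const char *who; const char *perms; };

/* Constructed sample: the file DACL from the icacls output in the message. */
static const struct win_ace sample_dacl[3] = {
    { "NT AUTHORITY\\SYSTEM",    INHERIT_MASK, "rwx" },
    { "Everyone",                INHERIT_MASK, "r-x" },
    { "BUILTIN\\Administrators", INHERIT_MASK, "rwx" },
};

/* Audit check: does a non-directory carry OI/CI flags on any ACE? */
int stray_inherit_flags(const struct win_ace *dacl, int n, int is_dir)
{
    for (int i = 0; !is_dir && i < n; i++)
        if (dacl[i].flags & INHERIT_MASK) return 1;
    return 0;
}

/* Convert a DACL into POSIX-style entries (out must hold 2*n); returns the number
   of default entries. gate_on_dir=1 ignores inheritance flags unless is_dir is set. */
int convert(const struct win_ace *dacl, int n, int is_dir,
            int gate_on_dir, struct posix_ent *out, int *count)
{
    int defaults = 0;
    *count = 0;
    for (int i = 0; i < n; i++) {
        unsigned inherit = (gate_on_dir && !is_dir) ? 0 : (dacl[i].flags & INHERIT_MASK);
        out[(*count)++] = (struct posix_ent){ 0, dacl[i].trustee, dacl[i].perms };
        if (inherit) {     /* inheritable ACE also yields a default entry */
            out[(*count)++] = (struct posix_ent){ 1, dacl[i].trustee, dacl[i].perms };
            defaults++;
        }
    }
    return defaults;
}

int main(void)
{
    struct posix_ent out[6];
    int n, before = convert(sample_dacl, 3, 0, 0, out, &n);
    int after = convert(sample_dacl, 3, 0, 1, out, &n);
    printf("default entries on the file: %d before the fix, %d after\n", before, after);
    return 0;
}
```

The model emits one default entry per inheritable ACE; the real conversion also synthesizes entries such as mask, which is why the getfacl listing in the message has more lines than this model produces.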
