| Subject: | Re: Cygwin API to atomically create a new file with an ACL? |
| To: | cygwin AT cygwin DOT com |
| References: | <CA+1jF5q8VmGAiUyrQQ1dLa_0KLByfsFLtic86kr61HTTFAm9oA AT mail DOT gmail DOT com> |
| <0a1391ac-adba-4420-b581-ccdb3842109a AT towo DOT net> | |
| <CA+1jF5r47SbFZHk4rp0z8K0ezGhrZpaVUu6pKMb=4VJnYQ0vcg AT mail DOT gmail DOT com> | |
| <d21b4aa3-3915-439e-9a07-2cb169ddf2ab AT towo DOT net> | |
| <1fb9eb10-983a-43da-b523-06f6ede14436 AT towo DOT net> | |
| Organization: | WiseMo A/S |
| Message-ID: | <97089a3f-a4a7-fd51-f6d3-96b694a4f080@wisemo.com> |
| Date: | Wed, 19 Nov 2025 05:48:57 +0100 |
| From: | Jakob Bohm via Cygwin <cygwin AT cygwin DOT com> |
| Reply-To: | Jakob Bohm <jb-cygwin AT wisemo DOT com> |
On 16/11/2025 10:45, Thomas Wolff via Cygwin wrote:
>
> On 16.11.2025 at 02:40, Thomas Wolff via Cygwin wrote:
>> On 15.11.2025 at 19:05, Aurélien Couderc via Cygwin wrote:
>>> On Sat, Nov 15, 2025 at 3:43 PM Thomas Wolff via Cygwin
>>> <cygwin AT cygwin DOT com> wrote:
>>>>
>>>> On 15.11.2025 at 13:58, Aurélien Couderc via Cygwin wrote:
>>>>> Does Cygwin have an API to atomically create a new file with an ACL?
>>>>>
>>>>> Aurélien
>>>> I don't think there's such an API in POSIX. Instead it's the purpose of
>>>> the directory default ACL entries to support this.
>>>> While the manual pages of setfacl/getfacl are lousy, a fairly lucid
>>>> description is in 7.6. POSIX Access Control Lists | Administration Guide
>>>> | Red Hat Gluster Storage | 3 | Red Hat Documentation
>>>> <https://docs.redhat.com/en/documentation/red_hat_gluster_storage/3/html/administration_guide/sect-posix_access_control_lists>.
>>>>
>>> That does not help. There are valid use cases, where this becomes
>>> security relevant due to race conditions between file creation and
>>> setting of the ACLs.
>>>
>>> That's why all mainframe operating systems (and Windows WinNT as VMS
>>> descendant) which support ACLs also support file creation with ACLs as
>>> an argument.
>>>
>>> Aurélien
>> The directory default ACL is like an implicit argument. I do not see
>> a race condition as my assumption is that the new file is equipped
>> with the inherited ACL in an atomic creation instance, although I do
>> not find this specified. Maybe someone has a more specific clue.
> There is also manual page acl(5) but it's missing in cygwin:
> acl(5): Access Control Lists - Linux man page
> <https://linux.die.net/man/5/acl>
> Another good description is
> Access control lists in Linux | Security and Hardening Guide | SLES 15 SP7
> <https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-security-acls.html>
>

For the traditional UNIX/POSIX permission system, there is the passing of
a mode bitmask to creat(2/3P). So this is all about extending that
concept to the wider ACL system (and in the case of cygwin, to some
POSIX-acl-like honest representation of NT file ACLs).

The obvious Cygwin-specific workaround is to invoke the Win32 CreateFile()
API directly, followed by somehow mapping the Win32 file handle to a
Cygwin file handle, however this latter operation is not easy to find due
to the wholesale use of generic POSIX man pages without even linking to
the Cygwin specifics of each call or call family, except for a meaningless
disclaimer at the top of each page.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
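Added example, not part of the original message or of Cygwin's code: the mode-bitmask precedent mentioned above, in C, contrasting a file created with its final permissions as an argument of the creating call against one created first and restricted afterwards. It covers POSIX mode bits only, not ACLs; the temp paths, umask 022 and mode 0600 are constructed for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits currently visible on fd, or -1 on error. */
static int visible_mode(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Atomic: the mode is an argument of the creating call, so the file never
 * exists with wider permissions. O_EXCL refuses a pre-existing name. */
int create_with_mode(const char *path, mode_t mode, int *seen) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd >= 0) *seen = visible_mode(fd);
    return fd;
}

/* Two-step: create with default permissions, then restrict. *seen records
 * what any other process could observe between the two calls. */
int create_then_restrict(const char *path, mode_t mode, int *seen) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd < 0) return -1;
    *seen = visible_mode(fd);
    if (fchmod(fd, mode) != 0) { close(fd); unlink(path); return -1; }
    return fd;
}

/* Runs both variants on constructed temp paths under umask 022.
 * Returns 0 on success and reports the mode seen right after creation. */
int demo(int *atomic_seen, int *two_step_seen) {
    char a[64], b[64];
    snprintf(a, sizeof a, "/tmp/acl_demo_atomic_%ld", (long)getpid());
    snprintf(b, sizeof b, "/tmp/acl_demo_twostep_%ld", (long)getpid());
    mode_t old = umask(022);
    int fa = create_with_mode(a, 0600, atomic_seen);
    int fb = create_then_restrict(b, 0600, two_step_seen);
    umask(old);
    if (fa >= 0) { close(fa); unlink(a); }
    if (fb >= 0) { close(fb); unlink(b); }
    return (fa >= 0 && fb >= 0) ? 0 : -1;
}

int main(void) {
    int s1 = -1, s2 = -1;
    if (demo(&s1, &s2) != 0) return 1;
    printf("atomic: %04o  two-step window: %04o\n", s1, s2);
    return 0;
}
```
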