Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Date: Thu, 12 Feb 2015 12:10:58 +0100
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: group permissions
Message-ID: <20150212111058.GU7818@calimero.vinschen.de>
Reply-To: cygwin@cygwin.com
References: <54D7EB4E.6020105@towo.net> <20150209091445.GA10457@calimero.vinschen.de> <54D91687.8090301@towo.net> <20150210092122.GA15989@calimero.vinschen.de> <54DBBB52.8070002@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;	protocol="application/pgp-signature"; boundary="n83H03bbH672hrlY"
Content-Disposition: inline
In-Reply-To: <54DBBB52.8070002@redhat.com>
User-Agent: Mutt/1.5.23 (2014-03-12)

--n83H03bbH672hrlY
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Feb 11 13:28, Eric Blake wrote:
> On 02/10/2015 02:21 AM, Corinna Vinschen wrote:
> > o The other way to emulate writing an ACL_MASK entry would be to drop
> >   permissions from all groups and secondary users so they match the
> >   desired mask value.  This is secure, but in contrast to the other
> >   solution it would change the secondary permissions permanently.
> >   Changing the mask back would not change the permissions of the
> >   secondary ACL entries back.
>
> Possible enhancement on this idea (I have no clue if it would actually
> work, though):
>
> When rewriting ACE entries because of the just-added restrictive
> ACL_MASK, put in some marker that mimics the default deny-all action,
> then additional entries in the tail of the ACE list that shows the
> pre-modified permissions that we just took away due to the mask.  If we
> later loosen the mask, we can use the tail of entries to restore
> original permissions.  And since the tail occurs after a catch-all deny,
> they won't grant permissions in the meantime.  The trick then becomes
> telling when we have stuck our marker in place to represent that we have
> injected tail entries to reflect the state to restore if ACL_MASK is
> relaxed.

I see what you're up to.  Right now I'm just a bit side-tracked because
I had an inspiration how it should be possible to avoid the reported
"slow startup" problem due to slow LDAP connections to the DC.  After
that I'll return to the matter and peruse your idea.

In the meantime I also realized that the way Cygwin reads and creates
the file ACLs in two different sets of functions (one for stat/chmod,
the other for acl(GETACL)/acl(SETACL)) is a rather bad idea.

I think I'll take the opportunity to revamp the ACL handling completely
to unify the calls into a single implementation with consistent results.
Ideally the result is more POSIXy than today.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

--n83H03bbH672hrlY--
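
The marker-and-tail idea quoted in the message above, as a toy model added here for illustration; it is not Cygwin code and not from either poster. It assumes an ACL holding only secondary allow entries, ordered evaluation in which the first matching ACE decides each requested bit, and hypothetical names throughout (`set_mask`, `marker_pos`, `"*"` standing in for the Everyone SID).

```c
#include <stddef.h>
#include <string.h>

enum { ALLOW, DENY };
enum { R = 4, W = 2, X = 1 };
#define EVERYONE "*"   /* constructed stand-in for the Everyone SID */
#define MAX_ACES 16

struct ace { int type; const char *sid; int perms; };
struct acl { struct ace e[MAX_ACES]; size_t n; };

/* Index of the deny-all marker, or a->n when no mask has been applied. */
static size_t marker_pos(const struct acl *a) {
    for (size_t i = 0; i < a->n; i++)
        if (a->e[i].type == DENY && !strcmp(a->e[i].sid, EVERYONE)
            && a->e[i].perms == (R | W | X))
            return i;
    return a->n;
}

/* Ordered check: stop once everything wanted is granted or a bit is denied. */
int access_check(const struct acl *a, const char *sid, int want) {
    int granted = 0;
    for (size_t i = 0; i < a->n && (granted & want) != want; i++) {
        const struct ace *e = &a->e[i];
        if (strcmp(e->sid, sid) && strcmp(e->sid, EVERYONE)) continue;
        if (e->type == DENY) { if (e->perms & want & ~granted) return 0; }
        else granted |= e->perms;
    }
    return (granted & want) == want;
}

/* Set or change the mask. Live entries become (original & mask); the
   originals are kept after the marker, where they can never grant access. */
int set_mask(struct acl *a, int mask) {
    size_t m = marker_pos(a), live = m;
    if (m == a->n) {                         /* first mask on this ACL */
        if (2 * live + 1 > MAX_ACES) return -1;
        a->e[a->n++] = (struct ace){ DENY, EVERYONE, R | W | X };
        for (size_t i = 0; i < live; i++) a->e[a->n++] = a->e[i];
    }
    for (size_t i = 0; i < live; i++)        /* original of entry i: m+1+i */
        a->e[i].perms = a->e[m + 1 + i].perms & mask;
    return 0;
}

/* Constructed sample ACL: two named users. */
struct acl sample_acl(void) {
    return (struct acl){ { { ALLOW, "alice", R | W }, { ALLOW, "bob", R | W | X } }, 2 };
}
```

In this model the marker is recognized purely by its shape (deny-all for Everyone), which is the detection problem the quoted text calls "the trick"; a real ACL could contain such an ACE for unrelated reasons.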
