Message-ID: <3B329608.7010709@ece.gatech.edu>
Date: Thu, 21 Jun 2001 20:49:12 -0400
From: "Charles S. Wilson"
To: Corinna Vinschen
Subject: Re: ssh private key permissions
References: <3B311D93 DOT 20902 AT ece DOT gatech DOT edu> <20010622002754 DOT D1830 AT cobold DOT toronto DOT redhat DOT com>

Corinna Vinschen wrote:

> On Wed, Jun 20, 2001 at 06:02:59PM -0400, Charles S. Wilson wrote:
>
>>How do you use setfacl to set the correct permission properties on the
>>hostkey files (regardless of whatever ACL's were previously applied)?
>>
>
> The setfacl and getfacl commands as well as the corresponding API
> are implemented according to the SUN Solaris documentation. Since
> I don't know if SUN wants me to take their man pages, I just
> pointed to the man pages on http://docs.sun.com when I implemented
> that stuff. This is still valid.
>
> So you can find the man pages on http://docs.sun.com. Just search
> for `setfacl'.

Hmm... given the following file:

$ getfacl foo
# file: foo
# owner: 500
# group: 544
user::rw-
user:1002:r-x
group::rw-
group:545:r-x
group:1000:r-x
mask::rw-
other::rw-

I tried the following command (as Administrator=500, who's in group 545
and 500.545 owns the file)

$ setfacl -s user::rw-,group::---,other::---,mask::--- foo
setfacl: missing entries.

$ setfacl -d group:1000 foo
$ setfacl -d group:545 foo
$ setfacl -d user:1002 foo
$ getfacl foo
# file: foo
# owner: 500
# group: 544
user::rw-
group::rw-
mask::rw-
other::rw-

Okay, after removing the extra stuff by hand, try again:

$ setfacl -s user::rw-,group::---,other::---,mask::--- foo
setfacl: missing entries.

Aarrgh. Okay, try it piecemeal:

$ setfacl -m user::rwx
$ setfacl -m group::---
$ setfacl -m other::---
setfacl: illegal acl entries
$ setfacl -m mask::---
setfacl: illegal acl entries
$ getfacl foo
~ > getfacl foo
# file: foo
# owner: 500
# group: 544
user::rw-
group::rw-
mask::rw-
other::rwx

!!!! the user:: perms were applied to other::, and the group perms
didn't take effect. (And, of course, the other:: and mask:: perms
commands failed)

What gives? I do NOT understand ACLs.

--Chuck
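
As an added illustration (not part of the original message and not Cygwin's code), the following Python sketch parses the getfacl output format shown in the message and lists every entry that still grants access to anyone other than the file owner, which is what matters for a private key file. It assumes Solaris-style semantics, where mask:: limits named users and all group entries but not other::; the function names and the sample text are constructed for this example.

```python
# Constructed sample: the first getfacl listing from the message above.
SAMPLE_ACL = """\
# file: foo
# owner: 500
# group: 544
user::rw-
user:1002:r-x
group::rw-
group:545:r-x
group:1000:r-x
mask::rw-
other::rw-
"""

def parse_getfacl(text):
    """Return (meta, entries); entries are (tag, qualifier, perms) tuples."""
    meta, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):              # "# owner: 500" style header
            key, _, value = line[1:].partition(":")
            meta[key.strip()] = value.strip()
            continue
        if line.startswith("default"):        # directory defaults: not handled here
            continue
        line = line.split("#", 1)[0].strip()  # drop a trailing "#effective:" note
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perms))
    return meta, entries

def effective(perms, mask):
    """Permission bits that survive the mask, e.g. r-x under rw- gives r--."""
    return "".join(p if p != "-" and m != "-" else "-" for p, m in zip(perms, mask))

def non_owner_access(text):
    """List (entry, effective perms) for every non-owner entry granting access."""
    _, entries = parse_getfacl(text)
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    findings = []
    for tag, qualifier, perms in entries:
        if tag == "mask" or (tag == "user" and qualifier == ""):
            continue                          # the owner entry and the mask itself
        # Assumption: the mask applies to named users and groups, not to other::
        eff = perms if tag == "other" else effective(perms, mask)
        if eff != "---":
            findings.append((f"{tag}:{qualifier}", eff))
    return findings

if __name__ == "__main__":
    for entry, eff in non_owner_access(SAMPLE_ACL):
        print(f"{entry} still has {eff}")
```

An empty result means only the owner entry grants access, which is the state the `setfacl -s user::rw-,group::---,other::---,mask::---` attempt in the message was aiming for.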