Date: Sat, 12 Apr 2003 09:39:01 -0400
From: "Pierre A. Humblet"
To: cygwin AT cygwin DOT com
Subject: Re: File/Directory Permissions and Security
Message-ID: <20030412133901.GA35123357@hpn5170x>

On Sat, Apr 12, 2003 at 01:20:08AM -0400, L. Li wrote:
> Hi,
>
> I'm a Cygwin and Unix newbie (kinda anyway - it's my first time
> administrating). I recently set up an openSSH server on my box via Cygwin
> and I'm trying to set up proper file/directory permissions. I called a
> recursive chmod so that only the owners of each object can write, while all
> others can only read and execute.
>
> After doing this, I went to verify that this was the case and logged in
> under a user that was not the owner of anything but his home directory. The
> home directory permissions worked great. Only he had write access. However,
> outside of that, he could write to any directory he wanted to (except for
> the root C and D hard drives - don't know why). I'm wondering what I have to
> do to revoke write access to directories once I've ssh'ed into my box. Once
> I can get this basic policy up, I'll tamper with more specific permissions
> on a per object basis. But right now I can't seem to get this working.

Access is controlled by ACLs that may have more entries than just for
owner, group and everyone. "ls -l" displays a "+" when this is the case.
You can observe the acl with "getfacl" or "cacls".
chmod does not affect the permissions of the extraneous groups, but you
can change or remove them with "setfacl" or the Windows security GUI.
If you use setfacl on a directory, I highly recommend that you specify
default permissions for owner, group and everyone. Otherwise files created
by non-cygwin applications may have unexpected permissions.

Pierre
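Added example, not part of the original message: a small audit over getfacl-style text that lists the named user/group entries a recursive chmod leaves untouched and reports which default entries (owner, group, everyone) a directory lacks. The sample ACL, the path and the names in it are constructed, and the entry layout (`type:name:perms`, with `default:` prefixes) is an assumption about the getfacl output being checked.

```shell
#!/bin/sh
# Constructed sample shaped like getfacl output for a directory (not real data).
sample_acl() {
cat <<'EOF'
# file: /srv/data
# owner: alice
# group: staff
user::rwx
group::r-x
group:Users:rwx
user:bob:rw-
mask:rwx
other:r-x
default:user::rwx
default:group::r-x
EOF
}

# Named user/group access entries that grant write; chmod does not change these.
extra_writers() {
  awk -F: '
    /^#/ { next }
    ($1 == "user" || $1 == "group") && NF >= 3 && $2 != "" && substr($3, 1, 3) ~ /w/ {
      print $1 ":" $2
    }'
}

# Default entries for owner, group and everyone that the directory lacks.
missing_defaults() {
  awk -F: '
    $1 == "default" && $2 == "user"  && $3 == "" { u = 1 }
    $1 == "default" && $2 == "group" && $3 == "" { g = 1 }
    $1 == "default" && $2 == "other"             { o = 1 }
    END {
      if (!u) print "default:user"
      if (!g) print "default:group"
      if (!o) print "default:other"
    }'
}

echo "Extra entries granting write:"; sample_acl | extra_writers
echo "Missing default entries:";      sample_acl | missing_defaults
```

On a real directory, pipe the output of getfacl into the two functions instead of `sample_acl`; entries printed by `extra_writers` are the ones to change or remove with setfacl.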