From: Barry Kelly
To: Cygwin Mailing List
Subject: Cygwin Everyone group permissions and Vista "shared files" (*not* shared folders)
Date: Tue, 09 Sep 2008 07:47:42 +0100
Message-ID: <5e4cc4153gf115hcpi4ilk2s787klg6sra@4ax.com>

Cygwin, by default, tries to implement POSIX permissions using the NT ACL system - fairly well described here:

http://cygwin.com/cygwin-ug-net/ntsec.html

The way this feature is implemented interacts poorly with Vista, however. A previous mailing (with reply) on this list that tried to describe this issue is here:

http://www.mail-archive.com/cygwin AT cygwin DOT com/msg83783.html

Reply:

http://www.mail-archive.com/cygwin AT cygwin DOT com/msg83794.html

The Vista feature in question is "Shared Files", which is *not* the same thing as a network share. Rather, it describes files which are shared between *different* users of the *same* computer, rather than different users in a network environment.

Vista comes with a saved search that tries to show all such "Shared Files" in your profile directory, recursively; i.e. files that you would reasonably expect to own, but are letting other users of the same computer access. The saved search is located here:

    C:\Users\\Searches\Shared By Me.search-ms

The way it appears to work is by looking for files and directories which have access-allowed access control entries (ACEs) for the groups Users or Everyone.

Unfortunately, Cygwin creates an ACE for the group Everyone, even with umask 0077, or after chmod 0700 is applied. Specifically, this is what it looks like using cacls:

    Everyone:(special access:)
             READ_CONTROL
             FILE_READ_EA
             FILE_READ_ATTRIBUTES

How can addition of this ACE be controlled or prevented by default for Cygwin applications?

Thanks,

-- Barry

--
http://barrkel.blogspot.com/
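
An audit sketch for the mismatch described in the message above, added here as an example and not part of the original post or of Cygwin: it parses a cacls-style listing, finds ACEs for Everyone or Users (the condition the saved search appears to match), and reports whether each one grants anything beyond metadata reads. The sample listing, the `PC\barry` account and the function names are constructed; the access-mask values are the standard Windows constants.

```python
import re

# Windows access-mask bits for file objects (winnt.h values).
RIGHTS = {
    "FILE_READ_DATA": 0x0001, "FILE_WRITE_DATA": 0x0002,
    "FILE_APPEND_DATA": 0x0004, "FILE_READ_EA": 0x0008,
    "FILE_WRITE_EA": 0x0010, "FILE_EXECUTE": 0x0020,
    "FILE_READ_ATTRIBUTES": 0x0080, "FILE_WRITE_ATTRIBUTES": 0x0100,
    "DELETE": 0x10000, "READ_CONTROL": 0x20000,
    "WRITE_DAC": 0x40000, "WRITE_OWNER": 0x80000, "SYNCHRONIZE": 0x100000,
}
FILE_ALL_ACCESS = 0x1F01FF  # what cacls prints as "F"
# Rights that expose only the security descriptor, EAs and attributes.
METADATA_ONLY = (RIGHTS["READ_CONTROL"] | RIGHTS["FILE_READ_EA"]
                 | RIGHTS["FILE_READ_ATTRIBUTES"])
BROAD_GROUPS = {"everyone", "users", "builtin\\users"}

# Constructed sample, laid out like the cacls fragment quoted in the post.
SAMPLE = """\
PC\\barry:F
Everyone:(special access:)
         READ_CONTROL
         FILE_READ_EA
         FILE_READ_ATTRIBUTES
"""

def parse_cacls(text):
    """Return {trustee: access_mask} from a cacls-style listing."""
    aces, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(.+?):(F|\(special access:\))\s*$", line)
        if m:  # a new trustee entry starts here
            current = m.group(1)
            aces[current] = FILE_ALL_ACCESS if m.group(2) == "F" else 0
        elif current and line.strip() in RIGHTS:
            aces[current] |= RIGHTS[line.strip()]
    return aces

def audit(text):
    """List broad-group ACEs as (trustee, mask, grants_beyond_metadata)."""
    return [(t, m, bool(m & ~METADATA_ONLY))
            for t, m in parse_cacls(text).items()
            if t.lower() in BROAD_GROUPS]

if __name__ == "__main__":
    for trustee, mask, beyond in audit(SAMPLE):
        print(f"{trustee}: mask=0x{mask:06X} beyond metadata={beyond}")
```

On the sample, the Everyone entry is reported with mask 0x020088 and no rights beyond metadata, which is the case the post describes: the ACE is present for a broad group but grants no read, write or execute access to file data.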