X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Mon, 13 Oct 2008 17:48:33 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: ACL weirdness on Cygwin
Message-ID: <20081013154833.GN9289@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <48F010D0 DOT 3020101 AT byu DOT net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <48F010D0.3020101@byu.net>
User-Agent: Mutt/1.5.16 (2007-06-09)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Oct 10 20:34, Eric Blake wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I'm just as stumped as Bruno on this issue, and don't know if it
> represents a bug in cygwin1.dll.
> 
> - -------- Original Message --------
> [http://lists.gnu.org/archive/html/bug-gnulib/2008-10/msg00195.html]
> 
> The test-copy-acl.sh test fails for me on Cygwin.
> 
> There appears to be a weird interaction between setting a file mode (chmod)
> and setting an ACL. Although on this platform the ACL has entries that
> correspond to user/group/other, the mode is *not* part of the ACL for all
> files.
> 
> The test case showing that 'chmod' influences the ACL is this:
> 
> tmpfile4 is a regular file. One calls acl or facl on it with these entries:
>   (gdb) print entries[0]
>   $5 = {a_type = 1, a_id = 1006, a_perm = 6}
>   (gdb) print entries[1]
>   $6 = {a_type = 4, a_id = 513, a_perm = 0}
>   (gdb) print entries[2]
>   $7 = {a_type = 8, a_id = 0, a_perm = 1}
>   (gdb) print entries[3]
>   $8 = {a_type = 16, a_id = 4294967295, a_perm = 7}
>   (gdb) print entries[4]
>   $9 = {a_type = 32, a_id = 4294967295, a_perm = 4}
> 
> Then "getfacl tmpfile4" shows these entries:
>   user::rw-
>   group::---
>   group:root:--x
>   mask:rwx
>   other:r--
> Looks all right. Then do a chmod 604 on it. Then "getfacl tmpfile4" shows
> this:
>   user::rw-
>   group::r--
>   group:root:--x
>   mask:rwx
>   other:r--
> The "r--" for 'other' has been ORed to the permissions for 'group'!
> [...etc...]

The problem results from the fact that, in contrast to chmod, setfacl
does not create deny ACEs in case "other" and/or the group have more
rights than the group and/or the owner of the file.  I described the
basic problem of mapping POSIX permissions to Windows ACLs years ago in
http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping

setfacl doesn't create deny ACEs and, unfortunately, even removes them
when creating a new file ACL.  Yes, that needs reworking at one point.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/