X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-6.8 required=5.0	tests=AWL,BAYES_00,RCVD_IN_DNSWL_HI,SPF_HELO_PASS,TW_RW,T_RP_MATCHES_RCVD
X-Spam-Check-By: sourceware.org
Message-ID: <4CD43740.8030006@redhat.com>
Date: Fri, 05 Nov 2010 10:56:32 -0600
From: Eric Blake <eblake AT redhat DOT com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101027 Fedora/3.1.6-1.fc14 Mnenhy/0.8.3 Thunderbird/3.1.6
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: Executable bit check
References: <76B81B8B64B6254B98733990F38621DA6A0F AT sron-chi-exc05 DOT ronin DOT roncap DOT com> <4CD35A71 DOT 3030707 AT cygwin DOT com> <76B81B8B64B6254B98733990F38621DA6A13 AT sron-chi-exc05 DOT ronin DOT roncap DOT com>
In-Reply-To: <76B81B8B64B6254B98733990F38621DA6A13@sron-chi-exc05.ronin.roncap.com>
OpenPGP: url=http://people.redhat.com/eblake/eblake.gpg
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="------------enigE6A0353A075D3C2659247013"
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

--------------enigE6A0353A075D3C2659247013
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 11/05/2010 09:55 AM, Illia Bobyr wrote:
> On 11/4/2010 8:14 PM, Larry Hall (Cygwin) wrote:
>> [...]
>>>>> What does 'getfacl abc' say?
>>>>
>>>> $ getfacl abc
>>>> # file: abc
>>>> # owner: ibobyr
>>>> # group: Domain Users
>>>> user::rw-
>>>> group::r--
>>>> group:SYSTEM:rwx
>>>> group:Administrators:rwx
>>>> group:Users:r-x
>>>> mask:rwx
>>>> other:r--

And you probably also have inherited ACLs set on the directory
containing abc.  If you change the directory's ACLs to quit giving
inherited rights to all new files created in that directory, then new
files won't have ACLs that allow execution for SYSTEM, Administrators,
and Users, even when it does not allow execution for the owner, owning
group, or world.

>=20
> I wonder what is the behavior on any other system.  Is there anyone with=
=20
> a variant of Unix or Linix with ACLs set up to do the same test?

On Linux:

$ setfacl -m mask:rwx d/f
$ getfacl d/f
# file: d/f
# owner: eblake
# group: eblake
user::rw-
user:dummy:rwx
group::rw-
mask::rwx
other::r--

$ chmod -x d/f
$ getfacl d/f
# file: d/f
# owner: eblake
# group: eblake
user::rw-
user:dummy:rwx			#effective:rw-
group::rwx			#effective:rw-
mask::rw-
other::r--

Interestingly - that means that on Linux, chmod -x changed the mask
entry of the ACLs, such that the effective permissions for the alternate
user are no longer permitted; so even though user dummy has rwx ACLs,
the mask prevents the user from executing the file any more.

Cygwin does not emulate Linux in this regards at the moment, but now
that you have pointed out a simple test case, it may be possible to
patch cygwin1.dll to make the chmod() syscall affect the ACL mask as on
Linux.

> Maybe there is any de facto standard?

ACLs are tricky beasts.  At one point they were proposed for
standardization in POSIX (1003.1e draft 17), but that was withdrawn, so
there's no common document to point to when describing how they should
work.  There are at least 5 known variations of OS interfaces to acls
covered in the gnulib code that underlies coreutils' efforts to preserve
ACLs when using cp -p.  Cygwin's version borrowed more from Solaris'
heritage than Linux.

--=20
Eric Blake   eblake AT redhat DOT com    +1-801-349-2682
Libvirt virtualization library http://libvirt.org


--------------enigE6A0353A075D3C2659247013
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Public key at http://people.redhat.com/eblake/eblake.gpg
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iQEcBAEBCAAGBQJM1DdAAAoJEKeha0olJ0NqiKQH/1qMz3WS/n7RVP4GD+7T86AU
79jruXe8Ps0ZmEYLCqcoiBlLpSdftfAbpKBDENQAEVOh4B5fbl2LjVNZzeI7dJg0
EinrLFa58qu9WVBjZToa0EHbEokHBZsQZNt06TY+J7l6Tvb/DBqcgdrtah9J03VJ
IiOXdOfrd/dw0KO9TwOVBF1KyKU09IDV2mO+ourQeCqlFFvK8/eULJZIisNbQzfQ
lr48+8i8hS9xjfk0kyeI0Nl4IFOPAu1M2vGwNgxItbHlpSOmm26FSlP9XbLo7/Aq
FTE4gtVKYNYHBbbf2XK/NicXIu3AlaUaGMXHNDNTgqBYSHgubJGnqtiYvoWW28c=
=B0Jy
-----END PGP SIGNATURE-----

--------------enigE6A0353A075D3C2659247013--