To: cygwin AT cygwin DOT com
From: Kurt Franke
Subject: Re: Security Settings for directories created in Cygwin (+ executable bit on files)
Date: Tue, 12 Aug 2014 10:51:00 +0000 (UTC)
References: <86wqajxtm9 DOT fsf AT somewhere DOT org>

Sebastien Vauban writes:

> Currently, whenever I create new files from Windows 8 executables (such
> as Notepad),
> they're often flagged as "executable", even for text files!
>
> I've noticed that such a behavior happens when I create a new file in
> a directory that has been made FROM CYGWIN (`mkdir ~/test/', for
> example).
>
> Indeed, the permissions of CYGWIN-CREATED DIRECTORIES seem very weird:
>
> - "Inherited from"... "None"!
>
> - "All Users" having "Read & Execute" permission on "this folder,
>   subfolders and FILES"...
>
> IIUC, when creating a new file from Cygwin, the `umask' (022, in my
> case) is respected and new files are not executables then, except if
> I require it explicitly (via `chmod').
>
> Though, when creating a new file from a Windows executable, Windows
> inherits permissions from the folder where my file gets created --
> hence, an executable permission if the directory was created from
> Cygwin...
>
> How to correct that?
>
> Asking Cygwin to stop playing with the Windows ACL, by mounting my
> personal directories as "noacl"? Well, that means I won't be able to
> use `chmod' anymore, for setting a script file as "executable", then.
> And I'll have to use a Windows tool to do so, such as `cacls'.

...

Hello,

there is a possibility to get better permission settings on files created
by a Windows program inside a directory created by Cygwin.

You must create special ACEs on this directory, like in the following
example with German names used in one of my scripts:

    # German localized names of the well-known principals:
    #   ERSTELLER-BESITZER = CREATOR OWNER, ERSTELLERGRUPPE = CREATOR GROUP,
    #   Jeder = Everyone
    icacls "$dir" /remove ERSTELLER-BESITZER
    icacls "$dir" /grant 'ERSTELLER-BESITZER:(OI)(IO)(R,W,D,WDAC,WO)'
    icacls "$dir" /grant 'ERSTELLER-BESITZER:(CI)(IO)(F)'
    icacls "$dir" /remove ERSTELLERGRUPPE
    icacls "$dir" /grant 'ERSTELLERGRUPPE:(OI)(IO)(R,W)'
    icacls "$dir" /grant 'ERSTELLERGRUPPE:(CI)(IO)(RX,W,DC)'
    icacls "$dir" /remove Jeder
    icacls "$dir" /grant 'Jeder:(RX)'
    icacls "$dir" /grant 'Jeder:(OI)(IO)(R)'
    icacls "$dir" /grant 'Jeder:(CI)(IO)(RX)'

It creates different default ACEs for files and directories, and these will
be inherited correctly when using non-Cygwin Windows programs.
For directories the execute permission is inherited, but for files it is not
inherited. In Cygwin programs the umask is used, and executable flags are not
requested for files which are not executables, where the compiler will do this.
All works correctly in both Windows-only programs and Cygwin programs unless
creating a subdirectory by Cygwin - this will not inherit those special
default ACEs to apply only to directories or only to files, and thus this
behaviour is lost in a subdirectory created via Cygwin. On the other hand, in
Cygwin directory creation simple default ACEs which are to be applied on all
directories and files are inherited to subdirectories.

Thus personally I use those special ACEs on directories only in the SVN
(Windows program) tree created by checkout, to avoid execute permissions on
files. When creating a new directory there, which is generally done via
Cygwin, I add the listed ACEs via script.

To have those default ACEs of general use for integration of Cygwin and
Windows without always executing a script after creating a new directory in
Cygwin, it would be necessary to inherit those non-simple default ACEs in
Cygwin directory creation also, not only the simple ones. A drawback for this
may be the fact that the getfacl/setfacl utilities do not understand those
ACEs and thus don't show / don't set them.

regards

kf
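Added example, not part of the message above: a check that reads the text `icacls <dir>` prints and lists the principals for whom a file created by a Windows program would inherit execute, i.e. ACEs carrying (OI) together with an execute-bearing right. The two sample listings are constructed for illustration (English principal names, hypothetical path and account names); the first mimics simple default ACEs applying to both files and directories, the second mirrors the split file/directory layout from the message.

```python
import re

INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# icacls rights that include execute: simple F/M/RX, specific X/GE/GA
EXEC_RIGHTS = {"F", "M", "RX", "X", "GE", "GA"}

PATH = r"C:\cygwin64\home\user\test"   # hypothetical directory

# Constructed sample: simple default ACEs inherited by files and directories
BEFORE = r"""C:\cygwin64\home\user\test HOST\user:(F)
                           HOST\None:(RX)
                           Everyone:(RX)
                           CREATOR OWNER:(OI)(CI)(IO)(F)
                           CREATOR GROUP:(OI)(CI)(IO)(RX)
                           Everyone:(OI)(CI)(IO)(RX)
"""

# Constructed sample: separate file (OI) and directory (CI) default ACEs
AFTER = r"""C:\cygwin64\home\user\test HOST\user:(F)
                           CREATOR OWNER:(OI)(IO)(R,W,D,WDAC,WO)
                           CREATOR OWNER:(CI)(IO)(F)
                           CREATOR GROUP:(OI)(IO)(R,W)
                           CREATOR GROUP:(CI)(IO)(RX,W,DC)
                           Everyone:(RX)
                           Everyone:(OI)(IO)(R)
                           Everyone:(CI)(IO)(RX)
"""

def parse_aces(icacls_output, path):
    """Yield (principal, inheritance flags, rights) per ACE line."""
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.startswith(path):            # first line is "<path> <ACE>"
            line = line[len(path):].strip()
        m = re.match(r"^(.+?):((?:\([^)]*\))+)$", line)
        if not m:
            continue                          # blank line or status message
        groups = re.findall(r"\(([^)]*)\)", m.group(2))
        flags = {g for g in groups if g in INHERIT_FLAGS}
        rights = {r.strip() for g in groups if g not in INHERIT_FLAGS
                  for r in g.split(",")}
        yield m.group(1), flags, rights

def file_exec_inheritors(icacls_output, path):
    """Principals for whom a new file in `path` would inherit execute."""
    return [who for who, flags, rights in parse_aces(icacls_output, path)
            if "OI" in flags and "DENY" not in rights and rights & EXEC_RIGHTS]
```

An empty result means no object-inherit ACE on the directory hands execute to newly created files; directory-only (CI) ACEs with RX or F are deliberately ignored.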