X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:to:from:subject:date:message-id:references
	:mime-version:content-type:content-transfer-encoding; q=dns; s=
	default; b=lA099+7VnFet++vLM1r1hwLTGDyv4VYkHYjNx9ihRqETYcNTyZrhW
	tjkCfBnbmgr38tHN0c9WQUw6ii7+UnLeqbpSFGNGUwUOdAuslvNZHyRa/4eUY1iX
	hm3LoVSvdZpUGj+8jCHcHBRn5jTTWJs1DU1kgzjo8nnKrr5iM9UYqo=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:to:from:subject:date:message-id:references
	:mime-version:content-type:content-transfer-encoding; s=default;
	 bh=Oo4CF8B52c5EpSEjf5eQArD7gMk=; b=Yl+30eh/tpBFglmowCDLKRReP5sD
	2/GmzObS06Tuj/17JLU2/4bpcCA1ztLel5G7tJZCpXJLM851gCD+1snaMsfbZ9QW
	UoTOquRWDT5kERvRUuevXO9T6aIUzEEvlxMs6aFv4WMVXHIPdpMrPpfrohVs3TPP
	ntySgHdmrCTUr9U=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-2.7 required=5.0 tests=AWL,BAYES_00,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,RP_MATCHES_RCVD,SPF_HELO_PASS,SPF_PASS autolearn=ham version=3.3.2
X-HELO: plane.gmane.org
To: cygwin AT cygwin DOT com
From: Kurt Franke <Kurt-Franke AT web DOT de>
Subject: Re: Security Settings for directories created in Cygwin (+ executable bit on files)
Date: Tue, 12 Aug 2014 10:51:00 +0000 (UTC)
Lines: 92
Message-ID: <loom.20140812T122015-809@post.gmane.org>
References: <86wqajxtm9 DOT fsf AT somewhere DOT org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
User-Agent: Loom/3.14 (http://gmane.org/)
X-IsSubscribed: yes

Sebastien Vauban <sva-news@...> writes:

> Currently, whenever I create new files from Windows 8 executables (such
> as Notepad), they're often flagged as "executable", even for text files!
> 
> I've noticed that such a behavior happens when I create a new file in
> a directory that has been made FROM CYGWIN (`mkdir ~/test/', for
> example).
> 
> Indeed, the permissions of CYGWIN-CREATED DIRECTORIES seem very weird:
> 
> - "Inherited from"... "None"!
> 
> - "All Users" having "Read & Execute" permission on "this folder,
>   subfolders and FILES"...
> 
> IIUC, when creating a new file from Cygwin, the `umask' (022, in my
> case) is respected and new files are not executables then, except if
> I require it explicitly (via `chmod').
> 
> Though, when creating a new file from a Windows executable, Windows
> inherits permissions from the folder where my file gets created --
> hence, an executable permission if the directory was created from
> Cygwin...
> 
> How to correct that?
> 
> Asking Cygwin to stop playing with the Windows ACL, by mounting my
> personal directories as "noacl"?  Well, that means I won't be able to
> use `chmod' anymore, for setting a script file as "executable", then.
> And I'll have to use a Windows tool to do so, such as `cacls'.
...

Hello,

there is a possibility to get bettter permission settings on files created
by a windows program inside a directory created by cygwin.
you must create special ACE's on this directory like in the following
example with german names used in one of my scripts:

icacls "$dir" /remove ERSTELLER-BESITZER
icacls "$dir" /grant 'ERSTELLER-BESITZER:(OI)(IO)(R,W,D,WDAC,WO)'
icacls "$dir" /grant 'ERSTELLER-BESITZER:(CI)(IO)(F)'
icacls "$dir" /remove ERSTELLERGRUPPE
icacls "$dir" /grant 'ERSTELLERGRUPPE:(OI)(IO)(R,W)'
icacls "$dir" /grant 'ERSTELLERGRUPPE:(CI)(IO)(RX,W,DC)'
icacls "$dir" /remove Jeder
icacls "$dir" /grant 'Jeder:(RX)'
icacls "$dir" /grant 'Jeder:(OI)(IO)(R)'
icacls "$dir" /grant 'Jeder:(CI)(IO)(RX)'

It creates different Default ACE's for files an directories and these will
be inherited correctly when using non-cygwin-windows programs. For
dirctories the execute permission is inherited b ut for files it is not
inherited.

In cygwin-programs the umask is used and executable flags are not requested
for files which are not executables where the compiler wil do this.

All works correctly in both windows-only programs and cygwin programs unless
creating a subdirectory by cygwin - this will not inherit those special
default ACE's to apply only to directories or only to files and thus this
behaviour is lost in a subdirectory created via cygwin.

On the other hand, in cygwin directory creation simple default ACE's which
are to be applied on all directories and files are inhereted to subdirectories.

Thus personally I use those special ACE's on directories only in the SVN
(windows program) tree created by checkout to avoid execute permissions on
files. when creating a new directory there which is generally done via
cygwin I add the listed ACE's via script.

To have those DEFAULT ACE's of general use for integration of cygwin and
windows without always executing a script after creating a new directory in
cygwin it would be necessary to inherit those none-simple DEFAULT ACE's in
cygwin directory creation also, not onle the simple ones.
A drawback for this may be the fact the gefacl/setfacl utilities does not
understand those ACE's and thus  don't show / don't set  it.


regards

kf











--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple