Date: Tue, 12 Aug 2014 14:55:13 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: Security Settings for directories created in Cygwin (+ executable bit on files)
Message-ID: <20140812125513.GE21106@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
References: <86wqajxtm9 DOT fsf AT somewhere DOT org>

On Aug 12 10:51, Kurt Franke wrote:
> Sebastien Vauban writes:
> > [...]
> > Asking Cygwin to stop playing with the Windows ACL, by mounting my
> > personal directories as "noacl"? Well, that means I won't be able to
> > use `chmod' anymore, for setting a script file as "executable", then.
> > And I'll have to use a Windows tool to do so, such as `cacls'.
> ...
>
> Hello,
>
> there is a possibility to get better permission settings on files created
> by a windows program inside a directory created by cygwin.
> you must create special ACE's on this directory like in the following
> example with German names used in one of my scripts:
>
> icacls "$dir" /remove ERSTELLER-BESITZER
> icacls "$dir" /grant 'ERSTELLER-BESITZER:(OI)(IO)(R,W,D,WDAC,WO)'
> icacls "$dir" /grant 'ERSTELLER-BESITZER:(CI)(IO)(F)'

That's "CREATOR OWNER" in English systems.

> icacls "$dir" /remove ERSTELLERGRUPPE
> icacls "$dir" /grant 'ERSTELLERGRUPPE:(OI)(IO)(R,W)'
> icacls "$dir" /grant 'ERSTELLERGRUPPE:(CI)(IO)(RX,W,DC)'
> icacls "$dir" /remove Jeder
> icacls "$dir" /grant 'Jeder:(RX)'
> icacls "$dir" /grant 'Jeder:(OI)(IO)(R)'
> icacls "$dir" /grant 'Jeder:(CI)(IO)(RX)'

"CREATOR GROUP"

> It creates different Default ACE's for files and directories and these will
> be inherited correctly when using non-cygwin-windows programs. For
> directories the execute permission is inherited but for files it is not
> inherited.
> [...]
> To have those DEFAULT ACE's of general use for integration of cygwin and
> windows without always executing a script after creating a new directory in
> cygwin it would be necessary to inherit those non-simple DEFAULT ACE's in
> cygwin directory creation also, not only the simple ones.
> A drawback for this may be the fact the getfacl/setfacl utilities do not
> understand those ACE's and thus don't show / don't set it.

It complicates handling of default permissions in the acl system calls
a lot. You'd have to handle two CREATOR OWNER ACEs as a single
"default:user" entry. Same for "CREATOR GROUP". I'm not saying this
is impossible to implement, just that it's a good amount of work.

http://cygwin.com/acronyms/#PGA


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
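
An added example (not part of the original thread, and not Cygwin code): a small Python model of the icacls grant strings from the quoted script, reporting which rights the directory itself, a new file and a new subdirectory receive. The rwx mapping is a simplifying assumption; the output shows that the (OI) ACEs carry no execute right while the (CI) ACEs do, and that the creator principals each hold two inherit-only ACEs.

```python
import re

# Grant strings copied from the quoted script (German principal names).
GRANTS = [
    "ERSTELLER-BESITZER:(OI)(IO)(R,W,D,WDAC,WO)",
    "ERSTELLER-BESITZER:(CI)(IO)(F)",
    "ERSTELLERGRUPPE:(OI)(IO)(R,W)",
    "ERSTELLERGRUPPE:(CI)(IO)(RX,W,DC)",
    "Jeder:(RX)",
    "Jeder:(OI)(IO)(R)",
    "Jeder:(CI)(IO)(RX)",
]

# Assumed coarse rwx reading; D, WDAC, WO, DC have no rwx bit ("other").
RWX = {"F": "rwx", "M": "rwx", "RX": "rx", "R": "r", "W": "w", "X": "x"}

def parse_grant(spec):
    """Split 'Principal:(OI)(IO)(R,W)' into principal, flags, rights."""
    principal, _, rest = spec.partition(":")
    groups = re.findall(r"\(([^)]*)\)", rest)
    flags = set(groups[:-1])            # inheritance flags: OI, CI, IO
    rights = [r.strip() for r in groups[-1].split(",")]
    return principal, flags, rights

def applies_to(flags, target):
    """target: 'self' (the directory), or a new 'file' / 'dir' inside it."""
    if target == "self":
        return "IO" not in flags        # inherit-only ACEs skip the directory
    return ("OI" if target == "file" else "CI") in flags

def summarize(specs):
    """Return {principal: {target: (rwx string, sorted other rights)}}."""
    acc = {}
    for spec in specs:
        who, flags, rights = parse_grant(spec)
        entry = acc.setdefault(who, {})
        for target in ("self", "file", "dir"):
            if applies_to(flags, target):
                bits, other = entry.setdefault(target, (set(), set()))
                for right in rights:
                    if right in RWX:
                        bits.update(RWX[right])
                    else:
                        other.add(right)
    return {p: {t: ("".join(c if c in b else "-" for c in "rwx"), sorted(o))
            for t, (b, o) in ts.items()} for p, ts in acc.items()}

if __name__ == "__main__":
    print(summarize(GRANTS))
```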