Message-ID: <54D91687.8090301@towo.net>
Date: Mon, 09 Feb 2015 21:20:23 +0100
From: Thomas Wolff
To: cygwin AT cygwin DOT com
Subject: Re: group permissions
In-Reply-To: <20150209091445.GA10457@calimero.vinschen.de>

On 09.02.2015 at 10:14, Corinna Vinschen wrote:
> On Feb 9 00:03, Thomas Wolff wrote:
>> With 1.7.34-6:
>>> - the fixes in POSIX ACL handling and the effect this has on the standard
>>>   POSIX group permissions, as well as the accompanying new setfacl(1)
>>>   options -b/--remove-all and -k/--remove-default.
>>>
>>>   See https://cygwin.com/cygwin-ug-net/using-utils.html#setfacl
>>>   and https://cygwin.com/faq.faq.html#faq.using.ssh-pubkey-stops-working
>>>   and https://cygwin.com/faq.faq.html#faq.using.same-with-rhosts
>> Group permissions are now composed of multiple ACL entries, like:
>> -rw-rwx---+ 1 towo Domain Users 128 Feb 5 13:36 x
>> with ACL:
>> # file: x
>> # owner: towo
>> # group: Domain Users
>> user::rw-
>> group::r-x
>> group:SYSTEM:rwx
>> mask:rwx
>> other:---
>>
>> chmod g-wx does not work on x, only after setfacl -d group:SYSTEM x ,
>> the g-w bit is gone. This is surprising behaviour (and has been
>> discussed in a specific context in another thread); the explanation is
>> hidden in only roughly related sections of the user guide (setfacl) or
>> even the FAQ, and is not found in the section Permissions and Security
>> where one would look first; I suggest to add an illustrative section
>> there.
> Yes, sure, why not. Any idea for a patch?
>
>> However, I am not yet convinced that the explanation makes it less
>> surprising from a POSIX point of view because the file does not have
>> the group 'SYSTEM' which is responsible for the g+wx flags. Maybe ls
>> -l should display a more permissive group (in the example case SYSTEM
>> rather than Domain Users) to give the user a hint? How is this handled
>> on other ACL systems? (I can check next week.)
> ls shows the primary group of the file and that's not going to change.
> The hint that more permissions are given is the '+' sign appended to the
> permission bits.
I checked on an Ubuntu system where behaviour is more intuitive by some
functionality added by chmod; it implicitly modifies the “mask” entry to
achieve exactly the effect most likely to be desired by chmod (showing only
the group-relevant output lines of getfacl below):

Cygwin:
  > ls -l x; getfacl x
  -rw-r--r-- 1 me Domain Users 0 Feb 9 15:04 x
  group::r--
  > setfacl -m group:Users:rwx x
  > ls -l x; getfacl x
  -rw-rwxr--+ 1 me Domain Users 0 Feb 9 15:04 x
  group::r--
  group:Users:rwx
  mask:rwx
  > chmod g-wx x
  > ls -l x; getfacl x
  -rw-rwxr--+ 1 me Domain Users 0 Feb 9 15:04 x
  group::r--
  group:Users:rwx
  mask:rwx

Ubuntu:
  > ls -l x; getfacl x
  -rw-r--r-- 1 xubuntu xubuntu 0 Feb 9 15:04 x
  group::r--
  > setfacl -m group:adm:rwx x
  > ls -l x; getfacl x
  -rw-rwxr--+ 1 xubuntu xubuntu 0 Feb 9 15:04 x
  group::r--
  group:adm:rwx
  mask:rwx
  > chmod g-wx x
  > ls -l x; getfacl x
  -rw-r--r--+ 1 xubuntu xubuntu 0 Feb 9 15:04 x
  group::r--
  group:adm:rwx #effective:r--
  mask:r--

------
Thomas
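
Added example, not part of the original message and not Cygwin or Linux source code: a small Python model of the mask behaviour shown in the Ubuntu transcript above, plus a check for entries that still grant more than the group bits a chmod was meant to leave. The function names and the sample ACL (its user:: and other: lines are inferred from the ls output) are constructed for illustration.

```python
BITS = {"r": 4, "w": 2, "x": 1}

def to_bits(perm):
    return sum(BITS[c] for c in perm if c in BITS)

def parse_getfacl(text):
    """Parse getfacl-style lines into {(tag, qualifier): bits}."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drops headers and "#effective:"
        if not line:
            continue
        parts = line.split(":")                # accepts "mask:rwx" and "mask::rwx"
        qualifier = parts[1] if len(parts) == 3 else ""
        acl[(parts[0], qualifier)] = to_bits(parts[-1])
    return acl

def group_class_bits(acl):
    """Bits in the group column of ls -l: the mask if present, else group::."""
    return acl.get(("mask", ""), acl[("group", "")])

def chmod_group(acl, bits):
    """Group part of chmod as in the Ubuntu transcript: when a mask entry
    exists it is rewritten and group:: is left untouched."""
    new = dict(acl)
    key = ("mask", "") if ("mask", "") in new else ("group", "")
    new[key] = bits
    return new

def effective(acl):
    """Effective rights of group:: and all named entries: entry AND mask."""
    mask = acl.get(("mask", ""), 7)
    return {k: v & mask for k, v in acl.items()
            if k[0] == "group" or (k[0] == "user" and k[1])}

def exceeding(acl, wanted):
    """Entries whose effective rights go beyond the wanted group bits."""
    return sorted(k for k, v in effective(acl).items() if v & ~wanted)

# Constructed sample: state after `setfacl -m group:adm:rwx x`
SAMPLE = """\
# file: x
user::rw-
group::r--
group:adm:rwx
mask:rwx
other:r--
"""

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE)
    after = chmod_group(acl, group_class_bits(acl) & ~to_bits("wx"))  # chmod g-wx
    print("mask unchanged, still exceeding r--:", exceeding(acl, 4))
    print("mask lowered,   still exceeding r--:", exceeding(after, 4))
```

With the ACL left unchanged by chmod, as in the Cygwin transcript, the named group entry is reported as still holding w and x; with the mask lowered it is not.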