To: cygwin AT cygwin DOT com
From: Achim Gratz
Subject: Re: group permissions
Date: Tue, 10 Feb 2015 11:48:49 +0000 (UTC)

Corinna Vinschen writes:
> Here's the problem: Windows doesn't support an ACL_MASK entry, nor
> anything even remotely resembling it.

Right. And pretending that it does is doing more harm than good, IMHO.

> o The other way to emulate writing an ACL_MASK entry would be to drop
>   permissions from all groups and secondary users so they match the
>   desired mask value. This is secure, but in contrast to the other
>   solution it would change the secondary permissions permanently.
>   Changing the mask back would not change the permissions of the
>   secondary ACL entries back.

Please note that the typical user in a corporate environment has no
rights to do this on network shares and even if (s)he did, it would quite
often break things for other users and is certain to draw the ire of the
share administrators just as if you'd do the same thing via Windows' own
tools. So please do not do this by default, there are just too many
scripts that blindly use some chmod somewhere.

> o Cygwin could emulate the mask by adding an Access-denied ACE for the
>   authenticated user SID (S-1-5-11) right after the primary group entry.
>   The permissions in this ACE are the x'or value of the permissions
>   given in the mask. Such an ACL would basically look like this:

Same issue as above, except it would be more easily reversible.

If anybody feels really strongly about these issues, they can always mount
"noacl". We'll just have to live with how Windows implements ACL
otherwise.

Regards,
Achim
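
The reversibility difference between the two emulations quoted above, as an added example: a simplified Python model, not Cygwin code and not part of the original message. The entry names are constructed, and the model assumes only secondary entries matter, ignoring owner, primary group and Windows ACE ordering.

```python
# Simplified model of POSIX mask semantics versus the two emulations discussed
# in the thread. Assumption: permissions are plain rwx bits on secondary entries.
R, W, X = 4, 2, 1
FULL = R | W | X

# Constructed sample ACL: secondary user and group entries (hypothetical names).
SAMPLE = {"user:alice": R | W, "group:build": R | W | X}

def posix_effective(entries, mask):
    """POSIX: the mask caps entries at access time; stored bits are untouched."""
    return {who: perm & mask for who, perm in entries.items()}

class DropPermsEmulation:
    """Emulation 1: rewrite every secondary entry so it fits the mask."""
    def __init__(self, entries):
        self.entries = dict(entries)
    def set_mask(self, mask):
        for who in self.entries:
            self.entries[who] &= mask  # original bits are lost here
    def effective(self):
        return dict(self.entries)

class DenyAceEmulation:
    """Emulation 2: keep entries, add one deny entry holding FULL ^ mask."""
    def __init__(self, entries):
        self.entries = dict(entries)
        self.deny = 0
    def set_mask(self, mask):
        self.deny = FULL ^ mask  # the "x'or value" of the mask bits
    def effective(self):
        return {who: perm & ~self.deny & FULL
                for who, perm in self.entries.items()}

def roundtrip(entries, tight, loose):
    """Apply a tight mask, then a loose one, recording effective bits each time."""
    drop, deny = DropPermsEmulation(entries), DenyAceEmulation(entries)
    results = {}
    for label, mask in (("tight", tight), ("loose", loose)):
        drop.set_mask(mask)
        deny.set_mask(mask)
        results[label] = {"posix": posix_effective(entries, mask),
                          "drop": drop.effective(),
                          "deny_ace": deny.effective()}
    return results

if __name__ == "__main__":
    for label, row in roundtrip(SAMPLE, R, FULL).items():
        print(label, row)
```

All three agree while the tight mask is in place; after the mask is widened again, only the drop-permissions emulation fails to restore the original entries.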