Date: Tue, 10 Feb 2015 13:32:31 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: group permissions
Message-ID: <20150210123231.GC2866@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
References: <54D7EB4E DOT 6020105 AT towo DOT net> <20150209091445 DOT GA10457 AT calimero DOT vinschen DOT de> <54D91687 DOT 8090301 AT towo DOT net> <20150210092122 DOT GA15989 AT calimero DOT vinschen DOT de>

On Feb 10 11:48, Achim Gratz wrote:
> Corinna Vinschen cygwin.com> writes:
> > Here's the problem: Windows doesn't support an ACL_MASK entry, nor
> > anything even remotely resembling it.
>
> Right. And pretending that it does is doing more harm than good, IMHO.
>
> > o The other way to emulate writing an ACL_MASK entry would be to drop
> >   permissions from all groups and secondary users so they match the
> >   desired mask value. This is secure, but in contrast to the other
> >   solution it would change the secondary permissions permanently.
> >   Changing the mask back would not change the permissions of the
> >   secondary ACL entries back.
>
> Please note that the typical user in a corporate environment has no
> rights to do this on network shares and even if (s)he did, it would quite
> often break things for other users and is certain to draw the ire of the
> share administrators just as if you'd do the same thing via Windows' own
> tools. So please do not do this by default, there are just too many scripts
> that blindly use some chmod somewhere.
>
> > o Cygwin could emulate the mask by adding an Access-denied ACE for the
> >   authenticated user SID (S-1-5-11) right after the primary group entry.
> >   The permissions in this ACE are the x'or value of the permissions
> >   given in the mask. Such an ACL would basically look like this:
>
> Same issue as above, except it would be more easily reversible.

The permissions to change the ACL are not overly relevant here. The
reason is, if the user has no permissions to write the DACL, it won't be
able to chmod anyway. So, whatever we do to implement ACL_MASK, it's ok
even in a corp env, because the user apparently has the right to change
the DACL and thus it doesn't matter.

> If anybody feels really strongly about these issues, they can always mount
> "noacl". We'll just have to live with how Windows implements ACL otherwise.

True. Noacl mounts are the way to go in case of what you describe,
having no perms to write the DACL, even if the files are owned by the
user.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
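The two ACL_MASK emulation strategies quoted in this message (AND the mask into every secondary entry, versus one deny ACE for S-1-5-11 placed after the primary-group entry) and the reversibility difference between them, modelled in Python. This is an added example for the archive page, not Cygwin's code. The ACE order (owner, primary group, named users and groups, Everyone), every SID except the well-known S-1-5-11 and S-1-1-0, the per-right first-match evaluation, and the reading of "x'or value of the mask" as the rights the mask withholds are assumptions of the example.

```python
"""Toy model of the POSIX ACL_MASK entry and of the two Windows emulation
strategies discussed in the thread.  Constructed example, not Cygwin code."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

R, W, X = 4, 2, 1
RWX = R | W | X


def perms_str(p: int) -> str:
    """Render a 3-bit permission value as rwx."""
    return "".join(ch if p & bit else "-" for ch, bit in (("r", R), ("w", W), ("x", X)))


@dataclass
class PosixEntry:
    tag: str        # user_obj, user, group_obj, group, mask, other
    qualifier: str  # user or group name for named entries, "" otherwise
    perms: int


def posix_effective(acl: List[PosixEntry]) -> Dict[Tuple[str, str], int]:
    """POSIX.1e semantics: the mask caps every entry except owner and other."""
    mask = next((e.perms for e in acl if e.tag == "mask"), RWX)
    return {(e.tag, e.qualifier): (e.perms if e.tag in ("user_obj", "other") else e.perms & mask)
            for e in acl if e.tag != "mask"}


def mask_by_rewrite(acl: List[PosixEntry], mask: int) -> List[PosixEntry]:
    """Strategy 1 from the thread: AND the mask into every secondary entry.
    Bits dropped here are gone; raising the mask later cannot restore them."""
    out = []
    for e in acl:
        if e.tag == "mask":
            out.append(PosixEntry("mask", "", mask))
        elif e.tag in ("user_obj", "other"):
            out.append(e)
        else:
            out.append(PosixEntry(e.tag, e.qualifier, e.perms & mask))
    return out


@dataclass
class Ace:
    kind: str    # "allow" or "deny"
    sid: str
    rights: int  # rwx bits reused as stand-ins for Windows access rights


AUTHENTICATED_USERS = "S-1-5-11"  # well-known SID named in the thread
EVERYONE = "S-1-1-0"              # well-known SID
# Constructed SIDs (assumption) for the example's owner, primary group and named entries.
OWNER_SID, PRIMARY_GROUP_SID = "S-1-5-21-EXAMPLE-1001", "S-1-5-21-EXAMPLE-513"
NAMED_SIDS = {"bob": "S-1-5-21-EXAMPLE-1002", "staff": "S-1-5-21-EXAMPLE-2000"}


def posix_to_dacl(acl: List[PosixEntry]) -> List[Ace]:
    """Assumed ACE order: owner, primary group, named users/groups, Everyone."""
    by_tag = {e.tag: e for e in acl if e.tag in ("user_obj", "group_obj", "other")}
    dacl = [Ace("allow", OWNER_SID, by_tag["user_obj"].perms),
            Ace("allow", PRIMARY_GROUP_SID, by_tag["group_obj"].perms)]
    dacl += [Ace("allow", NAMED_SIDS[e.qualifier], e.perms)
             for e in acl if e.tag in ("user", "group")]
    dacl.append(Ace("allow", EVERYONE, by_tag["other"].perms))
    return dacl


def mask_by_deny_ace(dacl: List[Ace], mask: int) -> List[Ace]:
    """Strategy 2 from the thread: one deny ACE for Authenticated Users carrying
    the rights the mask withholds, right after the primary-group ACE.  Removing
    that ACE again restores the original rights."""
    deny = Ace("deny", AUTHENTICATED_USERS, RWX & ~mask)
    return dacl[:2] + [deny] + dacl[2:]


def windows_access(dacl: List[Ace], token_sids: Set[str], requested: int = RWX) -> int:
    """Simplified maximum-allowed walk: each requested right is settled by the
    first ACE whose SID is in the token, so ACE position decides deny vs allow."""
    granted = settled = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        hit = ace.rights & requested & ~settled
        if ace.kind == "allow":
            granted |= hit
        settled |= hit
    return granted


def token(*sids: str) -> Set[str]:
    """Every logged-on user also carries Authenticated Users and Everyone."""
    return set(sids) | {AUTHENTICATED_USERS, EVERYONE}


# Constructed ACL: owner rwx, bob rw-, primary group rw-, staff rwx, mask r--, other r--
ACL = [PosixEntry("user_obj", "", RWX), PosixEntry("user", "bob", R | W),
       PosixEntry("group_obj", "", R | W), PosixEntry("group", "staff", RWX),
       PosixEntry("mask", "", R), PosixEntry("other", "", R)]


def demo() -> Dict[str, str]:
    """What each strategy grants bob, and whether lowering the mask is reversible."""
    rewritten = mask_by_rewrite(mask_by_rewrite(ACL, R), RWX)  # mask r--, then back to rwx
    dacl = posix_to_dacl(ACL)
    masked = mask_by_deny_ace(dacl, R)
    bob = token(NAMED_SIDS["bob"])
    return {
        "posix_effective_bob": perms_str(posix_effective(ACL)[("user", "bob")]),
        "rewrite_then_unmask_bob": perms_str(posix_effective(rewritten)[("user", "bob")]),
        "deny_ace_bob": perms_str(windows_access(masked, bob)),
        "deny_ace_removed_bob": perms_str(windows_access(dacl, bob)),
        "deny_ace_primary_group_member": perms_str(windows_access(masked, token(PRIMARY_GROUP_SID))),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:32} {value}")
```

Running it shows the point of the thread: under the rewrite strategy bob's w bit is lost even after the mask goes back to rwx, whereas under the deny-ACE strategy bob gets r-- while the mask is in force and rw- again as soon as the ACE is removed. The model also makes the ordering caveat visible: a deny ACE only constrains ACEs that come after it, so with the assumed layout a member of the primary group still gets rw-. Whether a real Cygwin DACL behaves that way is something to verify on an actual file with getfacl and icacls rather than infer from this toy.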