Message-ID: <8c468e18fb38e4fd8e5a5eb5a80470d5.squirrel@webmail.xs4all.nl>
Date: Mon, 16 Feb 2015 14:21:37 +0100
Subject: setfacl: root of all evil?
From: "Houder"
To: cygwin AT cygwin DOT com

Hi Corinna,

Yes, sorry, setfacl again ...

Now, I am NOT an expert on Windows (I do not want to be), and I realize that I am in the company of experts on Windows (on Windows ACL) here, so it is inevitable that I will be out of my league below, and speak "erroneously" about Windows ACL.

Nevertheless, the reason for my post is that setfacl FAILS, where chmod SUCCEEDS ...

Over the years (XP) my "Posix" trees (Cygwin) looked like this:

@@ uname -a
CYGWIN_NT-6.1-WOW Seven 1.7.35(0.286/5/3) 2015-02-12 20:59 i686 Cygwin

@@ mkdir T
@@ icacls T                         @@ getfacl T          @@ ls -ld T
T Seven\Henri:(F)                   # file: T             drwxr-xr-x+ 1 Henri None 0 ... T
  Seven\None:(RX)                   # owner: Henri
  Everyone:(RX)                     # group: None
  CREATOR OWNER:(OI)(CI)(IO)(F)     user::rwx
  CREATOR GROUP:(OI)(CI)(IO)(RX)    group::r-x
  Everyone:(OI)(CI)(IO)(RX)         other:r-x
                                    default:user::rwx
                                    default:group::r-x
                                    default:other:r-x

@@ touch T/aap
@@ icacls T/aap                     @@ getfacl T/aap      @@ ls -l T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)   # file: T/aap         -rw-r--r-- 1 Henri None 0 ... T/aap
      Seven\None:(R)                # owner: Henri
      Everyone:(R)                  # group: None
                                    user::rw-
                                    group::r--
                                    other:r--

@@ chmod 755 T/aap
@@ icacls T/aap                     @@ getfacl T/aap      @@ ls -l T/aap
T/aap Seven\Henri:(M,WDAC,WO)       # file: T/aap         -rwxr-xr-x 1 Henri None 0 ... T/aap
      Seven\None:(RX)               # owner: Henri
      Everyone:(RX)                 # group: None
                                    user::rwx
                                    group::r-x
                                    other:r-x

This "standard" has served me well ... I did not have to fight with mkdir, chmod, etc ... And the occasional Windows generated file did not fall "out of tune" too much.

Moreover, after extraction of a .zip file in one of my "Posix" directories, it was fairly easy to reset the permissions of the extracted files (and directories), using setfacl.

Currently, using this procedure, setfacl fails ...

My investigation into the cause of this failure eventually led me to simple test cases in which setfacl fails, but where chmod succeeds.
(more details, if needed, in attached files)

Basically, setfacl removes "write attributes" from the file owner (where chmod does not).
(also: setfacl makes the creator owner lose rights -- in comparison to chmod)

RFC :-)

Henri

----- setfacl/file

@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ touch T/aap
@@ setfacl -s u::r--,g::r--,o:r-- T/aap
@@ setfacl -s u::rw-,g::r--,o:r-- T/aap
setfacl: Permission denied
@@ chmod 644 T/aap
chmod: changing permissions of ‘T/aap’: Permission denied
@@ touch T/aap
touch: cannot touch ‘T/aap’: Permission denied
@@ rm T/aap
/bin/rm: remove write-protected regular empty file ‘T/aap’? y
@@ ls -l T/aap
ls: cannot access T/aap: No such file or directory
@@

----- chmod/file

@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ touch T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@ chmod u-w T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,D,WDAC,WO,WA) # <==== Note: lost W, but got WA instead ... (setfacl fails here)
      Seven\None:(R)
      Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@ chmod u+w T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@ touch aap
@@

----- setfacl/directory

@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@ setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
setfacl: Permission denied
@@ chmod 755 T
chmod: changing permissions of ‘T’: Permission denied
@@ rmdir T
@@ ls -ld T
ls: cannot access T: No such file or directory

----- chmod/directory

@@ pwd
/drv/e
@@ mkdir T
@@ chmod u-w T
@@ icacls T
T Seven\Henri:(RX,D,WDAC,WO,WA) # <==== Note: lost W, but got WA instead ...
  (setfacl fails here)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@ chmod u+w T
@@ icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@

=====

[Attachment: run-setfacl-sucks-file.txt]

setfacl sucks ...

List of commands:
 - mkdir T
 - touch T/aap
 - setfacl -s u::r--,g::r--,o:r-- T/aap ## inadvertently removes "write attributes" from the file owner
 - setfacl -s u::rw-,g::r--,o:r-- T/aap # denied
 - chmod 644 T/aap # denied ... Euh? Why, why, why ?????
 - touch T/aap # denied
 - rm T/aap
 - ls -l T/aap

Summary: setfacl fails to reinstate 'write access' to file (in contrast to chmod)

Diagnostics: -- request for comments (RFC)
 - setfacl should NOT remove "write attributes" from the FILE OWNER (chmod does not)
 - chmod u-w ONLY
    - removes create file/write data
    - removes create folders/append data
    - removes write extended attributes
   from the FILE OWNER

Also applies to setfacl -b

@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ touch T/aap
@@ setfacl -s u::r--,g::r--,o:r-- T/aap
@@ setfacl -s u::rw-,g::r--,o:r-- T/aap
setfacl: Permission denied
@@ chmod 644 T/aap
chmod: changing permissions of ‘T/aap’: Permission denied
@@ touch T/aap
touch: cannot touch ‘T/aap’: Permission denied
@@ rm T/aap
/bin/rm: remove write-protected regular empty file ‘T/aap’?
y
@@ ls -l T/aap
ls: cannot access T/aap: No such file or directory
@@

-----

@@# pwd # bash ELEVATED
/drv/e
@@# mkdir T
@@# touch T/aap
@@# setfacl -s u::r--,g::r--,o:r-- T/aap
@@# icacls T/aap
T/aap Seven\Henri:(R,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@# setfacl -s u::rw-,g::r--,o:r-- T/aap
@@# icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@#

----- same sequence of commands, using icacls to diagnose

@@ pwd
/drv/e
@@ icacls .
. Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  Everyone:(OI)(CI)(IO)(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@ mkdir T
@@ icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@ touch T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@ setfacl -s u::r--,g::r--,o:r-- T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,D,WDAC,WO) # <==== Note: lost W, but failed to get WA instead (chmod does!)
      Seven\None:(R)
      Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@ setfacl -s u::rw-,g::r--,o:r-- T/aap
setfacl: Permission denied
@@ chmod 644 T/aap
chmod: changing permissions of ‘T/aap’: Permission denied
@@ touch T/aap
touch: cannot touch ‘T/aap’: Permission denied
@@ icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@ rm T/aap
/bin/rm: remove write-protected regular empty file ‘T/aap’?
y
@@ ls -l T/aap
ls: cannot access T/aap: No such file or directory
@@

----- same sequence of commands, but now using Helge Klein's SetACL to diagnose - https://helgeklein.com/setacl

@@ pwd
/drv/e
@@ hk-getfacl.sh .
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://.
DACL(protected):
  Seven\Henri read_execute+... 
SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T/aap
DACL(protected):
  Seven\Henri write+read+WRITE_OWNER+WRITE_DAC+DELETE allow no_inheritance
  Seven\None read allow no_inheritance
  Everyone read allow no_inheritance
SetACL finished successfully.
@@ setfacl -s u::r--,g::r--,o:r-- T/aap
@@ hk-getfacl.sh T/aap
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T/aap
DACL(protected):
  Seven\Henri read+WRITE_OWNER+WRITE_DAC+DELETE allow no_inheritance
  Seven\None read allow no_inheritance
  Everyone read allow no_inheritance
Note: Seven\Henri: lost write, but failed to get FILE_WRITE_ATTRIBUTES instead (chmod does!)
SetACL finished successfully.
@@ setfacl -s u::rw-,g::r--,o:r-- T/aap
setfacl: Permission denied
@@ chmod 644 T/aap
chmod: changing permissions of ‘T/aap’: Permission denied
@@ touch T/aap
touch: cannot touch ‘T/aap’: Permission denied
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T
DACL(protected):
  Seven\Henri full allow no_inheritance
  Seven\None read_execute allow no_inheritance
  Everyone read_execute allow no_inheritance
  CREATOR OWNER full allow container_inherit+object_inherit+inherit_only
  CREATOR GROUP read_execute allow container_inherit+object_inherit+inherit_only
  Everyone read_execute allow container_inherit+object_inherit+inherit_only
SetACL finished successfully.
@@ rm T/aap
/bin/rm: remove write-protected regular empty file ‘T/aap’? y
@@ ls -l T/aap
ls: cannot access T/aap: No such file or directory
@@

=====

[Attachment: run-chmod-rocks-file.txt]

chmod rocks!

List of commands:
 - mkdir T
 - touch T/aap
 - chmod u-w T/aap
 - chmod u+w T/aap
 - touch T/aap

Summary: chmod is able to remove 'write access', and reinstate it subsequently in contrast to setfacl

@@ pwd
/drv/e
@@ mkdir T
@@ touch T/aap
@@ chmod u-w T/aap
@@ chmod u+w T/aap
@@ touch T/aap

----- same sequence of commands

@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ touch T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@ chmod u-w T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,D,WDAC,WO,WA) # <==== Note: lost W, but got WA instead ... (setfacl fails here)
      Seven\None:(R)
      Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@ chmod u+w T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@ touch aap
@@

----- same sequence of commands, but now using Helge Klein's SetACL to diagnose - https://helgeklein.com/setacl

@@ pwd
/drv/e
@@ mkdir T
@@ touch T/aap
@@ hk-getfacl.sh T/aap
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T/aap
DACL(protected):
  Seven\Henri write+read+WRITE_OWNER+WRITE_DAC+DELETE allow no_inheritance
  Seven\None read allow no_inheritance
  Everyone read allow no_inheritance
SetACL finished successfully.
@@ chmod u-w T/aap
@@ hk-getfacl.sh T/aap
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T/aap
DACL(protected):
  Seven\Henri read+FILE_WRITE_ATTRIBUTES+WRITE_OWNER+WRITE_DAC+DELETE allow no_inheritance
  Seven\None read allow no_inheritance
  Everyone read allow no_inheritance
Note: Seven\Henri: lost write, but got FILE_WRITE_ATTRIBUTES instead ... (setfacl fails here)
SetACL finished successfully.
@@ chmod u+w T/aap
@@ hk-getfacl.sh T/aap
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T/aap
DACL(protected):
  Seven\Henri write+read+WRITE_OWNER+WRITE_DAC+DELETE allow no_inheritance
  Seven\None read allow no_inheritance
  Everyone read allow no_inheritance
SetACL finished successfully.
@@ touch T/aap
@@

=====

[Attachment: run-setfacl-sucks-directory.txt]

setfacl sucks ...

List of commands:
 - mkdir T
 - setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T ## inadvertently removes "write attributes" from the file owner
 - setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T # denied
 - chmod 755 T # denied ... Euh? What?
 - rmdir T
 - ls -ld T

Summary: setfacl fails to reinstate 'write access' to directory (in contrast to chmod)

Diagnostics: -- request for comments (RFC)
 - setfacl should NOT remove "write attributes" from the FILE OWNER (chmod does not)
 - chmod u-w ONLY
    - removes create files/ create folders
    - removes write data/ append data
    - removes write extended attributes
    - removes delete subfolders and files
   from the FILE OWNER
 - setfacl should ALSO NOT remove delete, change permissions take ownership from the CREATOR OWNER (chmod does not)

Also applies to setfacl -b (and setfacl -k for the file owner)

@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@ setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
setfacl: Permission denied
@@ chmod 755 T
chmod: changing permissions of ‘T’: Permission denied
@@ rmdir T
@@ ls -ld T
ls: cannot access T: No such file or directory

-----

@@# pwd # bash elevated
/drv/e
@@# mkdir T
@@# icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@# setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@# setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@# icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(RX,W,DC) # <=====
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@#

----- same sequence of commands, using icacls to diagnose

@@ pwd
/drv/e
@@ icacls .
. Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  Everyone:(OI)(CI)(IO)(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@ mkdir T
@@ icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@ setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@ icacls T
T Seven\Henri:(RX,D,WDAC,WO) # <==== Note: lost W, but failed to get WA instead (chmod does!)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(RX,W,DC)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@ setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
setfacl: Permission denied
@@

----- same sequence of commands, but now using Helge Klein's SetACL to diagnose - https://helgeklein.com/setacl

@@ pwd
/drv/e
@@ hk-getfacl.sh .
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://.
DACL(protected):
  Seven\Henri full allow no_inheritance
  Seven\None read_execute allow no_inheritance
  Everyone read_execute allow no_inheritance
  Everyone read_execute allow container_inherit+object_inherit+inherit_only
  CREATOR OWNER full allow container_inherit+object_inherit+inherit_only
  CREATOR GROUP read_execute allow container_inherit+object_inherit+inherit_only
SetACL finished successfully.
@@ mkdir T
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T
DACL(protected):
  Seven\Henri full allow no_inheritance
  Seven\None read_execute allow no_inheritance
  Everyone read_execute allow no_inheritance
  CREATOR OWNER full allow container_inherit+object_inherit+inherit_only
  CREATOR GROUP read_execute allow container_inherit+object_inherit+inherit_only
  Everyone read_execute allow container_inherit+object_inherit+inherit_only
SetACL finished successfully.
@@ setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T
DACL(protected):
  Seven\Henri read_execute+WRITE_OWNER+WRITE_DAC+DELETE allow no_inheritance
  Seven\None read_execute allow no_inheritance
  Everyone read_execute allow no_inheritance
  CREATOR OWNER read_execute+write+FILE_DELETE_CHILD allow container_inherit+object_inherit+inherit_only
  CREATOR GROUP read_execute allow container_inherit+object_inherit+inherit_only
  Everyone read_execute allow container_inherit+object_inherit+inherit_only
Note: Seven\Henri: lost write, but failed to get FILE_WRITE_ATTRIBUTES instead (chmod does!)
SetACL finished successfully.
@@ setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
setfacl: Permission denied
@@

=====

[Attachment: run-chmod-rocks-directory.txt]

chmod rocks!

List of commands:
 - mkdir T
 - chmod u-w T
 - chmod u+w T
 - touch T/aap

Summary: chmod is able to remove 'write access', and reinstate it subsequently in contrast to setfacl

@@ pwd
/drv/e
@@ mkdir T
@@ chmod u-w T
@@ chmod u+w T
@@ touch T/aap

----- same sequence of commands

@@ pwd
/drv/e
@@ mkdir T
@@ chmod u-w T
@@ icacls T
T Seven\Henri:(RX,D,WDAC,WO,WA) # <==== Note: lost W, but got WA instead ... (setfacl fails here)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@ chmod u+w T
@@ icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@

----- same sequence of commands, but now using Helge Klein's SetACL to diagnose - https://helgeklein.com/setacl

@@ pwd
/drv/e
@@ mkdir T
@@ chmod u-w T
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T
DACL(protected):
  Seven\Henri read_execute+FILE_WRITE_ATTRIBUTES+WRITE_OWNER+WRITE_DAC+DELETE allow no_inheritance
  Seven\None read_execute allow no_inheritance
  Everyone read_execute allow no_inheritance
  CREATOR OWNER full allow container_inherit+object_inherit+inherit_only
  CREATOR GROUP read_execute allow container_inherit+object_inherit+inherit_only
  Everyone read_execute allow container_inherit+object_inherit+inherit_only
Note: Seven\Henri: lost write, but got FILE_WRITE_ATTRIBUTES instead ... (setfacl fails here)
SetACL finished successfully.
@@ chmod u+w T
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin rights.
E://T
DACL(protected):
  Seven\Henri full allow no_inheritance
  Seven\None read_execute allow no_inheritance
  Everyone read_execute allow no_inheritance
  CREATOR OWNER full allow container_inherit+object_inherit+inherit_only
  CREATOR GROUP read_execute allow container_inherit+object_inherit+inherit_only
  Everyone read_execute allow container_inherit+object_inherit+inherit_only
SetACL finished successfully.
@@

=====
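
Added example, not part of the original message and not Cygwin code: a shell function that reads icacls output and classifies the owner's ACE into the three states the transcripts above show (W present; W gone but WA kept, as after chmod u-w; W and WA both gone, as after setfacl -s u::r--). The function name, the state labels and the sample_* helpers are assumptions of this example; the sample ACE lines are constructed from the icacls output quoted in the message, and only allow ACEs are considered.

```shell
#!/bin/sh
# owner_write_state OWNER   (icacls output on stdin)
# Prints one of:
#   write          - W, M or F present (each of these includes WA)
#   no-write+WA    - W absent, WA kept      (state left by chmod u-w in the post)
#   no-write-no-WA - W and WA both absent   (state left by setfacl -s u::r--)
#   no-ace         - no ACE for OWNER that applies to the object itself
owner_write_state() {
    # OWNER goes through the environment so the backslash in
    # "Seven\Henri" is not treated as an awk escape sequence.
    OWNER="$1" awk '
    BEGIN { owner = ENVIRON["OWNER"]; found = 0 }
    {
        pos = index($0, owner ":(")          # literal match, no regex
        if (pos == 0) next
        rest = substr($0, pos + length(owner) + 1)
        inherit_only = 0; rights = ""
        # Walk the "(..)" groups: inheritance flags first, rights last.
        while (match(rest, /^\([^)]*\)/)) {
            grp  = substr(rest, 2, RLENGTH - 2)
            rest = substr(rest, RLENGTH + 1)
            if (grp == "IO") inherit_only = 1
            else if (grp != "OI" && grp != "CI" && grp != "NP" && grp != "I")
                rights = grp
        }
        # An inherit-only ACE shapes new children, not this object.
        if (inherit_only || rights == "") next
        found = 1
        n = split(rights, r, ",")
        for (i = 1; i <= n; i++) has[r[i]] = 1
    }
    END {
        if (!found) print "no-ace"
        else if (("W" in has) || ("M" in has) || ("F" in has)) print "write"
        else if ("WA" in has) print "no-write+WA"
        else print "no-write-no-WA"
    }'
}

# Constructed samples, copied from the ACEs shown in the message.
sample_after_touch() {
    printf '%s\n' 'T/aap Seven\Henri:(R,W,D,WDAC,WO)' \
                  '      Seven\None:(R)' '      Everyone:(R)'
}
sample_after_chmod() {      # after: chmod u-w T/aap
    printf '%s\n' 'T/aap Seven\Henri:(R,D,WDAC,WO,WA)' \
                  '      Seven\None:(R)' '      Everyone:(R)'
}
sample_after_setfacl() {    # after: setfacl -s u::r--,g::r--,o:r-- T/aap
    printf '%s\n' 'T/aap Seven\Henri:(R,D,WDAC,WO)' \
                  '      Seven\None:(R)' '      Everyone:(R)'
}
sample_dir_after_setfacl() { # directory T after setfacl -s u::r-x,...
    printf '%s\n' 'T Seven\Henri:(RX,D,WDAC,WO)' \
                  '  Seven\None:(RX)' '  Everyone:(RX)' \
                  '  CREATOR OWNER:(OI)(CI)(IO)(RX,W,DC)'
}

for s in sample_after_touch sample_after_chmod \
         sample_after_setfacl sample_dir_after_setfacl; do
    printf '%-26s %s\n' "$s" "$($s | owner_write_state 'Seven\Henri')"
done
```

On a live tree the same function can be fed from icacls directly, e.g. icacls T/aap | owner_write_state 'Seven\Henri', to spot files left in the no-write-no-WA state after a bulk setfacl run.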