Date: Thu, 26 Feb 2015 23:51:26 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: Too Many Permissions Stripped In 1.7.35?
Message-ID: <20150226225126.GE11124@calimero.vinschen.de>
In-Reply-To: <20150226222931.GA11124@calimero.vinschen.de>

On Feb 26 23:29, Corinna Vinschen wrote:
> Having discussed this, I can understand that it may be desirable to
> skip the permissions of the SYSTEM account in these circumstances:
>
> - Computing the POSIX ACL mask and default mask value and thus in
>   the permission mask as printed by `ls -l'.

Trying to be more exact:

- Right now, the POSIX ACL mask value includes the permissions of the
  SYSTEM account, if it's in the ACL.

  The function collecting the ACL entries can easily skip adding the
  permissions of SYSTEM to the mask value. Thus, the mask value only
  reflects the permissions of all other users and groups, and so ls -l
  will not show rwx group perms only because SYSTEM has rwx perms.

  Example:

  Today:

    $ getfacl .ssh/authorized_keys
    # file: authorized_keys
    # owner: corinna
    # group: vinschen
    user::rw-
    group::---
    group:SYSTEM:rwx
    mask:rwx                <= !!!!!
    other:---

    [~/.ssh](64)$ ls -l authorized_keys
    -rw-rwx---+ 1 corinna vinschen 1025 Jun 15  2014 authorized_keys
        ^^^ !!!

  With the proposed change:

    # file: authorized_keys
    # owner: corinna
    # group: vinschen
    user::rw-
    group::---
    group:SYSTEM:rwx
    mask:---                <= !!!!!
    other:---

    [~/.ssh](64)$ ls -l authorized_keys
    -rw-------+ 1 corinna vinschen 1025 Jun 15  2014 authorized_keys
        ^^^ !!!

> - Changing SYSTEM permissions when calling chmod, unless SYSTEM is the
>   file's owning group.

  A chmod can easily skip the SYSTEM ACE when applying the group perms
  to all secondary users and groups in the ACL. So a SYSTEM rwx stays
  rwx. Unless, of course, SYSTEM is the owning group of the file.

  Example:

  Today:

    $ chmod 600 .ssh/authorized_keys
    $ getfacl .ssh/authorized_keys
    # file: authorized_keys
    # owner: corinna
    # group: vinschen
    user::rw-
    group::---
    group:SYSTEM:---        <= !!!!!
    mask:---
    other:---

  With the proposed change:

    $ chmod 600 .ssh/authorized_keys
    $ getfacl .ssh/authorized_keys
    # file: authorized_keys
    # owner: corinna
    # group: vinschen
    user::rw-
    group::---
    group:SYSTEM:rwx        <= !!!!!
    mask:---
    other:---

> Changing this in the code is pretty straightforward, but I'm not willing
> to add another mount option for this behaviour. Either Cygwin ignores
> SYSTEM in the aforementioned circumstances or it doesn't.
>
> Crucial vote starting... now.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
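
Added example, not part of the original message and not Cygwin source code: a small C model of the two rules discussed above (mask computation and chmod), each with a switch between today's behaviour and the proposed one. The types, the function names acl_mask and acl_chmod, and the treatment of "applying the group perms" as a bitwise AND are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the ACL that getfacl prints in the message.
   Not Cygwin source: all type and function names are hypothetical. */
enum tag { USER_OBJ, GROUP_OBJ, USER, GROUP, OTHER };
struct entry { enum tag tag; const char *name; unsigned perms; /* rwx = 7 */ };

static int is_system(const struct entry *e)
{
    return e->tag == GROUP && strcmp(e->name, "SYSTEM") == 0;
}

/* Mask = union of owning group, named users and named groups.
   skip_system: 0 models "today", 1 models the proposed change. */
unsigned acl_mask(const struct entry *acl, int n, int skip_system)
{
    unsigned mask = 0;
    for (int i = 0; i < n; i++) {
        int in_class = acl[i].tag == GROUP_OBJ || acl[i].tag == USER || acl[i].tag == GROUP;
        if (in_class && !(skip_system && is_system(&acl[i])))
            mask |= acl[i].perms;
    }
    return mask;
}

/* chmod: set the base entries, then AND secondary entries with the new group
   bits (assumed). A SYSTEM owning group is GROUP_OBJ, so it always changes. */
void acl_chmod(struct entry *acl, int n, unsigned mode, int skip_system)
{
    unsigned grp = (mode >> 3) & 7;
    for (int i = 0; i < n; i++) {
        if (acl[i].tag == USER_OBJ)       acl[i].perms = (mode >> 6) & 7;
        else if (acl[i].tag == GROUP_OBJ) acl[i].perms = grp;
        else if (acl[i].tag == OTHER)     acl[i].perms = mode & 7;
        else if (!(skip_system && is_system(&acl[i]))) acl[i].perms &= grp;
    }
}

int main(void)
{
    /* Constructed from the getfacl output quoted in the message. */
    struct entry acl[] = { {USER_OBJ, "", 6}, {GROUP_OBJ, "", 0},
                           {GROUP, "SYSTEM", 7}, {OTHER, "", 0} };
    printf("mask today=%o proposed=%o\n", acl_mask(acl, 4, 0), acl_mask(acl, 4, 1));
    acl_chmod(acl, 4, 0600, 1);
    printf("SYSTEM after chmod 600 (proposed)=%o\n", acl[2].perms);
    return 0;
}
```

In this model the group bits that ls -l shows for a file with an extended ACL are the mask value, which is why skipping SYSTEM turns -rw-rwx---+ into -rw-------+ for the same set of entries.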