Date: Fri, 27 Feb 2015 10:17:11 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: Too Many Permissions Stripped In 1.7.35?
Message-ID: <20150227091711.GJ11124@calimero.vinschen.de>
In-Reply-To: <54F00036.8050509@gmail.com>

On Feb 26 21:27, random user wrote:
> Regarding Corrinne's proposal to treat SYSTEM's ACE distinct from others
> in forming the apparent group permission "mask":
>
> Might it be sensible to do somewhat similar for the case where a file's
> owner is the same as its primary group (i.e., same SID)?  It has seemed
> the chmod behavior for this case has long been what's proposed (at least
> for the typical case of a chmod leaving the user with wider privileges
> than the group), but the group permission bits have appeared set to ls
> and other tools.  It would seem to help re ~/.ssh and other cases that
> are checked by programs wanting there to not be any group permissions.

Good point.  Right now the group permissions are == owner permissions in
the case the owner and group are the same.  Maybe it would be better to
remove all group permission bits if owner SID == group SID instead.
Either way it's a bit puzzling for the user because a chmod on group
permissions has no effect, but the 0 group permissions would help
security-conscious applications along.  And it would be neither exactly
a lie, nor more insecure.  Hmm...

> (Less sure I think this is really a good idea, but it'd seem consistent
> with treating SYSTEM this way given the standard default ACLs on
> /c/Users/): Should Administrators be treated the same as SYSTEM?

Nooooooo!!!1!!11!
This is exactly what I was concerned about when I formulated my
yesterday's suggestion to special-case SYSTEM.  There's no end to all
the special casing if we start with it.  Administrators is a group is a
group is a group.  Just like any other group.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
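
The owner SID == group SID case discussed in this message, as a simplified model added here (not Cygwin source and not code from this thread). The `struct ace` layout, the function names and the sample SID are assumptions made for illustration; the point is how each reporting policy interacts with a "no group or other bits" check such as the one applied to files under ~/.ssh.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): an ACE is a SID string plus rwx bits 0-7. */
struct ace { const char *sid; unsigned rwx; };

/* Union of the rwx bits granted to one SID across the ACL. */
static unsigned perms_for(const struct ace *acl, size_t n, const char *sid)
{
    unsigned p = 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(acl[i].sid, sid) == 0)
            p |= acl[i].rwx;
    return p & 7;
}

/* zero_dup_group == 0: the behaviour described as current (group bits are
   reported equal to owner bits when owner SID == group SID).
   zero_dup_group == 1: the proposed change (group bits reported as 0). */
unsigned posix_mode(const struct ace *acl, size_t n, const char *owner,
                    const char *group, const char *everyone, int zero_dup_group)
{
    unsigned u = perms_for(acl, n, owner);
    unsigned g = perms_for(acl, n, group);
    unsigned o = perms_for(acl, n, everyone);
    if (strcmp(owner, group) == 0)
        g = zero_dup_group ? 0 : u;
    return (u << 6) | (g << 3) | o;
}

/* The check a security-conscious program applies to private files:
   accept only if no group or other permission bit is set. */
int private_ok(unsigned mode) { return (mode & 077) == 0; }

/* Constructed sample: a key file whose owner and primary group share a SID. */
static const char USER_SID[]  = "S-1-5-21-1111-2222-3333-1001"; /* constructed */
static const char WORLD_SID[] = "S-1-1-0";                      /* Everyone */
static const struct ace KEY_ACL[] = { { USER_SID, 6 } };

unsigned key_mode(int zero_dup_group)
{
    return posix_mode(KEY_ACL, 1, USER_SID, USER_SID, WORLD_SID, zero_dup_group);
}

int main(void)
{
    printf("current:  %04o private_ok=%d\n", key_mode(0), private_ok(key_mode(0)));
    printf("proposed: %04o private_ok=%d\n", key_mode(1), private_ok(key_mode(1)));
    return 0;
}
```

In both cases the ACL itself is identical; only the mode reported to the caller differs, which is why the message describes the zeroed group bits as no less secure.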