X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:cc:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; q=dns; s= default; b=hs1wv7EFRI5r4c0tr1JylDjn4L/Mxrut0zBTNQFBUuzM2t7e6uSYr vzX0OTBFjCInN1zk6Ijo1kmpREqx4T1rI+ARAIbnuQEA6ThdSlEnx7v+tGaGslBy Wscu0sHZO9xNipnNMCHb/aPLGgnHHqJbFTr9HjkJifB0HT//9iJ9ZM= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:cc:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; s=default; bh=EujlKUTgk90WGpyACXITJ2ykS+g=; b=KzOMWg1nxxzJxeE44R0RYE1ch5kz izl9MiIqZ3N9HtDcy2eQDZdy2bnxb/GEk+rh7QEngNao8V4ivlhXuw57cRZOXn2/ Dy3LgkEDGMr8YDDOWn8NUAEcYz0sTJfp48SG3BpiRL8OCQDEJ6PxZkDBKFR87Uqw nvhKB4hH2PNS0VU= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-5.9 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.2 X-HELO: calimero.vinschen.de Date: Fri, 27 Feb 2015 14:57:43 +0100 From: Corinna Vinschen To: cygwin AT cygwin DOT com Cc: Warren Young Subject: Re: Too Many Permissions Stripped In 1.7.35? Message-ID: <20150227135743.GN11124@calimero.vinschen.de> Reply-To: cygwin AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com, Warren Young References: <54F00036 DOT 8050509 AT gmail DOT com> <20150227091711 DOT GJ11124 AT calimero DOT vinschen DOT de> <20150227121958 DOT GL11124 AT calimero DOT vinschen DOT de> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="wmhq21yAGFMoSpeN" Content-Disposition: inline In-Reply-To: <20150227121958.GL11124@calimero.vinschen.de> User-Agent: Mutt/1.5.23 (2014-03-12) Note-from-DJ: This may be spam --wmhq21yAGFMoSpeN Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Feb 27 13:19, Corinna Vinschen wrote: > On Feb 27 09:57, Achim Gratz wrote: > > Corinna Vinschen cygwin.com> writes: > > > Good point. Right now the group permissions are =3D=3D owner permiss= ions in > > > the case the owner and group are the same. Maybe it would be better = to > > > remove all group permission bits if owner SID =3D=3D group SID instea= d.=20 > >=20 > > I think that would be defendable since it is purely based on how Window= s and > > POSIX treat groups and users in different ways and not an artificial > > exception that Cygwin makes on top of that. >=20 > Come to think of it, this would also drop the requirement to enforce > primary group "Users" for the so-called "Microsoft Accounts", which have > their own SID as group SID in the user token by default. >=20 > Hmm, I'm really warming up to this change... Done. I uploaded a snapshot and I'm contemplating to create a test release for this change. Warren, you're the unlucky guy of the day. From our discussions in the last days I know you're using a Microsoft account. Can you please give the latest snapshot from https://cygwin.com/snapshots/ a try? When using it, you should now see your account also as group. Creating files should result in having user and group being the same, and if you chmod the file, the group permissions should not reflect the user permissions anymore: $ chmod 600 xxx $ ls -l xxx -rw------- 1 corinna corinna 0 Feb 27 10:40 xxx $ chmod 660 xxx $ ls -l xxx -rw------- 1 corinna corinna 0 Feb 27 10:40 xxx Trip hazard 1: $ chmod 250 xxx $ ls -l xxx -rwx------ 1 corinna corinna 0 Feb 27 10:40 xxx The new permissions for your account are the sum of permissions you gave yourself as user and group: =20=20 user 2 =3D=3D -w- group 5 =3D=3D r-x =3D=3D> combined 7 =3D=3D rwx Trip hazard 2: $ chmod 644 xxx $ ls -l xxx -rw-r--r-- 1 corinna corinna 0 Feb 27 10:40 xxx Funny, isn't it? The group permissions are different from the user permissions even though both are the same account. These are the "Everyone" permissions which penetrate into the group permissions due to the way the Windows ACL is evaluated: $ icacls xxx xxx VINSCHEN\corinna:(R,W,D,WDAC,WO) Everyone:(R) I didn't change that because it doesn't hurt. The case has altered (sorry the pun) if "other" has permissions the owner doesn't have: $ chmod 601 xxx $ ls -l xxx -rw------x 1 corinna corinna 0 Feb 27 10:40 xxx $ icacls xxx xxx VINSCHEN\corinna:(DENY)(S,X) VINSCHEN\corinna:(R,W,D,WDAC,WO) Everyone:(Rc,S,X,RA) I think that's really a good change. It should help in security conscious scenarios a lot. It *may* break other scenarios, but that should be rather unlikely or easy to fix. Thanks for the idea "random user". A name would be nice, though... Corinna --=20 Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat --wmhq21yAGFMoSpeN Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBAgAGBQJU8HfXAAoJEPU2Bp2uRE+gEWgP/jaWxjgF0aGvL+syKwF1rm5R zyRHiKD5NoIzipgfSyQHeMxK48LpIGBkGEDS5k+SdqTFAk08EcTfaSuDWq8OKvdp 9enMQuV3k4mWHFUxFOHLNmciym63+H3GJ3OYVX07/vzFjUocvYyvElz8G2FO5lGJ xH0r8I9Ku/dnzXW2pMd7Kcb9kSgDY/zo3l9rFdkX+aDCZN6uOXnTaijRCu90SUzE 1WRLt1njyYuIelvctTBQ1nkkycXoLmCtI0/kiE9wgranHbVeQCCSq7/G6GIDw7J7 Kwx1pHD3AXHKK5ZFX1Y8sbIVWFmGZmFZ4phpsb0yn/IY7Mn4ijDxnkZ/AJJj1EVF Rsq57pf96yVZCUULa7gFtOW83JHXC7Edyym7M1J55Jo0jikiWt+jRRYuq5wjXaJ7 mDH41A35AQR5nK9Y5BIzPjRRTcSoDbS/9X1kMSkYGLx+3xT5tSekv9jYtEE59KGU 8EuxWApgTLz89Puz3h1iNscVwBzBmT4A0I1IFgjJ19s5cde0X+a4HMHJoG1pWQ/3 vxHXKT7b0rndecQFBlVuzGns27b/AmRHiwlaXe55dlkS10wvTf8WwH1ys7xMUFIw q2KgXA9peqwsGBCDe6tD2hqvoY6Krtvp1KiF5ICesjO9UBbqJMOPxEC3vt6WIpIB fJQkuNimrRnb7N2y6nEt =ymFv -----END PGP SIGNATURE----- --wmhq21yAGFMoSpeN--