Message-ID: <54F37C9F.1020900@gmail.com>
Date: Sun, 01 Mar 2015 12:54:55 -0800
From: random user
To: cygwin AT cygwin DOT com
Subject: Re: Too Many Permissions Stripped In 1.7.35?

Thanks for the reply. Seems we've maybe miscommunicated a bit tho. So not meaning to argue, just to try to clarify, let me try again:

None of my concern, none of my examples, were intended to involve any ACLs other than those created by Cygwin touch, chgrp, chmod, and setfacl. (setfacl only used as explicitly shown in one previously-sent example, not used at all in the below.)

I'm working in a Cygwin-mkdir'd directory that I believe has no added nor inherited grants. The logged in user is XXX, primary group YYY, distinct SIDs.

icacls .
. zzz\XXX:(F)
  zzz\YYY:(Rc,S,RA)
  Everyone:(Rc,S,RA)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(Rc,S,RA)
  Everyone:(OI)(CI)(IO)(Rc,S,RA)

rm x
touch x
chmod 500 x
ls -al x
-r-x------ 1 XXX YYY 0 Mar 1 11:36 x
chmod o+rwx x
icacls x
x zzz\XXX:(DENY)(S,WD,AD,WEA)
  zzz\XXX:(RX,D,WDAC,WO,WA)
  zzz\YYY:(DENY)(W,RD,REA,X)
  zzz\YYY:(Rc,S,RA)
  Everyone:(RX,W)
ls -al x
-r-x---rwx 1 XXX YYY 0 Mar 1 11:36 x

rm x
touch x
chgrp XXX x # group with same SID as user XXX
chmod 500 x
ls -al x
-r-x------ 1 XXX XXX 0 Mar 1 11:37 x
chmod o+rwx x
icacls x
x zzz\XXX:(DENY)(S,WD,AD,WEA)
  zzz\XXX:(RX,D,WDAC,WO,WA)
  Everyone:(RX,W)
ls -al x
-r-xr-xrwx 1 XXX XXX 0 Mar 1 11:37 x

I think I understand why the DENYs are present to achieve Posix behavior, and don't have any issues/concerns with that at all. The ACLs above match my expectations, I've no concern on the ACLs.

I'm only wondering if showing the group mode as r-x in the last case above is best, vs continuing to show the group as ---, the same as it appeared before the chmod o+rwx. Either seems reasonably accurate from p.o.v. of actual security since there can't be group members other than the user itself so the group can't be carrying any actual new permission for anyone. But chmod o+ having a visible impact on the group bits seems surprising.

Since the ACLs are fine, and the x00 mode cases are now showing group as --- which is what seems most helpful, this is probably not overly important for now. I'm just thinking it not likely best, an unnecessary nuance/surprise. chmod o+ having similar impact on an actual Posix-y group mask in future would seem to me likely actually incorrect tho.