X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; q=dns; s=
	default; b=mY/JTMCCLWPDxFdfMWdwBWhEZot6VJYK3rGU9rfb1gEFaUqU6DyIX
	9hZqLXJsA6ewh3hKRX6fxzMZGPfxNqyDbqQU2aq1Dfa6Mf+ZkIsHdXrIWG4kCZVx
	fg6xPNvDDNoWsVLEvoB6oZAScNHELye4+uNdHfQkksk3eIP/afDOlY=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; s=default;
	 bh=JBKPPddjVYY2p3Y/M8UIF9IWaqU=; b=lrXuK9Yz2Wj8aV649VTpcuOXNwWf
	RCvKJg4v0eKD4sWEeDUqTm5ecyX1cpsmDuAb5gAcXgGQ3LHjljaibwq83HFs9XnW
	K1zb4gZ00yvVlmfgCj948voY42S8rLEE88Ii4gwxDCUZ3fCTdMQv3eCYQpCz38xs
	+lGWYLQbqFL3oC0=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-5.4 required=5.0 tests=AWL,BAYES_00,KAM_LAZY_DOMAIN_SECURITY autolearn=no version=3.3.2
X-HELO: calimero.vinschen.de
Date: Thu, 9 Apr 2015 09:43:28 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: setfacl can kill a drive
Message-ID: <20150409074328.GO2819@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <CAAXzdLUZvdNw_UyOXMa5ozoGuG7zjPnz=rRLELFBoEF8+miZUA AT mail DOT gmail DOT com> <CAAXzdLUgnjfeA=LkrdUp68zHterj5hj5BtLqh0W=TCAn1zPrpQ AT mail DOT gmail DOT com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;	protocol="application/pgp-signature"; boundary="P7Tqkd/m/Jnohiaz"
Content-Disposition: inline
In-Reply-To: <CAAXzdLUgnjfeA=LkrdUp68zHterj5hj5BtLqh0W=TCAn1zPrpQ@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)

--P7Tqkd/m/Jnohiaz
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Apr  8 16:40, Steven Penny wrote:
> On Wed, Apr 8, 2015 at 5:17 AM, Steven Penny wrote:
> > I upgraded to the new Cygwin today, why is this command producing diffe=
rent
> > permissions? Moreover how do I get it to produce sane results?
>=20
> I was able to use these command to produce sane results
>=20
>     $ cd /cygdrive/c
>=20
>     $ touch bad.txt
>=20
>     $ setfacl -k .
>=20
>     $ touch good.txt
>=20
>     $ ls -l *.txt
>     -rw-rwxr--+ 1 John None 0 Apr  8 02:16 bad.txt
>     -rw-r--r--  1 John None 0 Apr  8 02:16 good.txt
>=20
> I feel that the default permissions are wrong here. On linux when you
> create a new file with touch, it does not have executable permissions,

It's a result of ACL inheritance and before the changes to Cygwin's
ACL handling, you wouldn't even have seen it.

> for good reason.  This would be a security issue.

No, it's how ACL inheritence works on Windows, combined with the way the
group permissions reflect the ACL mask value per POSIX 1003.1e draft 17.
See, e.g, http://linux.die.net/man/5/acl, "Correspondence Between Acl
Entries And File Permission Bits".  Note that the group permission bits
are reflecting all additional permissions added to the file by Windows
ACL inheritance.  So it's actually a great help identifying security
issues.

The real issue here is, of course, the fact that the mask value is not
umask'ed at file creation time.  This is WIP I'm actually working on
right now.


Corinna

--=20
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

--P7Tqkd/m/Jnohiaz
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBAgAGBQJVJi2gAAoJEPU2Bp2uRE+g0L4P/i1/M8RFqqIqAaXYs+EL1QmX
HqBNBGSHdRyWlcPzDybmQYIlCt0DeFEpal+0iQ11XE6Tv1Sb4eAUaNe0X69ELltD
0vkGadsQSVlgmLNUzzuDkX0Le5Z9YHAI3NobMKvp0dbk74o/wawqFwoQE82bKJ9O
McCt3JGrAN44Lq76rQqV97eqUGs7xLsFTxvOm8O/mYLIH8ssbCam+LyGZfTl9Vfx
Ai+WJU8WFq7iq7plvWfqcCaKbwgv8r//I+Tp4m5fOGWlgmpnrAuRzI/CRkUWqPNS
4NqIOq+avrZZGo96o/GLD8zdqlZoqj3ZqTSO+89si5CecaCOK0Qn8sDuZfRY1Hk7
yxt0n7JUZ6CbkRqbx7IfwVQOn1douMSzgAdFHTOdGjvMr9WWE5VAtHUDgjHB71oc
93ldr/XsKgJIUdX+lBaNazbnUYLUK4FD935zBDkM27KXKNp7pj62yUcgkczvC31r
dV8SRinSIkNKtkgQUIXSr/keHFYnM614C7A76JlXZKiPcsdQfVMdyWMwZibCX7ME
xhjR4HW6j7mEJ60PWP+CEVrw8HGd1NweTSQujU34TYRU4FtdM/h0NSMu8Jw+2V87
hNz7sGwC4MH3kDUz1BqMprisVeGI8OZSnT8BtGrR6r7juOpRV8FhCkIWI4rqsLDP
wrLQYxDCxk26aql5dRh3
=dg3b
-----END PGP SIGNATURE-----

--P7Tqkd/m/Jnohiaz--