Date: Tue, 23 Jun 2015 15:49:47 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: cacls combination problem in 1.7.35, merging privs of existing file & privs of process

On Jun 23 12:09, Corinna Vinschen wrote:
> Hi John,
> [...]
> And of course your user account is different from your primary group.
> They can only ever be identical on non-domain member machines when using
> the "Microsoft Accounts", where you login with your email address.
>
> > C:\Users\johnru>wmic group where name='Domain Users' get sid
> > SID
> > S-1-5-21-25853599-488532567-929701000-513
> >
> > > Original cacls of file try2.txt:
> > > try2.txt INTSURG\johnru:(R,W,D,WDAC,WO)
> > >          INTSURG\Domain Users:(R)
> > >          Everyone:(R)
> > >          NT AUTHORITY\SYSTEM:(F)
> > >          BUILTIN\Administrators:(F)
> > > Cacls after vi open & write back out (":wq")
> > > try2.txt INTSURG\johnru:(DENY)(S,X)
> > >          INTSURG\johnru:(R,W,D,WDAC,WO)
> > >          INTSURG\Domain Users:(RX,W)
> > >          Everyone:(R)
> > >          NT AUTHORITY\SYSTEM:(RX,W)
> > >          BUILTIN\Administrators:(RX,W)
>
> After I set up a directory with your permissions, I can reproduce this.
> I have an idea what the problem is, but I have to debug this further.
> Stay tuned.

No, it's not what I thought.  This is a problem with the default
settings of vi.  It's not a problem when using vim with default settings.
Try the same with vim instead of vi.

/usr/bin/vi is a "small" version of vim, while /usr/bin/vim is a "huge"
version.  They are built with different build time options, just as on
Fedora Linux, so they behave slightly differently.

However, there appears to be a bug in vim.

At "wq!", huge vim saves the file like this:

- open edited file
- write file content
- set UNIX perms via chmod(2).  This results in the "broken" permissions
  with the additional user deny ACE and rwx perms for the group.
  This is expected, nothing to worry about.  Yet.
- set the ACL via acl(2).  This reverts the permissions to the original
  permissions.  All is well.

Small vi saves like this:

- open backup file (same as edited file, plus trailing '~')
- copy edited file content to backup file
- set UNIX perms on backup file via chmod(2)
- set ACL via acl(2) on backup file.  Now the backup file has the original
  perms of the edited file.
- open edited file
- write file content
- set UNIX perms via chmod(2).  Now perms are "broken" as above.
- And now, because a certain flag in vi is set ("backupcopy" is set to
  "yes"), vi *skips* writing the ACL to the original file, see fileio.c,
  line 4702ff:

    #ifdef HAVE_ACL
        /* Probably need to set the ACL before changing the user (can't set the
         * ACL on a file the user doesn't own). */
        if (!backup_copy)
            mch_set_acl(wfname, acl);
    #endif

So it turns out that this flag, "backupcopy", when set to "yes" as is the
default when running vi, breaks ACLs in certain cases.  In vim the flag
is set to "auto", which apparently translates to "no", usually.

I think this is a bug in vim.  The `if (!backup_copy)' is wrong.  It
should always try to write the ACL on systems supporting them.

But for the time being, there are at least three easy workarounds:

- Create a ~/.virc file with this line:

    set backupcopy=no

- Always run "vim", rather than "vi".

- Add an alias so that when you run vi, you actually start vim:

    alias vi=vim


HTH,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
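
An added example, not part of the original message: a small Python check that compares two cacls listings taken before and after an editor save and reports which ACEs changed, run here on the two listings quoted in the message. The function names and the assumed `principal:(DENY)(rights)` line format are this example's own, not Cygwin or vim code.

```python
import re

# The two cacls listings quoted in the message (before and after ":wq" in vi).
BEFORE = r"""try2.txt INTSURG\johnru:(R,W,D,WDAC,WO)
         INTSURG\Domain Users:(R)
         Everyone:(R)
         NT AUTHORITY\SYSTEM:(F)
         BUILTIN\Administrators:(F)
"""
AFTER = r"""try2.txt INTSURG\johnru:(DENY)(S,X)
         INTSURG\johnru:(R,W,D,WDAC,WO)
         INTSURG\Domain Users:(RX,W)
         Everyone:(R)
         NT AUTHORITY\SYSTEM:(RX,W)
         BUILTIN\Administrators:(RX,W)
"""

# Assumed line format: principal:(rights), with an optional (DENY) marker.
ACE = re.compile(r"^(?P<who>[^:]+):(?P<deny>\(DENY\))?\((?P<rights>[^)]*)\)$")

def parse_acl(listing, filename):
    """Map (principal, 'allow'|'deny') to the set of rights granted or denied."""
    acl = {}
    for line in listing.splitlines():
        line = line.strip()
        # cacls prints the file name in front of the first ACE only.
        if line.startswith(filename + " "):
            line = line[len(filename):].strip()
        m = ACE.match(line)
        if m:
            key = (m["who"], "deny" if m["deny"] else "allow")
            rights = {r.strip() for r in m["rights"].split(",")}
            acl.setdefault(key, set()).update(rights)
    return acl

def acl_drift(before, after, filename):
    """Return {(principal, kind): (old_rights, new_rights)} for changed ACEs."""
    old, new = parse_acl(before, filename), parse_acl(after, filename)
    return {k: (sorted(old.get(k, ())), sorted(new.get(k, ())))
            for k in old.keys() | new.keys() if old.get(k) != new.get(k)}

if __name__ == "__main__":
    drift = acl_drift(BEFORE, AFTER, "try2.txt")
    for (who, kind), (was, now) in sorted(drift.items()):
        print(f"{who} [{kind}]: {','.join(was) or '-'} -> {','.join(now) or '-'}")
```

Running the same comparison on listings captured around a save with "set backupcopy=no" in effect should return an empty result if the workaround applies.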