Date: Mon, 17 Aug 2015 10:20:13 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: Shares with strange ACL settings
Message-ID: <20150817082013.GH25127@calimero.vinschen.de>

On Aug 14 20:25, Achim Gratz wrote:
> Corinna Vinschen writes:
> > Cool, thanks for your quick feedback.
>
> Thanks for the snapshot!
>
> > We should just be aware that this is ultimately a kludge.  I think I now
> > finally understand what would have to be done to get a generic solution
> > which results in correct POSIX permission evaluation for any current
> > user and any file ACL.  However, from some preliminary testing it seems
> > the generic solution has at least two downsides:
> >
> > - It's slow (AuthZ code, setting up and breaking down user/group contexts
> >   for each checked file...)
> >
> > - It would always contact the AD when trying to fetch info for AD users,
> >   which is bad for remote machines not or slowly connected to the AD server.
>
> I think we've come to the same conclusion (modulo the question of
> whether AuthZ would be usable for this) some time ago.  My personal take
> on this is that the "kludge" is likely better than both what we had
> before and the result of the pre-snapshot ACL evaluation.

FYI, I revamped my AuthZ tests over the weekend and it's not *that*
slow, especially if the application caches and reuses AuthZ user
contexts fetched previously.  I have POC code in my local sandbox, and
I'm planning to apply this to Cygwin after the 2.2.1 release.

I have some hopes that the AuthZ code was the puzzle piece missing in
the unified POSIX ACL handling code we tested and then had to drop again
earlier this year.

Stay tuned for another round of this unified POSIX ACL handling tests
later this year.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat