DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:message-id:in-reply-to:subject
	:mime-version:content-type:content-transfer-encoding; q=dns; s=
	default; b=Su/3NyyMF5+LKHeff1bKWKqCUmAZxzbER/vjrT0CetbNoyQMMisiR
	iz1vO9JRpvfAHoaO+kLYbONpaxxZLWAyvfwbrt+rg+ki5XGVf2rMJieMq4uytub8
	Lez2WIpNliuVhb+cUTHc598k3jk1zA/QgM9v9LYGiVUtOS39anngAw=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Date: Fri, 4 Mar 2016 16:43:07 +0100 (CET)
From: akikij AT free DOT fr
To: cygwin AT cygwin DOT com
Message-ID: <550385091.121913198.1457106187258.JavaMail.root@zimbra93-e16.priv.proxad.net>
In-Reply-To: <2119166713.121814507.1457103633265.JavaMail.root@zimbra93-e16.priv.proxad.net>
Subject: Issues with ACL settings after updating to the latest cygwin.dll - correction
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Hi,
I have the different problems you have about this new security right NULL SID DENY added to some files.
Sometimes also Windows can't access files concerned.
He considered security rigths unordered and I have to class them before continue.
It's too difficult for me to help you to correct the problem.
I give only tracks to correct the effects to return to a clean situation.

I have a solution to list all files concerned in a directory tree:
#!/bin/bash
#	List on stdout objects with DENY
if [ $# -eq 0 ] ; then echo "Usage $0 path" ; exit 1 ; fi
cd "$1" || { echo "Bad path" ; exit 1; }
find . |grep -v -E '^\.$|RECYCLE.BIN|RECYCLER|System Volume Information'|while read i 
do	#echo "$i"
	1>&2 echo -en "$i\\r" #to see progression
	j=$(cygpath "$i")
	c=$(2>/dev/null cacls "$j" /L)
	if [ $? -ne 0 ] ; then
		s=$(file "$i"|grep 'symbolic link to')
		if [ -z "$s" ] ; then echo "not found $j" ; fi
		continue
	fi
	s=$(echo "$c"|grep -i 'NULL SID:(DENY)')
	if [ ! -z "$s" ] ; then
		echo "$c" 
	fi 
done |tee /tmp/1

I use here /tmp/1 as buffer. I can edit it before to submit to the next solution.
It's more safe for the moment.

I have another solution to patch security items contained in this buffer (here /tmp/1)
#!/bin/bash
#	Patch objects recognized having NULL SID right
#	one to one - with icacls - exit at the 1st error
ws=/tmp/NULSID	#root name for 2 temporary files, .org .new as suffixe
cat /tmp/1|grep '^.:'|while read -r i ; do
	j=$(echo "$i"|sed 's/ NULL SID.*//')
	echo "	chg $j"
	corg="$ws.org"
	cnew="$ws.new"
	icacls "$j" /save $(cygpath -w "$corg") || exit 1
	#edit with null char temporary remplaced
	cat "$corg"|tr '\0' '£'|sed -e '1 s/.*/.£/' -e 's/(£D[^)]*)£//g'|tr '£' '\0' > "$cnew"
	icacls "$j" /restore $(cygpath -w "$cnew") || exit 1
done

This solution not complete is usable for me now. I find many pbs in cygwin system
 (more than 3000 in /bin /lib ...)
I am not confident to leave this problem with ACLs. Some files are concerned, the others not.
I want a more deterministic function for the cygwin system.
May be an upgrade of all project datas is necessary before the use of these new acl functionnalities.

Sorry for my english

Regards


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple