X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; q=dns; s= default; b=QwVYTxC2fatmCyOkAXmiPT7m5cVYMv6R94mh3E4pgsiuNFOqEUojz YPl0j8rhPs+mjwP6SqD6NXacV2XC/f0TiYLxiRHm653vdqXe8EX9hMVGocTfPfil PzZ6B0cbbar6rUaZBG0z1s9Fdu+N/JWM2ClRcR7k+Nv+JLU4IiNicg= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; s=default; bh=5vmNZ14ZG16Tt+KDzTL3ozWNMeI=; b=VhUe8pjGIvCxZ7jrrussxlW6PCsA vuczdZ40LDQsdm6KdPVNuhArjMFTfya2v2MPcCFze2vtvd+Awhd9miLTCXOGs8Jx RQjdCse61sh4CS43n7zg2/3A1i/ZwCBU8X4sxQzC/vuUqRUIJiPPLsYhKhBjL9w5 Kt3BbuJAue01T64= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-106.2 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_2,GOOD_FROM_CORINNA_CYGWIN,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.2 spammy=membership, inspected X-HELO: mout.kundenserver.de Date: Thu, 12 Apr 2018 09:38:05 +0200 From: Corinna Vinschen To: cygwin AT cygwin DOT com Subject: Re: [Bug] File permissions across domains Message-ID: <20180412073805.GS29703@calimero.vinschen.de> Reply-To: cygwin AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com References: <874lkjt3dw DOT fsf AT Rainer DOT invalid> <20180411070312 DOT GK29703 AT calimero DOT vinschen DOT de> <20180411093443 DOT GM29703 AT calimero DOT vinschen DOT de> <87r2nlwtln DOT fsf AT Rainer DOT invalid> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="45wMVEkw4XUbiYON" Content-Disposition: inline In-Reply-To: <87r2nlwtln.fsf@Rainer.invalid> User-Agent: Mutt/1.9.2 (2017-12-15) X-UI-Out-Filterresults: notjunk:1;V01:K0:geX/xHpqvJc=:GVVB2tfHmd2rj6egXe+mrt JP58xXhab4Jv/kVOSUoEpKtgLtmVFPyDr1ZvEw7XylA/EFadgjZClGKBKxczps06VR0UEadao ru8FWIfBVWEhlLem2lV8CnV/yi0JbpRqgvH1ye9sO9C2Z0/YwExnnhTL5YJOKlkXJVDmGvQ7S ZRzj7fOwz1V5o1O0QP0cihAhCX07Eh7SLwOlONbJpqooLnISSlFXSXQH4N4sFRy8aENHp7KxA MDU6JnvHCa7u39YFPHdg48h50Osjr8hJew+rh0PbLVIfUN5B/m3PEyqDHPvJVXasi2hC9q38j 5vnmyEfrOw0XUMnpKDJpBFSOHof6JjpipdXMDOMvh4Bp/ipA7sl7Tw5tWbP1+tvG2IPxT7zmk 3Lt+PQrV4qhKwrz1IonSGNQwwEO3zkZFi27zwBPsLEKa23mxYbBDndTA4l+DkRzOTKmMihTCh 0QAJwFdFr8Q4hcPCsEcXY0Upov9Z/wGEW2hYC/YAArRyDlGjuX+9z/Im9CCmfQN/35XbHO/6Y IKqPr+uzV6SzIckbWzg2Usf0pZhohDHEADASGiszfYGZz6jmgNAD3EZLUx1Ib84ejqG6ueQBa 38FwIxW/wwzQpeO3uhYibbjg1VIcyibPgiWuDL5/lbsdzl8DxI1IlmqjScIcHoS1UXBkP/RxJ pPBD3Xm75cq4nBb8MuKGsYHh39wKBvJIKbr10fHT1JIBlbgPbRb2/Ti4a+Q8pMVZ/k/QWIyrf 2HREJ5usjsw4+Zvsyf307m/QoefCOetjQiAMRw== --45wMVEkw4XUbiYON Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Apr 11 19:17, Achim Gratz wrote: > Corinna Vinschen writes: > > This is a bit low on detail. What does icacls say about this file? How > > does getfacl report the ACL on a machine in the old domain? What does > > ls -l report on the file on both machines? Does an strace on getfacl > > report an error in ACL checking? >=20 > There is absolutely no error when stracing getfacl on either machine. > From the machine in the new domain (my account is in group cygwinupload > and access on this share is via ACL only, I can't change ACL): >=20 > --8<---------------cut here---------------start------------->8--- > /mnt/upload > ll bla > ----rwx---+ 1 OLD+gratz OLD+Domain Users 0 Apr 10 15:21 bla > (1011)/mnt/upload > getfacl bla > # file: bla > # owner: OLD+gratz > # group: OLD+Domain Users > user::--- > group::--- > group:OLD+FileOperators:rwx > group:OLD+cygwinupload:rwx > mask:rwx > other:--- >=20 > (1012)/mnt/upload > `cygpath -S`/icacls bla > bla OLD\FileOperators:(I)(F) > OLD\cygwinupload:(I)(M) >=20 > Successfully processed 1 files; Failed processing 0 files > --8<---------------cut here---------------end--------------->8--- >=20 > The same thing on a machine in the old domain: >=20 > --8<---------------cut here---------------start------------->8--- > (1007)/mnt/upload > ll bla > -rwxrwx---+ 1 gratz Domain Users 0 Apr 10 15:21 bla > (1008)/mnt/upload > getfacl bla > # file: bla > # owner: gratz > # group: Domain Users > user::rwx > group::--- > group:FileOperators:rwx > group:cygwinupload:rwx > mask:rwx > other:--- >=20 > (1009)/mnt/upload > `cygpath -S`/icacls bla > bla OLD\FileOperators:(I)(F) > OLD\cygwinupload:(I)(M) >=20 > Successfully processed 1 files; Failed processing 0 files > --8<---------------cut here---------------end--------------->8--- >=20 > Checking how Cygwin reads my own account results in exactly the same SID > on both machines as it should, but of course Cygwin translates that to > different uid / gid values due to the presence of the domain prefix when > I'm logged into the machine in the new domain: I inspected the source code which handles this kind of thing. What it does is to ask Windows for permissions of SID X on file Y, using AuthZ. See sec_acl.cc, line 1127ff. This calls a function authz_get_user_attribute which in turn calls a method authz_ctx::get_user_attribute, sec_helper.cc, line 811ff. This method checks if the owner of the file is the current user. Given this test is done using SIDs, not Cygwin uids, this should be you, *iff* you're logged in as the same user on both machines at the time you created the above output. This in turn should create the Authz context for the current user from the current process token and the subsequent AuthzAccessCheck should give the same result on both machines. Bottom line is, I have no idea why this doesn't work in your case. I can neither test nor debug this. One reason could be that you're member of OLD+cygwinupload only on the old machine, while this group is not in your current process token when logged in on your NEW machine. You should check your token. In terms of group membership an `id' call should suffice. But there may be other differences in the token. If that's not the problem, you will have to debug this, because only you have access to this environment. > I have not yet tried to force the account back to a prefix-less > interpretation via /etc/passwd (I had to do that in my home network > without a DC to solve a similar problem, but I'd like to avoid that > here). It wouldn't change anything since the access check is performed on SIDs, not uids. Corinna --=20 Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat --45wMVEkw4XUbiYON Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEoVYPmneWZnwT6kwF9TYGna5ET6AFAlrPDN0ACgkQ9TYGna5E T6DpLA/+PcxSp4Omj6Xaxlf+cC8mi8ddoAjAHy3QDek4w0jOCOSFJKrNcRVe6SQp vhrBVMN3vCfMHaVz/vLtEF3Hgts8l6TJ+fKOSLwgYC1Jsn+qPmmlwvebjfVVW34Y CXBy6bG5kT95b88PI4nY8zUn7X6M2bVKDP+VMtXT6do87z28PTXsh3kG/a7UwJLc XcuM0XIJHkDE/pcd5wRPqiT43qmVtB6fi7SYUhUdZ0bIz5lMaDkKqp5l/iz94B7W 9szAeNdawXIAFF97UrTWg2l4YLfs3k28PYPDkEMyE0I9SB7RGb6ux/XGTcLEzbse nA+rPTmAGB7kaXgG9J6Gg1rBXxftil9nz78479JCdXg5v70egUMP2dEm12xZV3/B OSPS9stYx/6Ab1BgqQSeJEJN+HvD+lniE/hZRrpVxzHuREtxDZQqJpCCidI8jLqq sK0XFzPadmcnpvJYqyxjlE1iXyVCMcq0NZcyA4VbSs40A3hdogx4wxvMvtAhhF14 pQ0ykEek1j4BdMwUj3u8Updjyel9fCnZtsRSIq5QrjttnXN93amXq4Or+oPVrZ6F cHjOGjDk8115uAskhQq96dHvkvH7m8Lclm3cODCRjPahBy+LYH9SmeHvCdQXbsjD cWDaCN6gsTPgp14qEt7KHusmMVXOq079BlkuRbXsRsdlXEXt+Nk= =Tt7g -----END PGP SIGNATURE----- --45wMVEkw4XUbiYON--