Date: Wed, 13 Mar 2019 12:34:45 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: win dirs don't handle lack of inherited rule(?): getfacl + tar dir Warning: Cannot acl_to_text: Invalid argument
Message-ID: <20190313113445.GX3785@calimero.vinschen.de>

On Mar 13 10:32, Corinna Vinschen wrote:
> On Mar 13 10:18, Corinna Vinschen wrote:
> > On Mar 12 19:22, L A Walsh wrote:
> > > Hope this is ok...the original was in utf16, it's also all one line...
> >
> > No worries.
> >
> > > On 3/12/2019 9:36 AM, Corinna Vinschen wrote:
> > > > Can you please create an acl file like this:
> > > >
> > > >   $ icacls default.nlaw-32 /save x.acl
> > > ---
> > > default.nlaw-32
> > > D:P(D;;SWRPWPDTRC;;;S-1-0-0)(A;;FA;;;S-1-5-21-33333-77777-33333-5013)(A;;0x1201ff;;;S-1-5-21-33333-77777-33333-201)(A;;0x1201ff;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1201ff;;;SY)(A;;0x1201ff;;;DA)(A;;0x1201ff;;;BA)(A;;0x1201ff;;;S-1-5-21-1885695451-752926663-1105222378-1015)(A;;0x120080;;;WD)S:AI(ML;OICIID;NW;;;HI)
> >
> > Thank you.  This allowed me to create a file with an equivalent DACL...
> > almost.
> >
> > The interesting thing here is that after ACL restoration the DACL has
> > all the entries as yours, in the same order, except that the
> >
> >   Mandatory Label\High Mandatory Level:(I)(OI)(CI)(NW)
> >
> > entry is not created.  I tried the same under the SYSTEM account and
> > it still silently ignored the above entry.
> >
> > Given that the DACL is no problem for getfacl without this mandatory
> > label entry, I have to assume that this is what acl_to_text chokes on.
> >
> > The problem now is... how on earth can I create an ACL with this
> > entry?  The GUI does not allow to add it and icacls apparently
> > doesn't allow this either, even though it shows it nicely.
>
> Never mind, I managed to add a Mandatory label with
>
>   icacls filename /setintegritylevel '(CI)(OI)H'
>
> and I can now reproduce the "Invalid argument".

It turns out that this had nothing to do with mandatory labels.  The
real reason for the "Invalid argument" error message was that your
directory doesn't have inheritable entries, except for the mandatory
label.

The issue with mandatory labels is, they are not part of the DACL but of
the SACL.  So when Cygwin fetches the DACL to create the posix acl, it
doesn't even see the mandatory label, and the fact that the mandatory
label is inheritable doesn't matter.  Cygwin gets a DACL with no
inheritable entry.

And here's the problem: Per POSIX, the normal acl (ACL_TYPE_ACCESS) and
the inheritance acl (ACL_TYPE_DEFAULT) are two separate lists.  So we
have the ACL_TYPE_ACCESS with 9 entries and the ACL_TYPE_DEFAULT with 0
entries.  And while empty ACL_TYPE_DEFAULT acls are valid per POSIX, the
Cygwin function creating the text representation for an acl didn't allow
empty acls.

I pushed a patch and uploaded new developer snapshots to
https://cygwin.com/snapshots/

Please try.

Thanks,
Corinna
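
The condition described in the message, checked against the SDDL string quoted in the thread. This is an added example, not code from Cygwin or from the original post. It only counts ACEs and their OI/CI flags, it does not reproduce Cygwin's DACL-to-POSIX mapping, and the function names and the `CONSTRUCTED` sample are made up for illustration.

```python
import re

# SDDL string quoted in the thread (icacls /save output, line breaks rejoined).
SDDL = (
    "D:P(D;;SWRPWPDTRC;;;S-1-0-0)(A;;FA;;;S-1-5-21-33333-77777-33333-5013)"
    "(A;;0x1201ff;;;S-1-5-21-33333-77777-33333-201)"
    "(A;;0x1201ff;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    "(A;;0x1201ff;;;SY)(A;;0x1201ff;;;DA)(A;;0x1201ff;;;BA)"
    "(A;;0x1201ff;;;S-1-5-21-1885695451-752926663-1105222378-1015)"
    "(A;;0x120080;;;WD)S:AI(ML;OICIID;NW;;;HI)"
)
# Constructed contrast case: one DACL ACE that children inherit (OI+CI).
CONSTRUCTED = "D:(A;OICI;FA;;;BA)(A;;0x1200a9;;;WD)"

# "D:" or "S:", optional ACL flags (P, AI, ...), then the parenthesised ACEs.
ACL_RE = re.compile(r"([DS]):([A-Z]*)((?:\([^)]*\))+)")
INHERIT_FLAGS = {"OI", "CI"}  # object inherit / container inherit


def parse_sddl(sddl):
    """Split an SDDL string into DACL ('D') and SACL ('S') ACE lists."""
    acls = {"D": [], "S": []}
    for m in ACL_RE.finditer(sddl):
        kind, _acl_flags, body = m.groups()
        for ace in re.findall(r"\(([^)]*)\)", body):
            # ace_type;ace_flags;rights;object_guid;inherit_object_guid;sid
            ace_type, flags, rights, _obj, _inh, sid = ace.split(";")[:6]
            acls[kind].append({"type": ace_type, "rights": rights, "sid": sid,
                               "flags": re.findall("..", flags)})
    return acls


def inheritable(aces):
    """ACEs that child objects would inherit (OI and/or CI set)."""
    return [a for a in aces if INHERIT_FLAGS & set(a["flags"])]


def summarize(sddl):
    """Count DACL ACEs and show where the inheritable ones live."""
    acls = parse_sddl(sddl)
    return {
        "dacl_entries": len(acls["D"]),
        "dacl_inheritable": len(inheritable(acls["D"])),
        "sacl_inheritable": [(a["type"], a["sid"]) for a in inheritable(acls["S"])],
    }


if __name__ == "__main__":
    print(summarize(SDDL))         # the directory from the thread
    print(summarize(CONSTRUCTED))  # one inheritable DACL ACE
```

For the thread's string it reports nine DACL ACEs, none of them inheritable, and the only inheritable ACE is the mandatory label in the SACL.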