DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org C6E0E38708A4
Date: Thu, 18 Jun 2020 11:15:36 -0500
To: "cygwin" <cygwin AT cygwin DOT com>
Subject: Is this a valid synopsis of Cygwin Permission Handling?
Mime-Version: 1.0
Message-ID: <449yFRqoK6976Set.1592496936@web12.cms.usa.net>
Z-USANET-MsgId: XID604yFRqPK9136X31
From: KARL BOTTS via Cygwin <cygwin AT cygwin DOT com>
Reply-To: KARL BOTTS <kdbotts AT usa DOT net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Cygwin" <cygwin-bounces AT cygwin DOT com>


I wrote the following to a colleague in a private chat channel. Colleague is
pure Windows: knows little of cygwin or Linux.  He helps me with hardware and
Windows.

We had gotten the WinExplorer dialog saying: "The permissions on volume I: are
incorrectly ordered, which may cause some entries to be ineffective." This was
after I had run, with cygwin, 'chmod -R 777 .' in the root of that drive.

I am not complaining, reporting a bug, or anything like that. I am only asking
the cygwin experts, whether my synopsis of cygwin permission handling, is
reasonably and logically correct.

Thanks.


#################

Karl Botts, [18.06.20 09:17]
On that dialog box: I must confess, you should know: I may have caused that,
by running in root of I: drive, aka in I:/  :

chmod -R 777 .

I did that _after_ screwing around with WinExplorer security dialogs. Was not
getting anywhere, so I tried the chmod out of desperation. Probably should not
have.

How cygwin works, with respect to permissions:

When the first cygwin1.dll is launched (one is being loaded into a process,
and no other is loaded), it queries from WinDomainController, all security
info it can get. Including SIDs, ACLs, practically everything. That
cygwin1.dll builds, in  shared memory private to cygwin, a database expressing
all that data, in Linux terms. That database emulates what a Linux kernel
reads from /etc/passwd, /etc/groups, more places, including other hosts.

All cygwin processes started as descendants of that first process, are passed
pointer to that DB in shm. (That DB is built just once.) (Remember, in
Linux/cygwin model, every process is a child of some other process.)
Thereafter, that DB is almost all a cygwin process knows about perms. I think,
occasionally, it may call to DomainController again, or to refresh, but tries
to avoid that, because is very slow. (If every cygwin process queried
DomainController, would be unacceptably slow.)

Problem is that emulation, Linux perms <==> Win perms, is not perfect.  A few
concepts in each, unknown to other.

In particular: in Win, the AccessControlEntries in an AccessControlList, must
be in a certain order, or the ACL is invalid. No such concept in Linux: all
orders valid. When ACL is invalid for that reason, WinExplorer is known to be
helpless, hence dialog above. Per cygwin mailing list, Win program
'icacls.exe' can straighten that out. But requires extreme complex commands to
icacls; has varied over time; me not know exactly how to do it. So I get
stuck.

What 'chmod -R 777 .' means is: Assign complete Read,Write,Execute perms, for
all of User,Group,Other, from current working dir (the .), recursively, all
the way down. To all files, all dirs, all everything.

Those concepts of 'complete' and 'all' and 'recursively all the way down', do
not map perfectly to Windows. It seems to refuse to believe that intent.
Somehow, some ACLs wind up in 'wrong ACE order' state. WinExplorer now
helpless: you get that dialog. Snafu.

I think I did that.


---
Karl Botts, kdbotts AT usa DOT net

--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple