Message-ID: <5F587C4E.5090007@tlinx.org>
Date: Tue, 08 Sep 2020 23:55:10 -0700
From: L A Walsh
To: "cygwin AT cygwin DOT com"
Subject: cygwin permissions on folders creating problems for windows applications (like explorer, gvim)

I was trying to edit files in /etc/ssh:

/etc/ssh> gvim sshd_config
Error: Current working directory has restricted permissions which render it
inaccessible as Win32 working directory.
Can't start native Windows application from here.
setsid: failed to execute gvim: Permission denied

The files were owned by a domain account which is broken right now.

An Aside (I think)
(my workstation became unjoined after a windows update and the trust
between workstation+samba DC was broken. Tried removing + re-adding
only to get:

The join operation was not successful. This could be because an existing
computer account having name 'ANY' was previous created using a different
set of credential. Use a different computer name, or contact your
administrator to remove any stale conflicting account. The error was
Access is denied.
So far, I've been stymied on that front as well.)
End of aside

The dir was owned by a domain account, so chowned it to a local account+
group, and no effect. Noticed an ACL on it from the + in ls.
my lsacl script shows:

/etc/ssh> lsacl .
[u::rwx,u:Administrators_u:rwx,g::rwx,g:SYSTEM:rwx,g:Users:r-x,g:Authenticated Users:rwx,m::rwx,o::---/u::rwx,u:Administrators_u:rwx,g::rwx,g:SYSTEM:rwx,g:Users:r-x,g:Authenticated Users:rwx,m::rwx,o::r-x] .

and getfacl shows:

/etc/ssh> getfacl .
# file: .
# owner: Administrators_u
# group: Administrators
user::rwx
user:Administrators_u:rwx
group::rwx
group:SYSTEM:rwx
group:Users:r-x
group:Authenticated Users:rwx
mask::rwx
other::---
default:user::rwx
default:user:Administrators_u:rwx
default:group::rwx
default:group:SYSTEM:rwx
default:group:Users:r-x
default:group:Authenticated Users:rwx
default:mask::rwx
default:other::r-x

Looking in explorer I see a NULL SID with Deny of Traverse, Read ext
attrs and perm, and del subfolders for the folder only.
Authenticated users get denied for folder Create files/write data,
Create folders/append data, write attrs, write ext. attrs, + delete
subfolders+files.
Then they get some perms for folder+subfolders+files and a copy of the
null sid denials...

Explorer maintains that "The permissions on etc/ssh are incorrectly
ordered which may cause some entries to be ineffective. In order to
change any permissions, windows requires they be reordered."

I've run into this stuff before with cygwin permissions being
incompatible with windows permissions. I've sort of ignored it for the
most part as my domain account generally had permissions to what I
needed, but my local account hasn't had the same treatment.

So I can reinstall new acls for the local equivalents of the domain
accounts or I can try to figure out why cygwin has to use acls that are
incompatible with windows applications -- and by incompatible, I mean
they won't start.
Oddly enough Samba seems to be able to store cygwin ACLs, in a way that
doesn't seem to require a disabling of windows acls nor linux acls.

I may be wrong, but I seem to have a feeling that this has to do with a
decision to use Sun-ACL's in cygwin while Samba uses Posix ACLs.

Also, something I didn't understand is I seem to remember that something
special had to be done to implement a primary group on the files -- yet,
since Vista, MS has had a primary group on their files to support their
POSIX subsystem. Is that currently being used? If not, would it be
possible?

The group ID may not be figuring into how the cyg-acl's are very incompat
with window's acl's, I dunno. But my main concern is not being able to
start any windows apps in directories where cygwin has set the
permissions as they seem to be incompatible.

Can these be made compatible? If there is some behavior that would have
to change in regards to how cygwin acls + permissions behave, could it be
based off an environment variable -- to use more compatible posix ACL's
rather than sun ACL's?

I may be showing a great deal of ignorance, but it seems that cygwin is
supposed to be a posix implementation -- wouldn't posix acls make more
sense?

Thanks...
Linda
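
Explorer's "incorrectly ordered" message refers to the canonical ACE order Windows tools expect: explicit deny, explicit allow, inherited deny, inherited allow. The sketch below is an added example, not part of the original message and not Cygwin's code; it checks a constructed DACL for canonical order and shows that sorting it changes who gets access. The three-ACE layout and the rwx-style masks are simplifying assumptions that reuse trustee names from the getfacl output above.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # simplified rights bits standing in for Windows access masks

@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    trustee: str
    mask: int
    inherited: bool = False

def rank(ace):
    """Canonical slot: explicit deny=0, explicit allow=1, inherited deny=2, inherited allow=3."""
    return (2 if ace.inherited else 0) + (0 if ace.kind == "deny" else 1)

def first_out_of_order(dacl):
    """Index of the first ACE that breaks canonical order, or None if canonical."""
    highest = 0
    for i, ace in enumerate(dacl):
        if rank(ace) < highest:
            return i
        highest = rank(ace)
    return None

def access_granted(dacl, sids, wanted):
    """Order-sensitive DACL walk: for each requested bit, the first matching ACE decides."""
    remaining = wanted
    for ace in dacl:
        if ace.trustee not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if not remaining:
                return True
    return False

# Constructed DACL (not the real one on /etc/ssh): owner rwx, group r-x,
# with the group's write denial placed after the owner's allow.
POSIX_STYLE = [
    Ace("allow", "Administrators_u", R | W | X),
    Ace("deny", "Users", W),
    Ace("allow", "Users", R | X),
]
CANONICAL = sorted(POSIX_STYLE, key=rank)           # stable sort: denies move first
OWNER_TOKEN = {"Administrators_u", "Users"}         # owner who is also in Users

if __name__ == "__main__":
    print("first non-canonical ACE:", first_out_of_order(POSIX_STYLE))
    print("owner write, original order:", access_granted(POSIX_STYLE, OWNER_TOKEN, W))
    print("owner write, after reorder: ", access_granted(CANONICAL, OWNER_TOKEN, W))
```

Before accepting a reorder of such an ACL, compare effective access for the affected accounts, since the reorder can turn a grant into a denial.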