X-Recipient: archive-cygwin AT delorie DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 6746C3860C3E
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1603617608;
	bh=Tol3IIngvvgRwfTpaHMuu3v3Cn4YPHqULz7i3wXE6cI=;
	h=Date:To:Subject:In-Reply-To:References:List-Id:List-Unsubscribe:
	 List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:
	 From;
	b=QYsrumKmEbsyeIdTqH9CFis5Az5YbYZfv4Pqts7ZeHvRX/0Gj0Y65uxakbc1dfBh9
	 B+HHI0z+m0YUn1KEfsLZL2O3Ny5xuJhTJDWZQhxlrbxEX6y8F5x//tlcFkBObvF0IL
	 BvR0eAYrJGSC6BzVGYXPnXCPWFoB2msVkIqAQW8s=
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 1F9303851C26
Date: Sun, 25 Oct 2020 12:19:40 +0300
X-Mailer: The Bat! (v6.8.8) Home
X-Priority: 3 (Normal)
Message-ID: <1689204445.20201025121940@yandex.ru>
To: Jim McNamara <nefariousscheme AT gmail DOT com>, cygwin AT cygwin DOT com
Subject: Re: Fwd: Objects in ACL cygwin win 10
In-Reply-To: <CAEMWCRtTYxhdFdPh9aQqrPU+o-4OoBzc_E6=gVOtYKK-OhkaRQ@mail.gmail.com>
References: <CAEMWCRsuDarNBBTOeB29fibz=Jt6zAg-brv_aejEQc7rOSeS2Q AT mail DOT gmail DOT com> 
 <3f0e071c-66c7-b6e8-f907-40a333872d07 AT SystematicSw DOT ab DOT ca>
 <CAEMWCRv-MeG88TbivmVFjFL10VpiQqWt7nq5zJ5KfQGho_puyg AT mail DOT gmail DOT com>
 <9c03f3ea-8989-5f93-41c4-4d832eaef94c AT cs DOT umass DOT edu>
 <CAEMWCRvrVGvfX_3yP7XF6SmNtFXd9UwQVahq1bRL1tazBbCibg AT mail DOT gmail DOT com>
 <CAEMWCRvNZkheRisrzx9v_fS3dphE0TzjMvFULYfWxD-RVGBwfw AT mail DOT gmail DOT com>
 <83773bf8-4ec6-d2ed-b2ba-37e64cc7dcc0 AT SystematicSw DOT ab DOT ca>
 <CAEMWCRtTYxhdFdPh9aQqrPU+o-4OoBzc_E6=gVOtYKK-OhkaRQ AT mail DOT gmail DOT com>
MIME-Version: 1.0
X-Spam-Status: No, score=-0.4 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, KAM_NUMSUBJECT,
 KAM_THEBAT, NICE_REPLY_A, SPF_HELO_NONE, SPF_PASS,
 TXREP autolearn=no autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Andrey Repin via Cygwin <cygwin AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
Cc: Andrey Repin <anrdaemon AT yandex DOT ru>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cygwin-bounces AT cygwin DOT com
Sender: "Cygwin" <cygwin-bounces AT cygwin DOT com>

Greetings, Jim McNamara!

Please no top-posting in this list.


>> On 2020-10-23 21:49, Jim McNamara via Cygwin wrote:
>> > On Fri, Oct 23, 2020, 10:06 PM Eliot Moss wrote:
>>
>> >> I have to admit I am not 100% sure what you are asking, but I am careful
>> >> to grant SYSTEM access so
>> >> that my backup program can access and save a copy of virtually
>> everything
>>
>> > Thanks for you and Brian helping me.
>> > I used icacls cygwin /q /c /t reset
>>
>> You have to be very careful using icacls and other Windows commands with
>> Cygwin
>> ACLs as
>>
>> "ICACLS preserves the canonical ordering of ACE entries:
>>         Explicit denials
>>         Explicit grants
>>         Inherited denials
>>         Inherited grants"
>>
>> and Cygwin's POSIX ACLs may or may not obey this canonical order; Windows
>> File
>> Explorer often does not consider Cygwin ACLs in what it considers canonical
>> order and requires them to be reordered, which breaks the Cygwin
>> permissions.
>>
>> Ah, that "NT AUTHORITY/SYSTEM" SID, normally paired with
>> BUILTIN/Administrators,
>> as users, groups, or both:
>>
>> $ ls -dl /proc/cygdrive/c/Users/; echo; getfacl /proc/cygdrive/c/Users/;
>> echo;
>> icacls C:/Users/
>> drwxr-xr-x+ 1 SYSTEM SYSTEM 0 Apr 13  2020 /proc/cygdrive/c/Users/
>>
>> # file: /proc/cygdrive/c/Users/
>> # owner: SYSTEM
>> # group: SYSTEM
>> user::rwx
>> group::r-x
>> group:Administrators:rwx        #effective:r-x
>> group:Users:r-x
>> mask::r-x
>> other::r-x
>> default:user::rwx
>> default:group::---
>> default:group:Administrators:rwx        #effective:r-x
>> default:group:Users:r-x
>> default:mask::r-x
>> default:other::r-x
>>
>> C:/Users/ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
>>           BUILTIN\Administrators:(OI)(CI)(F)
>>           BUILTIN\Users:(RX)
>>           BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
>>           Everyone:(RX)
>>           Everyone:(OI)(CI)(IO)(GR,GE)
>>
>> Successfully processed 1 files; Failed processing 0 files
>>

> Yes, I see now what you are saying. Didn't know why it behaves like that.
> Do you reccomend:

> A. Noacl option  in fstab
> B. Reinstall and leave icacls in windows alone so I can deploy in future
> with runtime

C. Reinstall Cygwin into a new directory (or backup the current one and
reinstall). Use noacl option for directories outside Cygwin tree (i.e.
/cygdrive).


-- 
With best regards,
Andrey Repin
Sunday, October 25, 2020 12:07:33

Sorry for my terrible english...

--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple