Mailing-List: contact cygwin-developers-help AT cygwin DOT com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-developers-owner AT cygwin DOT com Delivered-To: mailing list cygwin-developers AT cygwin DOT com Date: Sat, 24 Aug 2002 15:00:24 -0400 From: Christopher Faylor To: cygwin-developers AT cygwin DOT com Subject: Re: acl_access denies access owned by 'Everyone' group Message-ID: <20020824190024.GA27153@redhat.com> Reply-To: cygwin-developers AT cygwin DOT com Mail-Followup-To: cygwin-developers AT cygwin DOT com References: <3D6665E2 DOT 92F8C445 AT ieee DOT org> <19113724867 DOT 20020823191251 AT logos-m DOT ru> <3D6665E2 DOT 92F8C445 AT ieee DOT org> <3 DOT 0 DOT 5 DOT 32 DOT 20020824122230 DOT 0081d160 AT h00207811519c DOT ne DOT client2 DOT attbi DOT com> <63212222920 DOT 20020824223431 AT logos-m DOT ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <63212222920.20020824223431@logos-m.ru> User-Agent: Mutt/1.3.23.1i On Sat, Aug 24, 2002 at 10:34:31PM +0400, egor duda wrote: >Hi! > >Saturday, 24 August, 2002 Pierre A. Humblet Pierre DOT Humblet AT ieee DOT org wrote: > >PAH> At 06:53 PM 8/24/2002 +0400, egor duda wrote: >>>Hi! >>> >>>Are you talking about nt->unix access rights mapping here? > >PAH> Yes. > >>>What if in this case we set permissions like this: >>>-abcxyzxyz user Everyone file_name >>> >PAH> I assume you are talking about mapping the nt ACL to unix >PAH> Makes sense, group = other. However the way the code is written, it will >PAH> interpret the ACL as -abcxyz--- because the Everyone ACL entry is >PAH> used up for group. With the change I proposed (I will send a patch), it >PAH> would be -abc---xyz, which would in fact be equivalent to -abcxyzxyz, as >PAH> Everyone is no more a valid group in the unix sense, so there is nobody >PAH> in Everyone ! > >Ah, ok. Actually, this should be enough for standard logic for checking of >access rights via access() or stat() to work. '-abc---xyz' may look a >little strange for an eye of an untrained unixoid who is using cygwin, >but it's probably ok. The main point of my concern is to maintain > >'File is accessible natively' iff 'File looks accessible from the >point of view of posix APIs' > >as strictly, as we can. Hmm. Interesting perspective when you read email all at once rather than when it comes in (I've been away). Two things come to mind when reading this thread: 1) Should we just be ignoring "Everyone" when we read /etc/group? Would that have "fixed" things here? 2) Would it be feasible to either extend cygcheck to perform some sanity checks on file accesses or to write another standalone utility that does so? Actually, now that I think of it, adding some additional logic to cygcheck to accommodate frequently seen problems in the cygwin mailing list would be a wonderful thing. This is a little more difficult than it may seem at first since, these days, cygcheck is not a cygwin program. However, it could be an interesting project for someone who is not currently a cygwin internals guru. You could make a huge difference to the cygwin community if you could add, say, checking for common problems when trying to run "cron" or something. >PAH> I am curious why it was decided to put the file in the Everyone group. > >:) It was purely by accident. I agree that this may be foolish, but >this doesn't mean we shouldn't be foolproof against this. I agree. cgf