Mailing-List: contact cygwin-developers-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-developers-owner AT cygwin DOT com
Delivered-To: mailing list cygwin-developers AT cygwin DOT com
Message-ID: <3D6665E2.92F8C445@ieee.org>
Date: Fri, 23 Aug 2002 12:42:10 -0400
From: "Pierre A. Humblet"
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: egor duda
Subject: Re: acl_access denies access owned by 'Everyone' group
References: <19113724867 DOT 20020823191251 AT logos-m DOT ru>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

egor duda wrote:
>
> Hi!
>
> Disclaimer: I have checked this only with cvs version, but
> downloading the latest release now to verify things with it.
>
> I have a file:
>
> $ ls -la /usr/lib/gcc-lib/i686-pc-cygwin/3.2/specs
> $ -rw-r----- 1 duda_adm Everyone 7163 Aug 17 22:41 /usr/lib/gcc-lib/i686-pc-cygwin/3.2/specs
> $ getfacl /usr/lib/gcc-lib/i686-pc-cygwin/3.2/specs
> # file: /usr/lib/gcc-lib/i686-pc-cygwin/3.2/specs
> # owner: 1291
> # group: 0
> user::rw-
> group::r--
> mask::r--
> other::---
> $ grep Everyone /etc/group
> Everyone:S-1-1-0:0:duda,duda_admin
>
> It's owned by different user (i'm currently logged on as 'duda'), but
> 'r' right to Everyone group which i belong to should give me the right
> to access the file.
>
> running gcc, though, shows this in strace
>
> 74 213690 [main] gcc 327 path_conv::check: root_dir(e:\), this->path(e:\unix\usr\lib\gcc-lib\i686-pc-cygwin\3.2\specs), set_has_acls(8)
> 75 213765 [main] gcc 327 read_sd: file = e:\unix\usr\lib\gcc-lib\i686-pc-cygwin\3.2\specs
> 145 213910 [main] gcc 327 read_sd: file = e:\unix\usr\lib\gcc-lib\i686-pc-cygwin\3.2\specs: len=0
> 147 214057 [main] gcc 327 getacl: 4 = getacl (e:\unix\usr\lib\gcc-lib\i686-pc-cygwin\3.2\specs)
> 383 214440 [main] gcc 327 __set_errno: int acl_access(const char*, int):458 val 13
>
> and gcc ignores this file and tries to look for specs further.
>
> Is it an error in my setup or something wrong with recent ntsec
> changes, which, i saw, affected handling of Everyone group?
>
> If time allows, i'll certainly try to debug this further.
>
> egor. mailto:deo AT logos-m DOT ru icq 5165414 fidonet 2:5020/496.19

I believe it's caused by recent ntsec changes that do not include the
Everyone group in the list of groups you belong to (everybody is
automatically in the Everyone group, it's not a matter of choice).
Parenthetically, the entry in /etc/group is not taken into account
by Cygwin (except when you setuid to duda). Cygwin relies on the
groups that Windows puts in your access token when you log in.

But I also believe your setup is nonsensical. It makes no sense to
have a file in the Everyone group. Everyone is already used in the
file ACL to record access rights for "other". If the group is Everyone,
there is no way to distinguish between "group" rights and "other" rights.
Note that as a side effect "other" is shown as having no access to the
file. See my recent e-mail in the cygwin-patches list.

Because of the impossibility to distinguish between "group" and "other"
access in such a case, there is no way to handle the situation "correctly".
To err in the direction of not rejecting access in typical cases,
the lines (around 320 in sec_acl.cc)
    else if (ace_sid == group_sid)
    else if (ace_sid == well_known_world_sid)
could be interchanged.

Pierre
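
The ambiguity discussed in this message, as an added example that is not part of the original e-mail and is not Cygwin's sec_acl.cc code: a simplified model in which an ACE for the Everyone SID is assigned to either the "group" or the "other" class depending on which test runs first. The struct and function names, the placeholder SIDs, and the form of the access check are assumptions made for illustration.

```cpp
#include <string>
#include <vector>

// Simplified model (assumption): one allow-ACE per SID, permissions as rwx bits.
struct Ace { std::string sid; int perms; };
struct PosixAcl { int user = 0, group = 0, other = 0; };
const std::string WORLD_SID = "S-1-1-0";  // Everyone, as in the quoted /etc/group line

// Map ACEs to POSIX classes. world_first=false tests the group SID before the
// world SID (the order the message quotes); true interchanges the two tests.
PosixAcl classify(const std::vector<Ace>& dacl, const std::string& owner_sid,
                  const std::string& group_sid, bool world_first) {
    PosixAcl acl;
    for (const Ace& ace : dacl) {
        if (ace.sid == owner_sid) acl.user |= ace.perms;
        else if (world_first) {
            if (ace.sid == WORLD_SID) acl.other |= ace.perms;
            else if (ace.sid == group_sid) acl.group |= ace.perms;
        } else {
            if (ace.sid == group_sid) acl.group |= ace.perms;
            else if (ace.sid == WORLD_SID) acl.other |= ace.perms;
        }
    }
    return acl;
}

// POSIX-style check (assumed): owner class, then group class if the file's
// group SID is in the caller's group list, otherwise the "other" class.
bool access_ok(const PosixAcl& acl, const std::string& caller_sid,
               const std::vector<std::string>& caller_groups,
               const std::string& owner_sid, const std::string& group_sid, int want) {
    if (caller_sid == owner_sid) return (acl.user & want) == want;
    for (const std::string& g : caller_groups)
        if (g == group_sid) return (acl.group & want) == want;
    return (acl.other & want) == want;
}

// Constructed scenario: file group is Everyone, the caller is not the owner,
// and the caller's group list omits Everyone. Placeholder SIDs are made up.
bool caller_can_read(bool world_first) {
    const int R = 4, W = 2;
    std::vector<Ace> dacl = {{"S-OWNER", R | W}, {WORLD_SID, R}};
    PosixAcl acl = classify(dacl, "S-OWNER", WORLD_SID, world_first);
    std::vector<std::string> groups = {"S-SOME-GROUP"};
    return access_ok(acl, "S-CALLER", groups, "S-OWNER", WORLD_SID, R);
}
```

With the group test first, the Everyone ACE lands in "group" and "other" comes out empty, matching the quoted getfacl output, so the read is refused; with the tests interchanged the same ACE lands in "other" and the read is allowed.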