On Aug 28 11:55, Corinna Vinschen wrote:
> On Aug 28 07:25, Achim Gratz wrote:
> > As a concrete example, in the following the directory x86 shows up on Cygwin
> > as follows:
> >
> > > getfacl x86
> > # file: x86
> > # owner: otheruser
> > # group: Domain Users
> > user::---
> > group::---
> > group:FilerAdmins:rwx
> > group:ShareOwners:rwx
> > mask:rwx
> > other:---
> > default:user::---
> > default:group::---
> > default:group:FilerAdmins:rwx
> > default:group:ShareOwners:rwx
> > default:mask:rwx
> > default:other:---
> > > ls -ld x86
> > d---------+ 1 otheruser Domain Users 0 Jun 23 14:09 x86/
> >
> > Under Linux in the same situation you'd get
> >
> > > ls -ld x86
> > d---rwx---+ 1 otheruser Domain Users 0 Jun 23 14:09 x86/
> >
> > instead (i.e. the mask bits shown in the group portion of the standard mode
> > flags). If the file was owned by your uid, then you'd get indeed
> >
> > > ls -ld x86
> > d---------+ 1 myself Domain Users 0 Jun 23 14:09 x86/
> >
> > but you'd also really have no permissions. On Windows you do have
> > permission to the file in that situation since the POSIX part of the ACL
> > (particularly the user::--- part that revokes all access for the file owner)
> > are faked by Cygwin and not taken into account when the file gets finally
> > accessed:
> >
> > > icacls x86
> > x86 DOM\FilerAdmins:(I)(OI)(IO)(F)
> >     DOM\FilerAdmins:(I)(CI)(F)
> >     DOM\ShareOwners:(I)(OI)(IO)(M)
> >     DOM\ShareOwners:(I)(CI)(M)
> >
> > If getting at the correct mask is too expensive, simply always faking an
> > "rwx" mask might actually be better than what we have now, since once the
> > ACL are fully processed you'll get the correct permissions anyway.
>
> Handling of the CLASS object (aka "mask") has never been fully
> implemented, especially because there's no such thing as a CLASS object
> in a Windows ACL.
>
> I guess it will always be some fake, but, yes, we can try to change
> stat() so that the st_mode group permissions reflect the or'ed bits of
> all permissions given to non-primary users and groups. Same in acl(2).
> That might be useful.

I implemented this preliminary and uploaded a snapshot to
https://cygwin.com/snapshots/

"Preliminary", because this change introduces an API change: Since the
CLASS_OBJ and DEF_CLASS_OBJ entries only exist if secondary user and
group (default) entries exist, that means the default permission entry
only consists of 3 ACEs. This in turn means, the constant
MIN_ACL_ENTRIES changed from 4 to 3.

This might negatively affect coreutils, at least `ls', even though in my
local testing it looked all normal.

Please test.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat