On Feb 10 11:48, Achim Gratz wrote:
> Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > Here's the problem: Windows doesn't support an ACL_MASK entry, nor
> > anything even remotely resembling it.
>
> Right. And pretending that it does is doing more harm than good, IMHO.
>
> > o The other way to emulate writing an ACL_MASK entry would be to drop
> >   permissions from all groups and secondary users so they match the
> >   desired mask value. This is secure, but in contrast to the other
> >   solution it would change the secondary permissions permanently.
> >   Changing the mask back would not change the permissions of the
> >   secondary ACL entries back.
>
> Please note that the typical user in a corporate environment has no
> rights to do this on network shares and even if (s)he did, it would quite
> often break things for other users and is certain to draw the ire of the
> share administrators just as if you'd do the same thing via Windows' own
> tools. So please do not do this by default, there are just too many scripts
> that blindly use some chmod somewhere.
>
> > o Cygwin could emulate the mask by adding an Access-denied ACE for the
> >   authenticated user SID (S-1-5-11) right after the primary group entry.
> >   The permissions in this ACE are the x'or value of the permissions
> >   given in the mask. Such an ACL would basically look like this:
>
> Same issue as above, except it would be more easily reversible.

The permissions to change the ACL are not overly relevant here. The
reason is, if the user has no permissions to write the DACL, it won't be
able to chmod anyway. So, whatever we do to implement ACL_MASK, it's ok
even in a corp env, because the user apparently has the right to change
the DACL and thus it doesn't matter.

> If anybody feels really strongly about these issues, they can always mount
> "noacl". We'll just have to live with how Windows implements ACL otherwise.

True. Noacl mounts are the way to go in case of what you describe,
having no perms to write the DACL, even if the files are owned by the
user.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat