On Feb 11 13:28, Eric Blake wrote: > On 02/10/2015 02:21 AM, Corinna Vinschen wrote: > > o The other way to emulate writing an ACL_MASK entry would be to drop > > permissions from all groups and secondary users so they match the > > desired mask value. This is secure, but in contrast to the other > > solution it would change the secondary permissions permanently. > > Changing the mask back would not change the permissions of the > > secondary ACL entries back. > > Possible enhancement on this idea (I have no clue if it would actually > work, though): > > When rewriting ACE entries because of the just-added restrictive > ACL_MASK, put in some marker that mimics the default deny-all action, > then additional entries in the tail of the ACE list that shows the > pre-modified permissions that we just took away due to the mask. If we > later loosen the mask, we can use the tail of entries to restore > original permissions. And since the tail occurs after a catch-all deny, > they won't grant permissions in the meantime. The trick then becomes > telling when we have stuck our marker in place to represent that we have > injected tail entries to reflect the state to restore if ACL_MASK is > relaxed.
I see what you're up to. Right now I'm just a bit side-tracked because I had an inspiration how it should be possible to avoid the reported "slow startup" problem due to slow LDAP conncetions to the DC. After that I'll return to the matter and peruse your idea. In the meantime I also realized that the way Cygwin reads and creates the file ACLs in two different sets of functions (one for stat/chmod, the other for acl(GETACl)/acl(SETACL)) is a rather bad idea. I think I'll take the opportunity to revamp the ACL handling completely to unify the calls into a single implementation with consistent results. Ideally the result is more POSIXy than today. Thanks, Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat
pgp2PpEsL2lPC.pgp
Description: PGP signature
