Re: [TESTERS needed] New POSIX permission handling

Sat, 11 Apr 2015 09:28:01 -0700

I'm primarily a lurker, reading this list hoping things soak in a bit. So I may be off base on this.
In the table below, describing "NULL DENY access mask", looks like there's a typo concerning read/execute. (of course it might just be a windows mapping peculiarity that I really didn't want to know about ;-) 

-ernie

On 4/11/2015 3:07 AM, Corinna Vinschen wrote:

On Apr 11 11:40, Corinna Vinschen wrote:

On Apr 10 19:00, Steven Penny wrote:

On Fri, Apr 10, 2015 at 5:07 AM, Corinna Vinschen wrote:

Please give the new code a try.  I uploaded new 2015-04-10 developer
snapshots to https://cygwin.com/snapshots/

Here is the test I ran:

     $ cd /cygdrive/c

     $ touch ~/{alpha,bravo}.sh ~+/{charlie,delta}.sh

     $ chmod +x ~/bravo.sh ~+/delta.sh

     $ ls -l --color ~/{alpha,bravo}.sh ~+/{charlie,delta}.sh
     -rw-rw-r--+ 1 John None 0 Apr 10 16:51 /cygdrive/c/charlie.sh
     -rwxrwxr-x+ 1 John None 0 Apr 10 16:51 /cygdrive/c/delta.sh    (green)
     -rw-r--r--  1 John None 0 Apr 10 16:51 /home/John/alpha.sh
     -rwxrwxr-x  1 John None 0 Apr 10 16:51 /home/John/bravo.sh     (green)

So "charlie.sh" looks strange because it has that extra write permission.
However this is not a big deal for me. My concern was that everything was
showing up executable (green) when running "ls --color". So overall this is an
improvement, thanks.

What is '~+'?  Is that some weird bash feature?

Did you check the ACL?  The ACL before and after the change should
explain what happened.  Check it with getfacl *and* icacls to get
an idea what it looks like, and compare the result with the POSIX
ACL rules, as outlined on, e.g., http://linux.die.net/man/5/acl.

On second thought, what you need to know is what the NULL DENY ACE looks
like when looking at it in icacls.

The following bits in the NULL DENY access mask are used:

   Windows access    <->   POSIX access
   --------------          ------------
   FILE_READ_DATA          S_ISVTX
   FILE_WRITE_DATA         S_ISGID
   FILE_APPEND_DATA        S_ISUID

   FILE_READ_EA            MASK S_IXOTH  (POSIX execute perms)
   FILE_WRITE_EA           MASK S_IWOTH  (POSIX write perms)
   FILE_EXECUTE            MASK S_IROTH  (POSIX read perms)


Are read and execute swapped intentionally in the above?



   FILE_DELETE_CHILD       Set if MASK is valid

   READ_CONTROL            Set to mark this as a "new style" ACL.

   SYNCHRONIZE             Has no meaning, but icacls has a bug in
                           printing the access mask of DENY ACEs.

Same bits are used in the inheritable NULL DENY, but S_ISVTX and S_ISUID
should never be set, because they are not supposed to be inherited,


HTH,
Corinna




--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple























					Reply via email to