How to remove pesky persistent +x bits that chmod -x won't remove

Thu, 19 May 2016 18:03:07 -0700 

I think I have an ACL inheritance problem.  Here’s the scenario:

$ ls -l Protocol.md       ## Boo, bad permissions; shouldn’t be +x!
-rwxr--r--+ 1 Warren Warren 4.3K May 19 18:41 Protocol.md*

$ chmod -x Protocol.md
$ ls -l Protocol.md       ## Still +x!  Did I stutter?
-rwxr--r--+ 1 Warren Warren 4.3K May 19 18:41 Protocol.md*

$ icacls.exe Protocol.md  ## Okayyy…lots of X’s
Protocol.md NULL SID:(DENY)(Rc,S,X,DC)
            MOSSYMAZE\Warren:(R,W,D,WDAC,WO)
            MOSSYMAZE\Warren:(DENY)(S,X)
            NT AUTHORITY\SYSTEM:(DENY)(S,X)
            BUILTIN\Administrators:(DENY)(S,X)
            MOSSYMAZE\Warren:(RX)
            NT AUTHORITY\SYSTEM:(RX,W)
            BUILTIN\Administrators:(RX,W)
            Everyone:(R)

Successfully processed 1 files; Failed processing 0 files

$ icacls Protocol.md /reset  ## Nuke the X’s!
processed file: Protocol.md
Successfully processed 1 files; Failed processing 0 files

$ ls -l Protocol.md          ## Still +x!
-rwx---r-x+ 1 Warren Warren 4.3K May 19 18:41 Protocol.md*

$ chmod -x Protocol.md       ## Ah, *now* it will listen to me.
$ ls -l Protocol.md
-rw----r--+ 1 Warren Warren 4.3K May 19 18:41 Protocol.md

$ icacls.exe Protocol.md     ## Clear as mud
Protocol.md NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Administrators:(I)(F)
            MOSSYMAZE\Warren:(I)(F)
            Everyone:(I)(RX)



I assume this is happening because something farther up the directory tree 
keeps reapplying the +x bit to this file, but I can’t see what from the icacls 
output.  Is there a tool that will give me a tree view so I can see what’s 
applied at each level?  Failing that, do I just run icacls on every parent 
directory of this file?  And then what?  I don’t think I dare /reset all 
permissions clear back to the root.

This 2-step permission fix is getting old, because the bad permissions come 
back again every time something rewrites one of the affected files.

For what it’s worth, setfacl -bk followed by a chmod -x sometimes always fixes 
this.  I’m just using icacls above because its output seems clearer, probably 
because it’s NTFS-native, not reinterpreting everything through a POSIX lens.
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Reply via email to