Re: ACEs and ACLs

Mon, 18 Mar 2024 07:31:08 -0700

Thank you for the greatly needed assistance, but the reference to which you have pointed me says that noacl will be ignored in the case of ntfs file systems.  All of mine are and that has not changed, neither has the default entry in fstab, which seems always to have been: 

none /cygdrive cygdrive binary, posix=0, user 0 0

On 2024-03-18 04:41, Corinna Vinschen via Cygwin wrote:

On Mar 16 18:05, J. Terry Corbet via Cygwin wrote:

[...]
And here is the status that icacls reports back on the original, owning
workstation
after having use vim to modify the two files from that remote workstation.

FileExp.txt NULL SID:(DENY)(Rc,S,REA,WEA,X,DC)
             NW10\tcorbet:(DENY)(S,RD,WD,AD,REA,WEA,X,DC)
             NW10\tcorbet:(D,Rc,WDAC,WO,RA,WA)
             NW10\None:(Rc,S,RA)
             NT AUTHORITY\Authenticated Users:(RX,W)
             NT AUTHORITY\SYSTEM:(RX,W)
             BUILTIN\Administrators:(RX,W)
             BUILTIN\Users:(RX)
             Everyone:(Rc,S,RA)

vimtest.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
             NW10\tcorbet:(R,W,D,WDAC,WO)
             NW10\None:(DENY)(S,X)
             NT AUTHORITY\Authenticated Users:(DENY)(S,X)
             NT AUTHORITY\SYSTEM:(DENY)(S,X)
             BUILTIN\Administrators:(DENY)(S,X)
             BUILTIN\Users:(DENY)(S,X)
             NW10\None:(RX)
             NT AUTHORITY\Authenticated Users:(RX,W)
             NT AUTHORITY\SYSTEM:(RX,W)
             BUILTIN\Administrators:(RX,W)
             BUILTIN\Users:(RX)
             Everyone:(R)

If my understanding is correct concerning the precedence handling of an
ACL with multiple ACEs for the same user/ID, this result from grep
on the original, owning workstation would not surprise you:

F:\Dev\cygshoot>grep foo fileexp.txt
grep: fileexp.txt: Permission denied

but it blows me completely away.  Clearly I no longer have an environment
in which I can work on any file from any workstation using any Cygwin
utilities.

What have I messed up?

The problem is that your identity is based on the SID of every single
machine, and the machines don't know the SIDs of other machines.  The
default ACL created in Cygwin is emulating POSIX permissions.  This
becomes a problem when sharing files between machines not in the
same Windows domain.

The workaround is not to use POSIX permissions on shares.  Create
matching mount points in /etc/fstab or /etc/fstab.d/ and add the
"noacl" mount flag:

   https://cygwin.com/cygwin-ug-net/using.html#mount-table

Alternatively, you can also just add an fstab entry for the cygdrive
prefix which adds the "noacl" flag, see

   https://cygwin.com/cygwin-ug-net/using.html#cygdrive

but keep in mind that this also affects local paths if you access
them via the cygdrive prefix.


HTH,
Corinna



--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

Reply via email to