On Apr  1 15:21, Corinna Vinschen wrote:
> Hi Eric,
>
> On Mar 23 20:28, Eric Blake wrote:
> > POSIX also states that chmod(2) is
> > supposed to disable any ACLs that allow alternate access.
>
> How long did you know that this is wrong in Cygwin?  I was really
> surprised to read that.  Maybe you told me already and I ignored it.
> One of the Cygwin patches in 2001 was to change the alloc_sd function so
> that unrelated ACEs are not touched when changing the ACEs reflecting
> the standard file permission bits.  It never occurred to any of us that
> this might be wrong.  Oh well.  I'll look into changing that for 1.7.0.

Erm... hang on.  I just tested this on Linux:

  $ touch xxx
  $ getfacl xxx
  # file: xxx
  # owner: corinna
  # group: users
  user::rw-
  group::r--
  mask::r--
  other::r--

  $ setfacl -m u:nobody:r-- xxx
  $ getfacl xxx
  # file: xxx
  # owner: corinna
  # group: users
  user::rw-
  user:nobody:r--
  group::r--
  mask::r--
  other::r--

  $ chmod 666 xxx
  $ getfacl xxx
  # file: xxx
  # owner: corinna
  # group: users
  user::rw-
  user:nobody:r--
  group::r--
  mask::rw-
  other::rw-

This looks like what we do on Cygwin, too.  Shouldn't the "nobody" entry
disappear when calling chmod?  That's how I understand the statement in
the POSIX docs:

  "An alternate file access control mechanism shall [...] be disabled
   for a file after the file permission bits are changed for that file
   with chmod( ).  The disabling of the alternate mechanism need not
   disable any additional mechanisms supported by an implementation."

Either the ACLs of a file are not an "alternate" access mechanism, but
an "additional" access mechanism.  But that doesn't match the
description either:

  "An additional access control mechanism shall only further restrict
   the access permissions defined by the file permission bits."

Or, Linux doesn't follow POSIX here, which seems unlikely to me.

Or, I completely misunderstand what the above quote means.

Any comment?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
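
Added example, not part of the original mail: the last two getfacl listings above, parsed and compared in Python to show which entries chmod 666 touched and what rights the user:nobody entry yields before and after. The mask rule in effective() is the POSIX.1e draft semantics that Linux ACLs implement; all function names are made up for this illustration.

```python
# Constructed input: the second and third getfacl listings from the mail
# above (before and after "chmod 666 xxx"), header comments omitted.
BEFORE = """\
user::rw-
user:nobody:r--
group::r--
mask::r--
other::r--
"""
AFTER = """\
user::rw-
user:nobody:r--
group::r--
mask::rw-
other::rw-
"""

def parse_acl(text):
    """Parse getfacl short-form entries into {(tag, qualifier): perms}."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop "# file:" style comments
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        acl[(tag, qualifier)] = perms
    return acl

def changed_entries(before, after):
    """Entries whose permissions differ between two parsed ACLs."""
    keys = sorted(set(before) | set(after))
    return {k: (before.get(k), after.get(k))
            for k in keys if before.get(k) != after.get(k)}

def effective(acl, tag, qualifier=""):
    """Rights an entry grants: named users, named groups and the owning
    group are ANDed with the mask; the owner and other entries are not."""
    perms = acl[(tag, qualifier)]
    masked = tag == "group" or (tag == "user" and qualifier != "")
    if masked and ("mask", "") in acl:
        mask = acl[("mask", "")]
        perms = "".join(p if p == m else "-" for p, m in zip(perms, mask))
    return perms

def mode_bits(acl):
    """Bits as stat/ls report them: the group class is the mask if present."""
    group_class = acl.get(("mask", ""), acl[("group", "")])
    return acl[("user", "")] + group_class + acl[("other", "")]
```
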