This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Security Settings for directories created in Cygwin (+ executable bit on files)


Sebastien Vauban <sva-news@...> writes:

> Currently, whenever I create new files from Windows 8 executables (such
> as Notepad), they're often flagged as "executable", even for text files!
> 
> I've noticed that such a behavior happens when I create a new file in
> a directory that has been made FROM CYGWIN (`mkdir ~/test/', for
> example).
> 
> Indeed, the permissions of CYGWIN-CREATED DIRECTORIES seem very weird:
> 
> - "Inherited from"... "None"!
> 
> - "All Users" having "Read & Execute" permission on "this folder,
>   subfolders and FILES"...
> 
> IIUC, when creating a new file from Cygwin, the `umask' (022, in my
> case) is respected and new files are not executables then, except if
> I require it explicitly (via `chmod').
> 
> Though, when creating a new file from a Windows executable, Windows
> inherits permissions from the folder where my file gets created --
> hence, an executable permission if the directory was created from
> Cygwin...
> 
> How to correct that?
> 
> Asking Cygwin to stop playing with the Windows ACL, by mounting my
> personal directories as "noacl"?  Well, that means I won't be able to
> use `chmod' anymore, for setting a script file as "executable", then.
> And I'll have to use a Windows tool to do so, such as `cacls'.
...

Hello,

there is a possibility to get bettter permission settings on files created
by a windows program inside a directory created by cygwin.
you must create special ACE's on this directory like in the following
example with german names used in one of my scripts:

icacls "$dir" /remove ERSTELLER-BESITZER
icacls "$dir" /grant 'ERSTELLER-BESITZER:(OI)(IO)(R,W,D,WDAC,WO)'
icacls "$dir" /grant 'ERSTELLER-BESITZER:(CI)(IO)(F)'
icacls "$dir" /remove ERSTELLERGRUPPE
icacls "$dir" /grant 'ERSTELLERGRUPPE:(OI)(IO)(R,W)'
icacls "$dir" /grant 'ERSTELLERGRUPPE:(CI)(IO)(RX,W,DC)'
icacls "$dir" /remove Jeder
icacls "$dir" /grant 'Jeder:(RX)'
icacls "$dir" /grant 'Jeder:(OI)(IO)(R)'
icacls "$dir" /grant 'Jeder:(CI)(IO)(RX)'

It creates different Default ACE's for files an directories and these will
be inherited correctly when using non-cygwin-windows programs. For
dirctories the execute permission is inherited b ut for files it is not
inherited.

In cygwin-programs the umask is used and executable flags are not requested
for files which are not executables where the compiler wil do this.

All works correctly in both windows-only programs and cygwin programs unless
creating a subdirectory by cygwin - this will not inherit those special
default ACE's to apply only to directories or only to files and thus this
behaviour is lost in a subdirectory created via cygwin.

On the other hand, in cygwin directory creation simple default ACE's which
are to be applied on all directories and files are inhereted to subdirectories.

Thus personally I use those special ACE's on directories only in the SVN
(windows program) tree created by checkout to avoid execute permissions on
files. when creating a new directory there which is generally done via
cygwin I add the listed ACE's via script.

To have those DEFAULT ACE's of general use for integration of cygwin and
windows without always executing a script after creating a new directory in
cygwin it would be necessary to inherit those none-simple DEFAULT ACE's in
cygwin directory creation also, not onle the simple ones.
A drawback for this may be the fact the gefacl/setfacl utilities does not
understand those ACE's and thus  don't show / don't set  it.


regards

kf











--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]