This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Security Settings for directories created in Cygwin (+ executable bit on files)


On Aug 12 10:51, Kurt Franke wrote:
> Sebastien Vauban <sva-news@...> writes:
> > [...]
> > Asking Cygwin to stop playing with the Windows ACL, by mounting my
> > personal directories as "noacl"?  Well, that means I won't be able to
> > use `chmod' anymore, for setting a script file as "executable", then.
> > And I'll have to use a Windows tool to do so, such as `cacls'.
> ...
> 
> Hello,
> 
> There is a possibility to get better permission settings on files created
> by a Windows program inside a directory created by Cygwin.
> You must create special ACEs on this directory like in the following
> example with German names used in one of my scripts:
> 
> icacls "$dir" /remove ERSTELLER-BESITZER
> icacls "$dir" /grant 'ERSTELLER-BESITZER:(OI)(IO)(R,W,D,WDAC,WO)'
> icacls "$dir" /grant 'ERSTELLER-BESITZER:(CI)(IO)(F)'

That's "CREATOR OWNER" on English systems.

> icacls "$dir" /remove ERSTELLERGRUPPE
> icacls "$dir" /grant 'ERSTELLERGRUPPE:(OI)(IO)(R,W)'
> icacls "$dir" /grant 'ERSTELLERGRUPPE:(CI)(IO)(RX,W,DC)'
> icacls "$dir" /remove Jeder
> icacls "$dir" /grant 'Jeder:(RX)'
> icacls "$dir" /grant 'Jeder:(OI)(IO)(R)'
> icacls "$dir" /grant 'Jeder:(CI)(IO)(RX)'

"CREATOR GROUP"

> It creates different default ACEs for files and directories and these will
> be inherited correctly when using non-Cygwin Windows programs. For
> directories the execute permission is inherited but for files it is not
> inherited.
> [...]
> To have those DEFAULT ACEs of general use for integration of Cygwin and
> Windows without always executing a script after creating a new directory in
> Cygwin it would be necessary to inherit those non-simple DEFAULT ACEs in
> Cygwin directory creation also, not only the simple ones.
> A drawback for this may be the fact that the getfacl/setfacl utilities do not
> understand those ACEs and thus don't show / don't set them.

It complicates handling of default permissions in the acl system
calls a lot.  You'd have to handle two CREATOR OWNER ACEs as a single
"default:user" entry.  Same for "CREATOR GROUP".  I'm not saying this is
impossible to implement, just that it's a good amount of work.

http://cygwin.com/acronyms/#PGA


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
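
A simplified model of the inheritance flags used in the quoted `icacls` calls, added here as an illustration (it is not code from this thread or from Cygwin): it computes which ACEs a newly created file or subdirectory would receive from the parent. The function names are hypothetical, the model assumes the standard meaning of `(OI)`, `(CI)`, `(IO)` and `(NP)`, and it does not model the replacement of CREATOR OWNER / CREATOR GROUP by the actual owner and group.

```python
import re

# ACE specs exactly as granted by the icacls calls quoted above.
ACES = [
    ("ERSTELLER-BESITZER", "(OI)(IO)(R,W,D,WDAC,WO)"),
    ("ERSTELLER-BESITZER", "(CI)(IO)(F)"),
    ("ERSTELLERGRUPPE", "(OI)(IO)(R,W)"),
    ("ERSTELLERGRUPPE", "(CI)(IO)(RX,W,DC)"),
    ("Jeder", "(RX)"),
    ("Jeder", "(OI)(IO)(R)"),
    ("Jeder", "(CI)(IO)(RX)"),
]
INHERIT_FLAGS = ("OI", "CI", "IO", "NP")

def parse(spec):
    """Split '(OI)(IO)(R,W)' into (set of inheritance flags, rights string)."""
    groups = re.findall(r"\(([^)]*)\)", spec)
    flags = {g for g in groups if g in INHERIT_FLAGS}
    rights = [g for g in groups if g not in INHERIT_FLAGS]
    if len(rights) != 1:
        raise ValueError(f"expected exactly one rights group in {spec!r}")
    return flags, rights[0]

def inherit(aces, child_is_dir):
    """ACEs a new child gets from its parent directory (simplified model)."""
    out = []
    for who, spec in aces:
        flags, rights = parse(spec)
        # OI targets files, CI targets subdirectories.
        applies = ("CI" if child_is_dir else "OI") in flags
        # A subdirectory also carries inheritable ACEs further down, unless NP.
        passes_on = child_is_dir and "NP" not in flags and bool(flags & {"OI", "CI"})
        if not (applies or passes_on):
            continue
        keep = [f for f in ("OI", "CI") if f in flags] if passes_on else []
        if passes_on and not applies:
            keep.append("IO")  # file-only ACE: stored on the dir, not applied to it
        out.append((who, "".join(f"({f})" for f in keep) + f"({rights})"))
    return out

def effective_rights(aces):
    """Rights applying to the object itself, i.e. ACEs without (IO)."""
    parsed = [(who, parse(spec)) for who, spec in aces]
    return {who: rights for who, (flags, rights) in parsed if "IO" not in flags}

if __name__ == "__main__":
    print("new file:", effective_rights(inherit(ACES, child_is_dir=False)))
    print("new dir: ", effective_rights(inherit(ACES, child_is_dir=True)))
```

For the ACEs above the model yields no execute right on new files and `F`, `RX,W,DC` and `RX` on new subdirectories, matching the behaviour described in the quoted message.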


