This is the mail archive of the cygwin mailing list for the Cygwin project.



full control for non owner and resulting 'cp' created file perms


The file "zam" below has slightly unusual Windows permissions -
it does not inherit from its parent dir, the owner of the
file has no ACEs, another user "staffuser1" has full control.

  run:

    cp zam zam-cp

  then:

    "staffuser1" can 'cat' zam-cp, but 'cmd /c type zam-cp' fails. Is that
    a bug?

    If you look at the rights on zam-cp (search ahead for "dacl zam-cp")
    I do not see how Cygwin 'cat' is able to read 'zam-cp' at all.
    Which "allow permission" accounts for this?

--
*thanks*,
Tom

# -------------------------------------------------------------------- 
# two examples of puzzling 'cp' behavior, a fairly new cygwin, 
# and an old one  (resulting copy unreadable by 'cmd /c type')
# (shell sessions below both done logged in as "staffuser1")
# -------------------------------------------------------------------- 

  //OurHost_onw/d_drive/aut/cyg/tmp $ uname -a
  CYGWIN_NT-5.1 OurWorkStn00 1.5.24(0.156/4/2) 2007-01-31 10:57 i686 Cygwin
  //OurHost_onw/d_drive/aut/cyg/tmp $ dacl zam
  + setacl -on '\\OurHost_onw\d_drive\aut\cyg\tmp\zam' -ot file -actn list -lst 'f:tab;w:o,g,d,s;i:y;s:n'
  \\?\UNC\OurHost_onw\d_drive\aut\cyg\tmp\zam

     Owner: BUILTIN\Administrators

     Group: DOMxx1\Domain Users

     DACL(not_protected):
     DOMxx1\staffuser1   full   allow   no_inheritance
     NT AUTHORITY\SYSTEM   full   allow   no_inheritance


  SetACL finished successfully.
  + set +x
  //OurHost_onw/d_drive/aut/cyg/tmp $ cp zam zam-cp
  //OurHost_onw/d_drive/aut/cyg/tmp $ md5sum zam zam-cp
  69d61ec73a9426dba64bf17888794b6e *zam
  69d61ec73a9426dba64bf17888794b6e *zam-cp
  //OurHost_onw/d_drive/aut/cyg/tmp $ head -2 zam-cp
  1
  2
  //OurHost_onw/d_drive/aut/cyg/tmp $ cmd /c type zam-cp
  Access is denied.
  //OurHost_onw/d_drive/aut/cyg/tmp $ dacl zam-cp
  + setacl -on '\\OurHost_onw\d_drive\aut\cyg\tmp\zam-cp' -ot file -actn list -lst 'f:tab;w:o,g,d,s;i:y;s:n'
  \\?\UNC\OurHost_onw\d_drive\aut\cyg\tmp\zam-cp

     Owner: BUILTIN\Administrators

     Group: DOMxx1\Domain Users

     DACL(protected):
     BUILTIN\Administrators   FILE_WRITE_EA+FILE_WRITE_ATTRIBUTES+READ_CONTROL+WRITE_OWNER+WRITE_DAC+DELETE   allow   no_inheritance
     DOMxx1\Domain Users   FILE_READ_EA+FILE_READ_ATTRIBUTES+READ_CONTROL   allow   no_inheritance
     Everyone   FILE_READ_EA+FILE_READ_ATTRIBUTES+READ_CONTROL   allow   no_inheritance


  SetACL finished successfully.
  + set +x
  //OurHost_onw/d_drive/aut/cyg/tmp $ 

  --SNIP/switch to another host, same instance of file, older cygwin:

  /tmp $ dacl zam
  + setacl -on 'd:\aut\cyg\tmp\zam' -ot file -actn list -lst 'f:tab;w:o,g,d,s;i:y;s:n'
  \\?\d:\aut\cyg\tmp\zam

     Owner: BUILTIN\Administrators

     Group: DOMxx1\Domain Users

     DACL(not_protected):
     DOMxx1\staffuser1   full   allow   no_inheritance
     NT AUTHORITY\SYSTEM   full   allow   no_inheritance


  SetACL finished successfully.
  + set +x
  /tmp $ head zam
  1
  2
  3
  4
  5
  6
  7
  8
  9
  10
  /tmp $ ls -l zam
  ----------+ 1 Administrators Domain Users 51 Mar  1 13:48 zam
  /tmp $ cp zam zam-cp
  /tmp $ cat zam-cp
  cat: zam-cp: Permission denied
  /tmp $ cmd /c type zam-cp
  Access is denied.
  /tmp $ dacl zam-cp
  + setacl -on 'd:\aut\cyg\tmp\zam-cp' -ot file -actn list -lst 'f:tab;w:o,g,d,s;i:y;s:n'
  \\?\d:\aut\cyg\tmp\zam-cp

     Owner: BUILTIN\Administrators

     Group: DOMxx1\Domain Users

     DACL(protected):
     BUILTIN\Administrators   FILE_WRITE_EA+FILE_WRITE_ATTRIBUTES+READ_CONTROL+WRITE_OWNER+WRITE_DAC+DELETE   allow   no_inheritance
     DOMxx1\Domain Users   FILE_READ_EA+FILE_READ_ATTRIBUTES+READ_CONTROL   allow   no_inheritance
     Everyone   FILE_READ_EA+FILE_READ_ATTRIBUTES+READ_CONTROL   allow   no_inheritance


  SetACL finished successfully.
  + set +x
  /tmp $ chmod +r zam-cp
  /tmp $ head zam-cp
  1
  2
  3
  4
  5
  6
  7
  8
  9
  10
  /tmp $ md5sum zam zam-cp
  69d61ec73a9426dba64bf17888794b6e *zam
  69d61ec73a9426dba64bf17888794b6e *zam-cp
  /tmp $ uname -a
  CYGWIN_NT-5.2 OurHost_onw 1.5.20s(0.155/4/2) 20060403 13:33:45 i686 Cygwin
  /tmp $ --

# -------------------------------------------------------------------- 
# how to create test case perms on file "zam"
# -------------------------------------------------------------------- 

  ME=$(id -un)

  seq 20 > zam
  chgrp "domain users" zam;echo y|cacls zam /g $ME:f system:f
  setacl -on "$(cygpath -aw zam)" -ot file -actn setowner -ownr "n:administrators"

  # setacl available here:
  #   http://sourceforge.net/project/showfiles.php?group_id=69165
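
Added example, not part of the original message: a small evaluator for the SetACL listings shown above that ORs together the access-mask bits a given set of principals receives and checks for FILE_READ_DATA. Assumptions: the function names are hypothetical, SetACL's "full" is taken to mean FILE_ALL_ACCESS, the token is assumed to carry the widest group set visible in the listings, and privileges and Cygwin's own handling are not modeled.

```python
import re

# Windows file access-mask bits (values from winnt.h).
RIGHTS = {
    "FILE_READ_DATA": 0x1, "FILE_WRITE_DATA": 0x2, "FILE_APPEND_DATA": 0x4,
    "FILE_READ_EA": 0x8, "FILE_WRITE_EA": 0x10, "FILE_EXECUTE": 0x20,
    "FILE_READ_ATTRIBUTES": 0x80, "FILE_WRITE_ATTRIBUTES": 0x100,
    "DELETE": 0x10000, "READ_CONTROL": 0x20000, "WRITE_DAC": 0x40000,
    "WRITE_OWNER": 0x80000, "SYNCHRONIZE": 0x100000,
    "full": 0x1F01FF,  # assumption: SetACL "full" == FILE_ALL_ACCESS
}

def parse_dacl(listing):
    """Return [(trustee, mask, ace_type)] for each ACE row of a SetACL listing."""
    aces = []
    for line in listing.splitlines():
        cols = re.split(r"\s{2,}|\t", line.strip())
        if len(cols) == 4 and cols[2] in ("allow", "deny"):
            mask = 0
            for name in cols[1].split("+"):
                mask |= RIGHTS[name]
            aces.append((cols[0], mask, cols[2]))
    return aces

def granted(aces, sids):
    """Simplified access check: walk ACEs in order; a deny blocks later allows."""
    allowed = denied = 0
    wanted = {s.lower() for s in sids}
    for trustee, mask, kind in aces:
        if trustee.lower() in wanted:
            if kind == "deny":
                denied |= mask & ~allowed
            else:
                allowed |= mask & ~denied
    return allowed

def can_read_data(listing, sids):
    return bool(granted(parse_dacl(listing), sids) & RIGHTS["FILE_READ_DATA"])

# ACE rows copied from the "dacl zam" and "dacl zam-cp" output in the post.
ZAM = r"""DOMxx1\staffuser1   full   allow   no_inheritance
NT AUTHORITY\SYSTEM   full   allow   no_inheritance"""
ZAM_CP = r"""BUILTIN\Administrators   FILE_WRITE_EA+FILE_WRITE_ATTRIBUTES+READ_CONTROL+WRITE_OWNER+WRITE_DAC+DELETE   allow   no_inheritance
DOMxx1\Domain Users   FILE_READ_EA+FILE_READ_ATTRIBUTES+READ_CONTROL   allow   no_inheritance
Everyone   FILE_READ_EA+FILE_READ_ATTRIBUTES+READ_CONTROL   allow   no_inheritance"""
# Assumed token for staffuser1 (widest case: every principal named in the listings).
TOKEN = [r"DOMxx1\staffuser1", r"DOMxx1\Domain Users", "Everyone", r"BUILTIN\Administrators"]

if __name__ == "__main__":
    print(can_read_data(ZAM, TOKEN), can_read_data(ZAM_CP, TOKEN))
```

Under these assumptions the DACL on zam grants FILE_READ_DATA to staffuser1, while the DACL on zam-cp grants it to none of the listed principals.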
