This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: group permissions


On Feb 11 13:28, Eric Blake wrote:
> On 02/10/2015 02:21 AM, Corinna Vinschen wrote:
> > o The other way to emulate writing an ACL_MASK entry would be to drop
> >   permissions from all groups and secondary users so they match the
> >   desired mask value.  This is secure, but in contrast to the other
> >   solution it would change the secondary permissions permanently.
> >   Changing the mask back would not change the permissions of the
> >   secondary ACL entries back.
> 
> Possible enhancement on this idea (I have no clue if it would actually
> work, though):
> 
> When rewriting ACE entries because of the just-added restrictive
> ACL_MASK, put in some marker that mimics the default deny-all action,
> then additional entries in the tail of the ACE list that shows the
> pre-modified permissions that we just took away due to the mask.  If we
> later loosen the mask, we can use the tail of entries to restore
> original permissions.  And since the tail occurs after a catch-all deny,
> they won't grant permissions in the meantime.  The trick then becomes
> telling when we have stuck our marker in place to represent that we have
> injected tail entries to reflect the state to restore if ACL_MASK is
> relaxed.

I see what you're up to.  Right now I'm just a bit side-tracked because
I had an inspiration how it should be possible to avoid the reported
"slow startup" problem due to slow LDAP connections to the DC.  After
that I'll return to the matter and peruse your idea.

In the meantime I also realized that the way Cygwin reads and creates
the file ACLs in two different sets of functions (one for stat/chmod,
the other for acl(GETACL)/acl(SETACL)) is a rather bad idea.

I think I'll take the opportunity to revamp the ACL handling completely
to unify the calls into a single implementation with consistent results.
Ideally the result is more POSIXy than today.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
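
The two mask emulations discussed in this message, compared in a small model. This is an added example, not code from the thread or from Cygwin. The struct, the function names and the has_marker flag are assumptions made for illustration: each secondary entry is reduced to an rwx bitmask and no real Windows ACE layout is used.

```c
#include <stdio.h>

/* Simplified model (assumption): a secondary ACL entry is only an rwx
   bitmask. No real Windows ACE or Cygwin structure is represented. */
enum { R = 4, W = 2, X = 1, N_ENT = 3 };

struct acl {
    int live[N_ENT];   /* permissions the entries actually grant */
    int saved[N_ENT];  /* "tail" copies stored behind a deny-all marker */
    int has_marker;    /* 1 once the marker and tail have been written */
};

/* First quoted approach: clamp every entry to the mask.
   Bits cleared here cannot be recovered by a later, wider mask. */
void set_mask_lossy(struct acl *a, int mask)
{
    for (int i = 0; i < N_ENT; i++)
        a->live[i] &= mask;
}

/* Tail variant: on the first restriction, record the pre-mask permissions,
   then always derive the live entries from the saved copies. */
void set_mask_with_tail(struct acl *a, int mask)
{
    for (int i = 0; i < N_ENT; i++) {
        if (!a->has_marker)
            a->saved[i] = a->live[i];
        a->live[i] = a->saved[i] & mask;
    }
    a->has_marker = 1;
}

/* The access check consults only the live entries: the tail sits after
   the catch-all deny and never grants anything. */
int granted(const struct acl *a, int idx, int want)
{
    return (a->live[idx] & want) == want;
}

int main(void)
{
    struct acl lossy = { { R|W|X, R|W, R }, {0}, 0 };  /* constructed sample */
    struct acl tail = lossy;
    set_mask_lossy(&lossy, R);    set_mask_lossy(&lossy, R|W|X);
    set_mask_with_tail(&tail, R); set_mask_with_tail(&tail, R|W|X);
    printf("lossy: %d %d %d\n", lossy.live[0], lossy.live[1], lossy.live[2]);
    printf("tail:  %d %d %d\n", tail.live[0], tail.live[1], tail.live[2]);
    return 0;
}
```

In the model, restricting the mask to read-only and then relaxing it leaves the lossy ACL at read-only for every entry, while the tail variant returns to the original permissions and grants nothing extra while the mask is restrictive.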
