[PATCH setup] Add new option --chown-admin

Christian Franke Christian.Franke@t-online.de
Wed Nov 30 18:49:57 GMT 2022

Jon Turney wrote:
> On 04/10/2022 13:05, Christian Franke wrote:
>> Jon Turney wrote:
>>> Corinna had some concerns about making the owner a group, rather 
>>> than a user, which I believe historically caused some difficulties 
>>> in Cygwin, so I think I'll need to understand that better before 
>>> making a decision about this change.
>> I see. Do you have any info about these difficulties?
>> Are these still relevant? If yes, let's forget this patch.
> After a bit of research, I think the issue was that if you make user 
> owner and group owner map onto the same Windows SID, certain unix 
> access permissions cannot be reversibly mapped onto a Windows ACL.
> (e.g. you can't set the mode to 0600, because when you read that back, 
> its mode is 0660. Some programs, e.g. ssh, check for and require 0600 
> permission on some files)

No and yes.

No, a quick test shows that stat() returns what chmod() sets even in 
this case:

# for p in 600 640 660 644 664; do f=perm-$p &&
     touch $f && chown Administrators.Administrators $f &&
     chmod $p $f && ls -l $f; done
-rw------- 1 Administrators Administrators 0 Nov 30 18:39 perm-600
-rw-r----- 1 Administrators Administrators 0 Nov 30 18:39 perm-640
-rw-rw---- 1 Administrators Administrators 0 Nov 30 18:39 perm-660
-rw-r--r-- 1 Administrators Administrators 0 Nov 30 18:39 perm-644
-rw-rw-r-- 1 Administrators Administrators 0 Nov 30 18:39 perm-664

The above likely works due to some heuristic based on ACE order.

Yes, the effective permissions of 0600 are always the same as 0660 
because the first ACE is already for the group:

# icacls perm-\*
perm-600 BUILTIN\Administrators:(R,W,D,WDAC,WO)

perm-640 BUILTIN\Administrators:(R,W,D,WDAC,WO)

perm-644 BUILTIN\Administrators:(R,W,D,WDAC,WO)

perm-660 BUILTIN\Administrators:(R,W,D,WDAC,WO)

perm-664 BUILTIN\Administrators:(R,W,D,WDAC,WO)

(Tests done on German Windows and localized names renamed afterwards).

> This perhaps isn't terribly relevant to files created by setup

It may depend on how access checks are done by ssh etc. (mode bits or 
effective permissions).
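
Added example, not part of the original message or of setup's code: a shell check for the situation discussed above, reporting files whose owner and group are the same account while the mode bits show less access than applies once the two classes are merged. It assumes Cygwin with GNU stat and treats identical owner and group names (as in the ls -l output above) as the same Windows SID; the function names are made up here.

```shell
#!/bin/sh
# Constructed example; function names are hypothetical.

# effective_mode MODE
# Print the rwx digits that apply when owner and group are one account:
# anyone matching one class matches the other, so both classes get the
# union of the owner and group bits. Setuid/setgid/sticky are ignored.
effective_mode() {
    m=$((0$1))                 # leading 0: parse the mode as octal
    u=$(( (m >> 6) & 7 ))
    g=$(( (m >> 3) & 7 ))
    o=$(( m & 7 ))
    s=$(( u | g ))
    printf '%o%o%o\n' "$s" "$s" "$o"
}

# audit_entry OWNER GROUP MODE PATH
# Print a finding and return 0 when owner and group are identical and the
# mode bits understate the merged access; return 1 otherwise.
audit_entry() {
    [ "$1" = "$2" ] || return 1
    eff=$(effective_mode "$3")
    cur=$(printf '%03o' "$((0$3 & 0777))")
    [ "$eff" != "$cur" ] || return 1
    printf '%s: owner=group=%s mode %s effective %s\n' "$4" "$1" "$cur" "$eff"
}

# audit_tree DIR
# Apply audit_entry to every regular file below DIR. Owner, group and
# mode are read with separate stat calls because Windows account names
# can contain spaces.
audit_tree() {
    find "$1" -type f | while IFS= read -r f; do
        audit_entry "$(stat -c %U "$f")" "$(stat -c %G "$f")" \
                    "$(stat -c %a "$f")" "$f"
    done
    return 0
}

# Run as: sh audit.sh DIR
if [ $# -gt 0 ]; then
    audit_tree "$1"
fi
```

A file such as perm-600 from the test above would be reported with effective mode 660, while perm-660 and perm-664 would not be reported.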
