[PATCH] Ensure that the default ACL contains the standard entries

Corinna Vinschen corinna-cygwin@cygwin.com
Wed Dec 15 18:47:00 GMT 2010

On Dec 14 22:22, Christian Franke wrote:
> Hi Corinna,
> Corinna Vinschen wrote:
> >Hi Christian,
> >
> >On Dec 10 23:05, Christian Franke wrote:
> >>The ACL from Cygwin always contains the three (USER|GROUP|OTHER)_OBJ
> >>entries. It might be existing practice elsewhere to return these
> >>entries also in the default ACL. The attached patch adds these
> >>entries with empty permissions if necessary.
> >>
> >>The patch would fix this rsync issue:
> >>http://cygwin.com/ml/cygwin/2010-11/msg00429.html
> >>
> >>The logic for DEF_CLASS_OBJ is unchanged.
> >
> >This looks good, except that the faked default entries for group and
> >other are set to 0.  That's rather unexpected. ...
> >
> >This is rather easy to fix (and you added comments in that place), ...
> New patch attached.

Thanks, applied.

> >I'm not entirely sure yet, but maybe the acl function should not
> >fake these default entries.  From my POV it seems a better approach
> >if acl(SETACL) actually creates these entries if *any* default entry
> >is in the incoming acl.  And, it should create these entries with
> >useful permission values.  This seems to reflect the Linux behaviour
> >much closer.  What do you think?
> AFIAK a minimal ACL must contain the three entries u/g/o which are
> equivalent to the mode permission bits. The default ACL has likely
> the same requirement.

Apparently yes.  I just tested this on Linux and Solaris.  On Linux
the missing entries are added with default values, on Solaris 10
you are required to enter at least the three default o/g/u entries,
otherwise setfacl prints an error message

 "Missing user/group owner, other, mask entry"

> If this is the case, then I would suggest to do both:
> 1. Fake these entries in acl(GETACL) if required. This would ensure
> that the default ACL is complete even if the Windows ACL was not
> created by Cygwin.
> 2. Create these entries in acl(SETACL) if required. This would
> ensure that the following reasonable requirement holds if the
> Windows ACL was created by Cygwin before:
> - "getfacl foo | setfacl -f - foo" should not change the (Windows)
> ACL of "foo".

Ok, fine with me.

> >   Would you implement this?
> Yes, but may take some time.

No worries.  We won't release 1.7.8 before January.

> >Btw., while testing your patch I found a bug in setfacl which disallowed
> >to delete user/group-specific default entries.  I opted for rewriting the
> >function which examines an incoming acl entry (getaclentry).  Would you
> >mind to test this bit, too?  The new code accepts a trailing colon, but
> >I think that's ok.  The SGI setfacl tool used on Linux is even more
> >relaxed syntax-wise and also accepts trailing colons.
> I've done a few test, looks good.

Thank you!

> An unrelated issue found during testing:
> mkdir() may duplicate Windows ACL entries. Testcase (German XP SP3):
> [...]
> Problem in security.cc:alloc_sd() ?

Indeed.  Thanks for the report.  I fixed that in CVS, hopefully.


Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

More information about the Cygwin-patches mailing list