[PATCH v2] cygwin: doc: Add keywords for ACE order issues

David Macek david.macek.0@gmail.com
Wed May 13 15:34:06 GMT 2020

Windows Explorer shows a warning with Cygwin-created DACLs, but putting
the text of the warning into Google doesn't lead to the relevant Cygwin
docs.  Let's copy the warning text into the docs in the hopes of helping
confused users.  Most of the credit for the wording belongs to Yaakov

Latest inquiry: <https://cygwin.com/pipermail/cygwin/2020-May/244814.html>

Signed-off-by: David Macek <david.macek.0@gmail.com>

I thought about the wording and there was one one advantage of the
clumsy variant -- anyone intending to modify the paragraph would
immediately know why the full message is there (in my opinion it
doesn't add much value for the reader).  In any case, here's the
variant with nicer wording (which I also like better).

 winsup/doc/ntsec.xml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/winsup/doc/ntsec.xml b/winsup/doc/ntsec.xml
index 08a33bdc6c..8644965349 100644
--- a/winsup/doc/ntsec.xml
+++ b/winsup/doc/ntsec.xml
@@ -2159,11 +2159,13 @@ will correctly deal with the ACL regardless of the order of allow and
 deny ACEs.  The second rule is not modified to get the ACEs in the
 preferred order.</para>
-<para>Unfortunately the security tab in the file properties dialog of
-the Windows Explorer insists to rearrange the order of the ACEs to
-canonical order before you can read them. Thank God, the sort order
-remains unchanged if one presses the Cancel button.  But don't even
-<emphasis role='bold'>think</emphasis> of pressing OK...</para>
+<para>Unfortunately, the security tab in the file properties dialog of
+the Windows Explorer will pop up a warning stating "The permissions on
+... are incorrectly ordered, which may cause some entries to be
+ineffective."  Pressing the Cancel button of the properties dialog
+fortunately leaves the sort order unchanged, but pressing OK will cause
+Explorer to canonicalize the order of the ACEs, thereby invalidating
+POSIX compatibility.</para>
 <para>Canonical ACLs are unable to reflect each possible combination
 of POSIX permissions. Example:</para>

More information about the Cygwin-patches mailing list