vi stealing SYSTEM-owned permissions and ownership

D. Boland daniel@boland.nl
Sat Nov 2 12:55:00 GMT 2013


Hi group,

I'm a Linux teacher at a school for vocational education in the Netherlands. 
I use Cygwin to help my students overcome their fear of the command line by 
showing them their Windows systems through the eyes of Linux.

I had them install Apache and then configure it in Cygwin using vi.

As of Windows 8, the Apache installation sometimes fails, because of permission
issues. Installing "As administrator" solves the problem. This is fine 
with me because in other Linuxes, Apache is installed as root by default.

After installation, permissions in the Apache "conf" directory look like this:

drwx------+ 1 SYSTEM SYSTEM     0 28 okt 20:43 .
drwx------+ 1 SYSTEM SYSTEM     0  2 nov 13:10 ..
-rwx------+ 1 SYSTEM SYSTEM 35142 26 okt 18:07 httpd.conf
-rwx------+ 1 SYSTEM SYSTEM 34770  7 okt 23:29 httpd.default.conf
-rwx------+ 1 SYSTEM SYSTEM 13340  3 okt 07:59 magic
-rwx------+ 1 SYSTEM SYSTEM 13340 21 nov  2004 magic.default
-rwx------+ 1 SYSTEM SYSTEM 54599  3 okt 07:59 mime.types
-rwx------+ 1 SYSTEM SYSTEM 54599 17 mrt  2012 mime.types.default
-rwx------+ 1 SYSTEM SYSTEM  9390  5 feb  2013 openssl.cnf
-rwx------+ 1 SYSTEM SYSTEM 11050  3 okt 07:59 ssl.conf
-rwx------+ 1 SYSTEM SYSTEM 11030  7 okt 23:29 ssl.default.conf

To emulate the Unix permissions model, I had my students add a group in Windows,
named "apache", making themselves a member and then import it using the mkgroup 
command.

After a chgrp and chmod on the entire Apache folder, the "conf" directory looks 
like this:

drwxrwx---+ 1 SYSTEM apache     0 28 okt 20:43 .
drwxrwx---+ 1 SYSTEM apache     0  2 nov 13:10 ..
-rwxrwx---+ 1 SYSTEM apache 35142 26 okt 18:07 httpd.conf
-rwxrwx---+ 1 SYSTEM apache 34770  7 okt 23:29 httpd.default.conf
-rwxrwx---+ 1 SYSTEM apache 13340  3 okt 07:59 magic
-rwxrwx---+ 1 SYSTEM apache 13340 21 nov  2004 magic.default
-rwxrwx---+ 1 SYSTEM apache 54599  3 okt 07:59 mime.types
-rwxrwx---+ 1 SYSTEM apache 54599 17 mrt  2012 mime.types.default
-rwxrwx---+ 1 SYSTEM apache  9390  5 feb  2013 openssl.cnf
-rwxrwx---+ 1 SYSTEM apache 11050  3 okt 07:59 ssl.conf
-rwxrwx---+ 1 SYSTEM apache 11030  7 okt 23:29 ssl.default.conf

My students can now administer Apache without running Cygwin "As administrator".
Also, this is extremely useful in real-time business situations. It enables my 
students to grant Apache admin permissions to other users by putting them in 
the apache group, without giving them full admin access on the entire system.

But here's the problem. After editing the httpd.conf file with vi, the permissions 
on the "httpd.conf" file are changed to:

----------+ 1 Daniel None   35142  2 nov 13:20 httpd.conf

This should not be. I tested this on my RedHat and OpenBSD systems, and there are 
no changes in ownership or permissions after editing with vi.

After fiddling with chown, chgrp, chmod, getfacl, setfacl and icacls for a few 
hours, I finally installed nano. Nano behaved. It did not alter anything except
the contents of the file.

But I want my students to learn vi, so having them install nano is not an option. 

I think the problem is vi. Vi deletes the original file and creates a new one with
the changed contents, without resetting the original ownership and permissions. See 
also this post:

http://unix.stackexchange.com/questions/58880/how-does-vim-steal-root-owned-files

Can somebody shed some light on this?

Meanwhile, I accidentally found sort of a solution: deleting the file without write
permissions on the containing folder restores the permissions set by Administrator.

As Administrator:
chmod 0700 .
touch test.txt
chown SYSTEM:apache test.txt
chmod 0770 test.txt

Results in:

-rwxrwx---+ 1 SYSTEM apache     0  2 nov 13:26 test.txt

As "normal" user:
Edit the file with vi. Afterwards, the permissions will look like:

----------+ 1 Daniel None       9  2 nov 13:29 test.txt

$ getfacl.exe test.txt
# file: test.txt
# owner: Daniel
# group: None
user::---
group::---
group:SYSTEM:rwx
group:Administrators:rwx
group:Gebruikers:r-x
group:apache:rwx
mask:rwx
other:---

To "solve" this, simply delete the file:

rm test.txt

The file is not deleted because of 0700 on the containing folder. But the original 
permissions set by Admin are restored!!

-rwxrwx---+ 1 SYSTEM apache     9  2 nov 13:29 test.txt

$ getfacl.exe test.txt
# file: test.txt
# owner: SYSTEM
# group: apache
user::rwx
group::rwx
group:Administrators:rwx
group:Gebruikers:r-x
mask:rwx
other:---
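
The two save behaviours the post contrasts (rewriting the existing file in place, versus writing a new file under the old name), as an added shell example that is not part of the original message. It assumes GNU stat (as shipped with Cygwin and Linux); the function names and the test file are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: does a save keep the file's identity
# (inode, mode, owner:group) or replace the file with a new one?

# Print "inode mode uid:gid" for a file (GNU stat format string).
ident() { stat -c '%i %a %u:%g' "$1"; }

# Strategy A: truncate and rewrite the existing file in place.
# The inode, mode and ownership of the original are untouched.
save_in_place() { printf '%s\n' "$2" > "$1"; }

# Strategy B: write a new file, then rename it over the original.
# The result is a different inode, created by the current user with
# that user's default mode; nothing is copied from the old file.
save_by_replace() {
    tmp="$1.tmp.$$"
    ( umask 077; printf '%s\n' "$2" > "$tmp" )
    mv -f "$tmp" "$1"
}

# Run one strategy against a fresh 0770 file (constructed sample) and
# report whether inode, mode and ownership survived the save.
check_strategy() {
    dir=$(mktemp -d) || return 1
    f="$dir/test.txt"
    printf 'original\n' > "$f"
    chmod 0770 "$f"
    before=$(ident "$f")
    "$1" "$f" "edited"
    after=$(ident "$f")
    rm -rf "$dir"
    if [ "$before" = "$after" ]; then
        echo "preserved"
    else
        echo "replaced: $before -> $after"
    fi
}

echo "in place:   $(check_strategy save_in_place)"
echo "by replace: $(check_strategy save_by_replace)"
```

To check a real editor the same way, run `ident` on the file before and after the editing session and compare the two lines.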

