Security Settings for directories created in Cygwin (+ executable bit on files)
Tue Aug 12 12:55:00 GMT 2014
On Aug 12 10:51, Kurt Franke wrote:
> Sebastien Vauban <sva-news@...> writes:
> > [...]
> > Asking Cygwin to stop playing with the Windows ACL, by mounting my
> > personal directories as "noacl"? Well, that means I won't be able to
> > use `chmod' anymore, for setting a script file as "executable", then.
> > And I'll have to use a Windows tool to do so, such as `cacls'.
> there is a possibility to get bettter permission settings on files created
> by a windows program inside a directory created by cygwin.
> you must create special ACE's on this directory like in the following
> example with german names used in one of my scripts:
> icacls "$dir" /remove ERSTELLER-BESITZER
> icacls "$dir" /grant 'ERSTELLER-BESITZER:(OI)(IO)(R,W,D,WDAC,WO)'
> icacls "$dir" /grant 'ERSTELLER-BESITZER:(CI)(IO)(F)'
That's "CREATOR OWNER" in english systems.
> icacls "$dir" /remove ERSTELLERGRUPPE
> icacls "$dir" /grant 'ERSTELLERGRUPPE:(OI)(IO)(R,W)'
> icacls "$dir" /grant 'ERSTELLERGRUPPE:(CI)(IO)(RX,W,DC)'
> icacls "$dir" /remove Jeder
> icacls "$dir" /grant 'Jeder:(RX)'
> icacls "$dir" /grant 'Jeder:(OI)(IO)(R)'
> icacls "$dir" /grant 'Jeder:(CI)(IO)(RX)'
> It creates different Default ACE's for files an directories and these will
> be inherited correctly when using non-cygwin-windows programs. For
> dirctories the execute permission is inherited b ut for files it is not
> To have those DEFAULT ACE's of general use for integration of cygwin and
> windows without always executing a script after creating a new directory in
> cygwin it would be necessary to inherit those none-simple DEFAULT ACE's in
> cygwin directory creation also, not onle the simple ones.
> A drawback for this may be the fact the gefacl/setfacl utilities does not
> understand those ACE's and thus don't show / don't set it.
It complicates handling of default permissions in the acl system
calls a lot. You'd have to handle two CREATOR OWNER ACEs as a single
"default:user" entry. Same for "CREATOR GROUP". I'm not saying this is
impossible to implement, just that it's a good amount of work.
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 819 bytes
Desc: not available
More information about the Cygwin