Necessary To Query SACL Information?

Corinna Vinschen corinna-cygwin@cygwin.com
Mon Oct 13 08:07:00 GMT 2014


On Oct 12 20:37, Bryan Berns wrote:
> I noticed when I launch an executable, Cygwin queries SACL information
> on the executable (which I can see in Process Monitor as a
> 'QuerySecurityFile' operation).  On some of my protected file servers,
> this generates a failure audit.  Looking at the source code, I'm going
> to guess this might be from the NtQuerySecurityObject call in
> security.cc which requests SACL information by asking for
> ALL_SECURITY_INFORMATION.  Does Cygwin really need to query this
> information? Aside from keeping my audit logs clean, it seems like it
> might be an opportunity for optimizing the executable launch process
> if Cygwin doesn't really need this (or some of the other information
> that ALL_SECURITY_INFORMATION provides).

As you found out yourself, Cygwin only reads and writes the owner/group
information and the DACL.  Accessing this information is required for
POSIX permission handling, e.g. stat(2), chmod(2), chown(2), acl(2).
Also, creating a file with open(2) requires writing the DACL to create
valid POSIX permissions for a file.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat