group permissions

Thomas Wolff towo@towo.net
Mon Feb 9 20:20:00 GMT 2015


Am 09.02.2015 um 10:14 schrieb Corinna Vinschen:
> On Feb  9 00:03, Thomas Wolff wrote:
>> With 1.7.34-6:
>>> - the fixes in POSIX ACL handling and the effect this has on the standard
>>>      POSIX group permissions, as well as the accompanying new setfacl(1)
>>>      options -b/--remove-all and -k/--remove-default.
>>>
>>> See https://cygwin.com/cygwin-ug-net/using-utils.html#setfacl
>>> and https://cygwin.com/faq.faq.html#faq.using.ssh-pubkey-stops-working
>>> and https://cygwin.com/faq.faq.html#faq.using.same-with-rhosts
>> Group permissions are now composed of multiple ACL entries, like:
>> -rw-rwx---+ 1 towo Domain Users   128 Feb  5 13:36 x
>> with ACL:
>> # file: x
>> # owner: towo
>> # group: Domain Users
>> user::rw-
>> group::r-x
>> group:SYSTEM:rwx
>> mask:rwx
>> other:---
>>
>> chmod g-wx does not work on x, only after setfacl -d group:SYSTEM x ,
>> the g-w bit is gone.  This is surprising behaviour (and has been
>> discussed in a specific context in another thread); the explanation is
>> hidden in only roughly related sections of the user guide (setfacl) or
>> even the FAQ, and is not found in the section Permissions and Security
>> where one would look first; I suggest to add an illustrative section
>> there.
> Yes, sure, why not.  Any idea for a patch?
>
>> However, I am not yet convinced that the explanation makes it less
>> surprising from a POSIX point of view because the file does not have
>> the group 'SYSTEM' which is responsible for the g+wx flags.  Maybe ls
>> -l should display a more permissive group (in the example case SYSTEM
>> rather than Domain Users) to give the user a hint? How is this handled
>> on other ACL systems? (I can check next week.)
> ls shows the primary group of the file and that's not going to change.
> The hint that more permissions are given is the '+' sign appended to the
> permission bits.
I checked on an Ubuntu system where behaviour is more intuitive by some
functionality added by chmod; it implicitly modifies the “mask” entry to
achieve exactly the effect most likely to be desired by chmod (showing
only the group-relevant output lines of getfacl below):

Cygwin:

 > ls -l x; getfacl x
-rw-r--r-- 1 me Domain Users 0 Feb  9 15:04 x
group::r--

 > setfacl -m group:Users:rwx x
 > ls -l x; getfacl x
-rw-rwxr--+ 1 me Domain Users 0 Feb  9 15:04 x
group::r--
group:Users:rwx
mask:rwx

 > chmod g-wx x
 > ls -l x; getfacl x
-rw-rwxr--+ 1 me Domain Users 0 Feb  9 15:04 x
group::r--
group:Users:rwx
mask:rwx


Ubuntu:

 > ls -l x; getfacl x
-rw-r--r-- 1 xubuntu xubuntu 0 Feb  9 15:04 x
group::r--

 > setfacl -m group:adm:rwx x
 > ls -l x; getfacl x
-rw-rwxr--+ 1 xubuntu xubuntu 0 Feb  9 15:04 x
group::r--
group:adm:rwx
mask:rwx

 > chmod g-wx x
 > ls -l x; getfacl x
-rw-r--r--+ 1 xubuntu xubuntu 0 Feb  9 15:04 x
group::r--
group:adm:rwx                   #effective:r--
mask:r--


------
Thomas
