setfacl: root of all evil?

Houder houder@xs4all.nl
Mon Feb 16 14:50:00 GMT 2015


Hi Corinna,

Yes, sorry, setfacl again ...

Now, I am NOT an expert on Windows (I do not want to be), and I realize that I am in the company
of experts on Windows (on Windows ACL) here, so it is inevitable that I will be out of my league
below, and speak "erroneously" about Windows ACL.

Nevertheless, the reason for my post is that setfacl FAILS, where chmod SUCCEEDS ...

Over the years (XP) my "Posix" trees (Cygwin) looked like this:

@@ uname -a
CYGWIN_NT-6.1-WOW Seven 1.7.35(0.286/5/3) 2015-02-12 20:59 i686 Cygwin

@@ mkdir T
@@ icacls T                        @@ getfacl T        @@ ls -ld T
T Seven\Henri:(F)                  # file: T           drwxr-xr-x+ 1 Henri None 0 ... T
  Seven\None:(RX)                  # owner: Henri
  Everyone:(RX)                    # group: None
  CREATOR OWNER:(OI)(CI)(IO)(F)    user::rwx
  CREATOR GROUP:(OI)(CI)(IO)(RX)   group::r-x
  Everyone:(OI)(CI)(IO)(RX)        other:r-x
                                   default:user::rwx
                                   default:group::r-x
                                   default:other:r-x

@@ touch T/aap
@@ icacls T/aap                    @@ getfacl T/aap    @@ ls -l T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)  # file: T/aap       -rw-r--r-- 1 Henri None 0 ... T/aap
      Seven\None:(R)               # owner: Henri
      Everyone:(R)                 # group: None
                                   user::rw-
                                   group::r--
                                   other:r--

@@ chmod 755 T/aap
@@ icacls T/aap                    @@ getfacl T/aap    @@ ls -l T/aap
T/aap Seven\Henri:(M,WDAC,WO)      # file: T/aap       -rwxr-xr-x 1 Henri None 0 ... T/aap
      Seven\None:(RX)              # owner: Henri
      Everyone:(RX)                # group: None
                                   user::rwx
                                   group::r-x
                                   other:r-x

This "standard" has served me well ... I did not have to fight with mkdir, chmod, etc ... And the
occasional Windows generated file did not fall "out of tune" too much.

Moreover, after extraction of a .zip file in one of my "Posix" directories, it was fairly easy to
reset the permissions of the extracted files (and directories), using setfacl.

Currently, using this procedure, setfacl fails ...

My investigation into the cause of this failure eventually led me to simple test cases in which
setfacl fails, but where chmod succeeds.

(more details, if needed, in attached files)

Basically, setfacl removes "write attributes" from the file owner (where chmod does not).

(also: setfacl makes the creator owner lose rights -- in comparison to chmod)

RFC :-)

Henri

----- setfacl/file
@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ touch T/aap
@@ setfacl -s u::r--,g::r--,o:r-- T/aap
@@ setfacl -s u::rw-,g::r--,o:r-- T/aap
setfacl: Permission denied
@@ chmod 644 T/aap
chmod: changing permissions of ‘T/aap’: Permission denied
@@ touch T/aap
touch: cannot touch ‘T/aap’: Permission denied
@@ rm T/aap
/bin/rm: remove write-protected regular empty file ‘T/aap’? y
@@ ls -l T/aap
ls: cannot access T/aap: No such file or directory
@@

----- chmod/file
@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ touch T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
@@ chmod u-w T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,D,WDAC,WO,WA) # <==== Note: lost W, but got WA instead ... (setfacl fails here)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
@@ chmod u+w T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
@@ touch aap
@@

----- setfacl/directory
@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@ setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
setfacl: Permission denied
@@ chmod 755 T
chmod: changing permissions of ‘T’: Permission denied
@@ rmdir T
@@ ls -ld T
ls: cannot access T: No such file or directory

----- chmod/directory
@@ pwd
/drv/e
@@ mkdir T
@@ chmod u-w T
@@ icacls T
T Seven\Henri:(RX,D,WDAC,WO,WA) # <==== Note: lost W, but got WA instead ... (setfacl fails here)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@ chmod u+w T
@@ icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@

=====
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: run-setfacl-sucks-file.txt
URL: <http://cygwin.com/pipermail/cygwin/attachments/20150216/2e137377/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: run-chmod-rocks-file.txt
URL: <http://cygwin.com/pipermail/cygwin/attachments/20150216/2e137377/attachment-0001.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: run-setfacl-sucks-directory.txt
URL: <http://cygwin.com/pipermail/cygwin/attachments/20150216/2e137377/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: run-chmod-rocks-directory.txt
URL: <http://cygwin.com/pipermail/cygwin/attachments/20150216/2e137377/attachment-0003.txt>
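
The check below is an added example, not part of the original post and not Cygwin code: it reads icacls output and reports whether the owner's effective ACE still grants write attributes (WA, or the W, M and F rights that include it), which is the right the post says chmod keeps and setfacl removes. The function names and the second sample ACL are constructed for illustration.

```shell
#!/usr/bin/env bash
# owner_has_wa OWNER   (icacls output on stdin)
# Exit status 0 if an effective (not inherit-only) ACE for OWNER grants
# write attributes, either as WA or through W, M or F; 1 otherwise.
owner_has_wa() {
    # OWNER goes through the environment: awk -v would mangle the backslash.
    OWNER="$1" awk '
    {
        owner = ENVIRON["OWNER"]
        pos = index($0, owner ":")            # literal match, no regex
        if (pos == 0) next
        ace = substr($0, pos + length(owner) + 1)
        sub(/[ \t].*/, "", ace)               # drop trailing annotations
        if (index(ace, "(IO)")) next          # inherit-only: not effective here
        n = split(ace, grp, "(")              # last group is the rights list
        rights = grp[n]
        sub(/\).*/, "", rights)
        m = split(rights, r, ",")
        for (i = 1; i <= m; i++)
            if (r[i] == "F" || r[i] == "M" || r[i] == "W" || r[i] == "WA")
                found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# ACL after "chmod u-w T/aap", copied from the post.
after_chmod='T/aap Seven\Henri:(R,D,WDAC,WO,WA)
      Seven\None:(R)
      Everyone:(R)'

# Constructed sample: the same ACL with WA missing from the owner ACE, as the
# post describes for setfacl (the actual setfacl result is not shown there).
without_wa='T/aap Seven\Henri:(R,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)'

# check OWNER ACL_TEXT: prints "ok" or "owner lacks WA".
check() {
    if printf '%s\n' "$2" | owner_has_wa "$1"; then
        echo "ok"
    else
        echo "owner lacks WA"
    fi
}

check 'Seven\Henri' "$after_chmod"
check 'Seven\Henri' "$without_wa"
```

On a live system the same function can be fed directly, for example `icacls T/aap | owner_has_wa 'Seven\Henri'`.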