Too Many Permissions Stripped In 1.7.35?

Corinna Vinschen corinna-cygwin@cygwin.com
Fri Feb 27 16:49:00 GMT 2015 

On Feb 27 13:19, Corinna Vinschen wrote:
> On Feb 27 09:57, Achim Gratz wrote:
> > Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > > Good point.  Right now the group permissions are == owner permissions in
> > > the case the owner and group are the same.  Maybe it would be better to
> > > remove all group permission bits if owner SID == group SID instead. 
> > 
> > I think that would be defendable since it is purely based on how Windows and
> > POSIX treat groups and users in different ways and not an artificial
> > exception that Cygwin makes on top of that.
> 
> Come to think of it, this would also drop the requirement to enforce
> primary group "Users" for the so-called "Microsoft Accounts", which have
> their own SID as group SID in the user token by default.
> 
> Hmm, I'm really warming up to this change...

Done.  I uploaded a snapshot and I'm contemplating to create a test
release for this change.

Warren, you're the unlucky guy of the day.  From our discussions in
the last days I know you're using a Microsoft account.  Can you please
give the latest snapshot from https://cygwin.com/snapshots/ a try?

When using it, you should now see your account also as group.  Creating
files should result in having user and group being the same, and if you
chmod the file, the group permissions should not reflect the user
permissions anymore:

  $ chmod 600 xxx
  $ ls -l xxx
  -rw------- 1 corinna corinna 0 Feb 27 10:40 xxx
  $ chmod 660 xxx
  $ ls -l xxx
  -rw------- 1 corinna corinna 0 Feb 27 10:40 xxx

Trip hazard 1:

  $ chmod 250 xxx
  $ ls -l xxx
  -rwx------ 1 corinna corinna 0 Feb 27 10:40 xxx

  The new permissions for your account are the sum of permissions you
  gave yourself as user and group:
  
    user 2 == -w-
    group 5 == r-x
    ==> combined 7 == rwx

Trip hazard 2:

  $ chmod 644 xxx
  $ ls -l xxx
  -rw-r--r-- 1 corinna corinna 0 Feb 27 10:40 xxx

  Funny, isn't it?  The group permissions are different from the user
  permissions even though both are the same account.  These are the
  "Everyone" permissions which penetrate into the group permissions due
  to the way the Windows ACL is evaluated:

  $ icacls xxx
  xxx VINSCHEN\corinna:(R,W,D,WDAC,WO)
      Everyone:(R)

  I didn't change that because it doesn't hurt.  The case has altered
  (sorry the pun) if "other" has permissions the owner doesn't have:

  $ chmod 601 xxx
  $ ls -l xxx
  -rw------x 1 corinna corinna 0 Feb 27 10:40 xxx
  $ icacls xxx
  xxx VINSCHEN\corinna:(DENY)(S,X)
      VINSCHEN\corinna:(R,W,D,WDAC,WO)
      Everyone:(Rc,S,X,RA)


I think that's really a good change.  It should help in security
conscious scenarios a lot.  It *may* break other scenarios, but
that should be rather unlikely or easy to fix.

Thanks for the idea "random user".  A name would be nice, though...


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://cygwin.com/pipermail/cygwin/attachments/20150227/2c1f8a41/attachment.sig>

More information about the Cygwin mailing list