Group Permissions on root folders problem (Windows 10 TP build 10061)

David A Cobb superbiskit@cox.net
Thu Sep 10 20:41:00 GMT 2015


On 2015-09-10 12:07, Ken Brown wrote:
> On 9/10/2015 11:49 AM, David A Cobb wrote:
>> On a Windows-10 host: when I use Cygwin *chown***or *chmod *to make
>> permission changes, the next time I access the folder-tree from Windows
>> Explorer Security tab, it complains that the Access Control List is
>> incorrectly ordered and that will cause undesirable results; happy to
>> say, it gives me the chance to re-order the ACL.  The usual undesirable
>> result is that an app can create a folder /New/ within /T/ but cannot
>> create anything within /T/////New/.
<SNIP />
>> This is explained in the Cygwin User's Guide:
>
>   https:/cygwin.com/cygwin-ug-net/ntsec.html#ntsec-files
>
> Ken
>
OK, but where the UG says:
<QUOTE >
   * All access denied ACEs *should* precede any access allowed ACE. ACLs
     following this rule are called "canonical".

Note that the last rule is a preference or a definition of correctness. 
It's not an absolute requirement. All Windows kernels will correctly 
deal with the ACL regardless of the order of allow and deny ACEs. The 
second rule is not modified to get the ACEs in the preferred order.

Unfortunately the security tab in the file properties dialog of the 
Windows Explorer insists to rearrange the order of the ACEs to canonical 
order before you can read them. Thank God, the sort order remains 
unchanged if one presses the Cancel button. But don't even *think* of 
pressing OK...
</QUOTE>

What I'm seeing suggests that the statement of Windows (really NTFS?) 
"correctly dealing with this" is no longer correct.  What is more, if I 
do /not/ allow Windows to reorder the rules to its own liking, I cannot 
correct the symptom described about not being able to access files 
within "/New/".

It's all very well to say "don't even think of pressing OK," but IMNSHO 
Cygwin should /_never_/ allow a user to create a situation which is so 
unacceptable to Windows.  It would be better to tell the user "I'm 
sorry, Dave, I'm not able to do that." [Correct quote from Hal of '2001' 
forgotten].  I know that not all settings allowed in POSIX can be 
represented -- so refuse to try setting the things that cannot be 
represented.

I wouldn't mind mounting everything as "noacl," but would that not 
disable even the limited permission settings we can represent?




--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple



More information about the Cygwin mailing list