Files created with CYGWIN have "NULL SID:(DENY)" windows ACL, inter alia

Andrey Repin anrdaemon@yandex.ru
Sun Dec 22 20:43:00 GMT 2019


Greetings, Peter Binney!

> Creating a file using "> newfile", "icacls newfile" shows various DENY settings:

> newfile NULL SID:(DENY)(Rc,S,WEA,X,DC)
>         JCPR-DELL-3\peter:(R,W,D,WDAC,WO)
>         NT AUTHORITY\SYSTEM:(DENY)(S,X)
>         BUILTIN\Administrators:(DENY)(S,X)
>         BUILTIN\Users:(DENY)(S,X)
>         JCPR-DELL-3\None:(R)
>         NT AUTHORITY\SYSTEM:(RX,W)
>         BUILTIN\Administrators:(RX,W)
>         BUILTIN\Users:(RX,W)
>         Everyone:(R)

> Whereas on a file created from Windows Explorer I see:
> New Text Document.txt BUILTIN\Users:(I)(M)
>                       Everyone:(I)(RX)
>                       JCPR-DELL-3\peter:(I)(F)
>                       BUILTIN\Administrators:(I)(F)
>                       NT AUTHORITY\SYSTEM:(I)(F)

> "mkpasswd" and "mkgroup"

Please use getent

> both show I (user "peter") have expected
> entries in /etc/passwd and /etc/group (I attach both)

Delete both from your system, they are not needed, except for extremely rare
cases.

> Running "whoami" commands from powershell shows:

> PS E:\temp> whoami /groups

> GROUP INFORMATION
> -----------------
> Group Name                                                    Type             SID          Attributes
> ============================================================= ================ ============ ==================================================
> Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
> NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny only
> BUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny only
> BUILTIN\Performance Log Users                                 Alias            S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
> BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
> NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
> CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
> NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
> NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
> NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
> LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
> NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
> Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192
> PS E:\temp> whoami
> jcpr-dell-3\peter
> PS E:\temp> whoami /user

> USER INFORMATION
> ----------------
> User Name         SID
> ================= =============================================
> jcpr-dell-3\peter S-1-5-21-1468824806-2062748802-729869357-100

> I also attach cygcheck.out

See my earlier message, I strongly suggest "noacl" mount option for
directories outside Cygwin root.
No Windows program expects stupid access restrictions produced by basic POSIX
permissions.


-- 
With best regards,
Andrey Repin
Sunday, December 22, 2019 15:35:08

Sorry for my terrible English...
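
An added example, not part of the original message or of Cygwin: a small parser for `icacls` listings that reports which entries are DENY and how many are inherited, run over the two listings quoted above. The names `parse_icacls` and `audit`, and passing the path so it can be stripped from the first line, are assumptions of this example.

```python
import re
from collections import namedtuple

# flags: modifiers printed before the rights, e.g. {"DENY"} or {"I"} (inherited)
Ace = namedtuple("Ace", "principal flags rights")
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([^()]*\))+)$")

def parse_icacls(text, path):
    """Parse the ACE lines that `icacls <path>` printed; the caller supplies path."""
    aces = []
    for i, line in enumerate(text.splitlines()):
        if i == 0 and line.startswith(path):
            line = line[len(path):]  # the first ACE shares a line with the path
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # blank line or the "Successfully processed" trailer
        groups = re.findall(r"\(([^()]*)\)", m["groups"])
        aces.append(Ace(m["who"], frozenset(groups[:-1]), tuple(groups[-1].split(","))))
    return aces

def audit(aces):
    """Summarise what distinguishes the two listings: DENY entries and inheritance."""
    deny = [a.principal for a in aces if "DENY" in a.flags]
    return {"deny": deny, "null_sid_deny": "NULL SID" in deny,
            "explicit": sum("I" not in a.flags for a in aces),
            "inherited": sum("I" in a.flags for a in aces)}

# Constructed sample input: the two listings quoted in the message above.
CYGWIN_FILE = r"""newfile NULL SID:(DENY)(Rc,S,WEA,X,DC)
        JCPR-DELL-3\peter:(R,W,D,WDAC,WO)
        NT AUTHORITY\SYSTEM:(DENY)(S,X)
        BUILTIN\Administrators:(DENY)(S,X)
        BUILTIN\Users:(DENY)(S,X)
        JCPR-DELL-3\None:(R)
        NT AUTHORITY\SYSTEM:(RX,W)
        BUILTIN\Administrators:(RX,W)
        BUILTIN\Users:(RX,W)
        Everyone:(R)"""
EXPLORER_FILE = r"""New Text Document.txt BUILTIN\Users:(I)(M)
                      Everyone:(I)(RX)
                      JCPR-DELL-3\peter:(I)(F)
                      BUILTIN\Administrators:(I)(F)
                      NT AUTHORITY\SYSTEM:(I)(F)"""
if __name__ == "__main__":
    for path, text in (("newfile", CYGWIN_FILE), ("New Text Document.txt", EXPLORER_FILE)):
        print(path, audit(parse_icacls(text, path)))
```

On the Cygwin-created file every entry is explicit and four are DENY; on the Explorer-created file every entry is inherited and none is DENY.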

