cygwin permissions on folders creating problems for windows applications (like explorer, gvim)

Brian Inglis Brian.Inglis@SystematicSw.ab.ca
Wed Sep 9 17:08:08 GMT 2020


On 2020-09-09 00:55, L A Walsh wrote:
> I was trying to edit files in
> /etc/ssh:
>   /etc/ssh> gvim sshd_config
>   Error: Current working directory has restricted permissions which render it
>   inaccessible as Win32 working directory.
>   Can't start native Windows application from here.
>   setsid: failed to execute gvim: Permission denied
> The files were owned by a domain account which is broken right now.
>   An Aside (I think)
>     (my workstation became unjoined after a windows update and the trust
>     between workstation+samba DC was broken.  Tried removing + re-adding
>     only to get:
>       The join operation was not successful.  This could be because an
>       existing computer account having name 'ANY' was previous
>       created using a different set of credential.  Use a different
>       computer name, or contact your administrator to remove any
>       stale conflicting account.  The error was Access is denied.
>     So far, I've been stymied on that front as well
>    End of aside
> The dir was owned by a domain account, so chowned it to a local account+
> group, and no effect.  Noticed an ACL on it from the + in ls.
> my lsacl script shows:
> /etc/ssh> lsacl .
> [u::rwx,u:Administrators_u:rwx,g::rwx,g:SYSTEM:rwx,g:Users:r-x,g:Authenticated Users:rwx,m::rwx,o::---/u::rwx,u:Administrators_u:rwx,g::rwx,g:SYSTEM:rwx,g:Users:r-x,g:Authenticated Users:rwx,m::rwx,o::r-x] .
> and getfacl shows:
> /etc/ssh> getfacl .
> # file: .
> # owner: Administrators_u
> # group: Administrators
> user::rwx
> user:Administrators_u:rwx
> group::rwx
> group:SYSTEM:rwx
> group:Users:r-x
> group:Authenticated Users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:Administrators_u:rwx
> default:group::rwx
> default:group:SYSTEM:rwx
> default:group:Users:r-x
> default:group:Authenticated Users:rwx
> default:mask::rwx
> default:other::r-x
> Looking in explorer I see
> a NULL SID with Deny of Traverse, Read ext attrs and perm, and del subfolders
> for the folder only.
> Authenticated users get denied for folder Create files/write data, 
> Create folders /append data, write attrs,  write ext.attrs, + delete subfolders+files
> Then they get some perms for folder+subfolds+files
> and a copy of the null sid denials...
> Explorer maintains that "The permissions on etc/ssh are incorrectly ordered
> which may cause some entries to be ineffective.  In order to change 
> any permissions, windows requires they be reordered."
> I've run into this stuff before with cygwin permissions being incompatible
> with windows permissions.  I've sort of ignored it for the most part as my 
> domain account generally had permissions to what I needed, but my local
> account hasn't had the same treatment.
> So I can reinstall new acls for the local equivalents of the domain
> accounts or I can try to figure out why cygwin has to use acls that
> are incompatible with windows applications -- and by incompatible, I 
> mean they won't start.
> Oddly enough Samba seems to be able to store cygwin Acls,
> in a way that doesn't seem to require a disabling of windows acls 
> nor linux acls.  I may be wrong, but I seem to have a feeling that
> this has to do with a decision to use Sun-ACL's in cygwin while
> Samba uses Posix ACLs.  Also, something I didn't understand is I
> seem to remember that something special had to be done to implement
> a primary group on the files -- yet, since Vista, MS has had a primary
> group on their files to support their POSIX subsystem.  Is that 
> currently being used?  If not, would it be possible?
> The group ID may not be figuring into how the cyg-acl's are very
> incompat with window's acl's, I dunno.
> But my main concern is not being able to start any windows apps in
> directories where cygwin has set the permissions as they seem to
> be incompatible.  Can these be made compatible?  If there is some
> behavior that would have to change in regards to how cygwin acls +
> permissions behave, could it be based off an environment variable --
> to use more compatible posix ACL's rather than sun ACL's?  
> I may be showing a great deal of ignorance, but it seems that cygwin
> is supposed to be a posix implementation -- wouldn't posix acls make
> more sense?

Cygwin used to support Sun ACLs but Corinna's patches changed those to POSIX
ACLs implemented using Windows ACLs, so Cygwin ACLs *ARE* legal Windows ACLs,
but those where Cygwin ACLs have to start with a NULL DENY ALL ACE do not
conform to Windows File Explorer's narrow-minded view of what you should be
allowed to do with ACEs in ACLs, although nothing else within Windows complains,
including chkdsk, dism, scandisk, sfc scannow disk integrity tools, but many
Windows backup/restore utilities garble them!

If you have files with permissions equivalent to a+r,u+w,go-w ACL
u::rw-,g::r--,o::r-- or directories ACL
u::rwx,g::r-x,o::r-x,d:u::rwx,d:g::r-x,d:o::r-x or executables ACL
u::rwx,g::r-x,o::r-x with permissions equivalent to a+rx,u+w,go-w, just running
setfacl -b against *Cygwin* directories or files with those long ACLs will
normally reduce those to the minimum required e.g. [sanitized - use icacls to
see real ACEs - *DO NOT MODIFY* non-Cygwin Windows directories and files used by
Windows programs]

$ lsp .bash_logout .bash_profile .ssh
-rwxr-xr-x 1 $USER None 293 Oct  9  2017 .bash_logout

# file: .bash_logout
# owner: $USER
# group: None
user::rwx
group::r-x
other::r-x

.bash_logout $HOSTNAME\$USER:(F)
             $HOSTNAME\None:(RX)
             Everyone:(RX)

Successfully processed 1 files; Failed processing 0 files

-rw-r--r-- 1 $USER None 6323 Dec  1  2019 .bash_profile

# file: .bash_profile
# owner: $USER
# group: None
user::rw-
group::r--
other::r--

.bash_profile $HOSTNAME\$USER:(R,W,D,WDAC,WO)
              $HOSTNAME\None:(R)
              Everyone:(R)

Successfully processed 1 files; Failed processing 0 files

drwx------+ 1 $USER None 0 Mar  8  2020 .ssh

# file: .ssh
# owner: $USER
# group: None
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::---

.ssh $HOSTNAME\$USER:(OI)(CI)(F)
     CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

[Among Windows File Explorer's other lackings is that it also doesn't display file
time stamps before 1979-12-31 23:59:59+0000 - they show as blank - reported to MS.]

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in IEC units and prefixes, physical quantities in SI.]

lsp - list permissions - is just a hacky bash function that lets me check *ALL*
Cygwin permissions without thinking:

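lsp ()
{
    # For each path: the ls mode line, the Cygwin (POSIX) ACL from getfacl,
    # and the underlying Windows ACEs from icacls.
    local p o='-n'
    for p in "$@"
    do
        echo $o                         # blank line between entries, none before the first
        ls -adlL "$p"                   && \
        echo                            && \
        getfacl "$p"                    && \
        icacls "$(cygpath -m "$p")"     # "$p" quoted so paths with spaces survive
        o=''
    done
}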
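
Added example, not part of the original message and not Cygwin's own code: a check to run on getfacl output before using setfacl -b, listing the entries that name a specific user or group so they can be reviewed first. The function names are made up for illustration; the two sample listings are copied from the getfacl output quoted in this thread.

```shell
# Added example; function names are hypothetical, sample data is from the thread.

# Print every entry of a getfacl listing (stdin) that names a specific user
# or group, in the access ACL or the default ACL.
named_acl_entries() {
    awk -F: '
        /^#/ || /^[[:space:]]*$/ { next }      # header comments, blank lines
        {
            off  = ($1 == "default") ? 1 : 0   # default:user:NAME:perms
            tag  = $(1 + off)
            name = $(2 + off)
            if ((tag == "user" || tag == "group") && name != "") print
        }'
}

# Succeed when the listing (stdin) has only owner/group/other/mask entries.
acl_is_mode_only() {
    [ -z "$(named_acl_entries)" ]
}

sample_etc_ssh() {      # the /etc/ssh listing from the question
    cat <<'EOF'
# file: .
# owner: Administrators_u
# group: Administrators
user::rwx
user:Administrators_u:rwx
group::rwx
group:SYSTEM:rwx
group:Users:r-x
group:Authenticated Users:rwx
mask::rwx
other::---
default:user::rwx
default:user:Administrators_u:rwx
default:group::rwx
default:group:SYSTEM:rwx
default:group:Users:r-x
default:group:Authenticated Users:rwx
default:mask::rwx
default:other::r-x
EOF
}

sample_ssh_dir() {      # the reduced .ssh listing from the reply
    printf '%s\n' '# file: .ssh' 'user::rwx' 'group::---' 'other::---' \
        'default:user::rwx' 'default:group::---' 'default:other::---'
}
sample_etc_ssh | named_acl_entries   # prints the 8 named entries
```

On a live system the same functions take real input, e.g. getfacl /etc/ssh | named_acl_entries.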


