This is the mail archive of the cygwin-apps@cygwin.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: ITP: ProFTPD


> On Wed, May 14, 2003 at 11:41:33AM -0400, Bill C. Riemers wrote:
> > The main reason for the group ownership None, is some software packages
> > complain if privileged directories or key files are group writable,
> > regardless of what group you choice.  For example, sshd will complain
about
> > files in /etc, and directories /var/empty, /home/*, /home/*/.ssh .
>
> I don't understand that reasoning.  Sure the package complains.
> But how's that a rational to use None as group?!?

Very simple.  If a file has a group ownership, then you can not set special
permissions with ACL's for that group...

i.e.

   $ touch test1.txt test2.txt
   $ chown 18.544 test1.txt
   $ chown 18.513 test2.txt
   $ chmod 644 test1.txt test2.txt
   $ setfacl -m group:544:rw- test1.txt test2.txt
   $ ls -la test1.txt test2.txt
-rw-rw-r--    1 SYSTEM   Administ        0 May 15 10:04 test1.txt
-rw-r--r--+   1 SYSTEM   None            0 May 15 10:04 test2.txt

Both test1.txt and test2.txt have read and write permissions for
Administrators.  However, only test2.txt retains permissions 644.

Why is this neccissary?  For Unix, normally there is one and only one "root"
user, who has permissions to do everything, and is normally the user used to
run daemons.  For Windows, this "root" permissions get distributed among two
users, "SYSTEM", and "Administrator".  So even programs that expect they
should only have special permissions for "root", may need special
permissions for both these accounts.  Hense the use of ACL's.

Now you might ask why I don't use ACL permissions for group:SYSTEM and
ownership for Administrator instead?  The reason is I found on my Win2K
machine group:SYSTEM automatically
gets changed to user:SYSTEM, and user:Administrator automatically changes to
group:Administrators.  This doesn't happen under WindowsXP Home Edition, but
it might under WindowsXP Professional and WindowsNT.

Of course there are some real disadvantages to ACL's:
    1. There is no -R option for setfacl.
    2. There is no equivalent of "X" to setfacl.
    3. setfacl can not set sticky bits, so it is neccissary to use both
setfacl and chmod.
    4. You can not use the same ACL files for both directories and files
under Win2K.
    5. "cp -a", "tar", "cpio", etc. will not copy ACL's.
    6. The "default:" ACL entries are ignored.  As are the setuid and setgid
bits for directories.
    7. The chown and chgrp will clobber the ACL entries for the new owner
and group.  i.e.
          $ touch test.txt
          $ chown SYSTEM.None test.txt
          $ chmod 644 test.txt
          $ setfacl -m group:Administrators:rw- test.txt
          $ echo "hi" > test.txt
          $ chgrp Administrators test.txt
          $ echo "bye" > test.txt
          bash: test.txt: Permission denied
Most of these limitations are a result of the way Windows works, and are
better than the alternatives.

                                               Bill



Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]