This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: group permissions


On 09.02.2015 at 10:14, Corinna Vinschen wrote:
On Feb  9 00:03, Thomas Wolff wrote:
With 1.7.34-6:
- the fixes in POSIX ACL handling and the effect this has on the standard
     POSIX group permissions, as well as the accompanying new setfacl(1)
     options -b/--remove-all and -k/--remove-default.

See https://cygwin.com/cygwin-ug-net/using-utils.html#setfacl
and https://cygwin.com/faq.faq.html#faq.using.ssh-pubkey-stops-working
and https://cygwin.com/faq.faq.html#faq.using.same-with-rhosts
Group permissions are now composed of multiple ACL entries, like:
-rw-rwx---+ 1 towo Domain Users   128 Feb  5 13:36 x
with ACL:
# file: x
# owner: towo
# group: Domain Users
user::rw-
group::r-x
group:SYSTEM:rwx
mask:rwx
other:---

chmod g-wx does not work on x, only after setfacl -d group:SYSTEM x ,
the g-w bit is gone.  This is surprising behaviour (and has been
discussed in a specific context in another thread); the explanation is
hidden in only roughly related sections of the user guide (setfacl) or
even the FAQ, and is not found in the section Permissions and Security
where one would look first; I suggest to add an illustrative section
there.
Yes, sure, why not.  Any idea for a patch?

However, I am not yet convinced that the explanation makes it less
surprising from a POSIX point of view because the file does not have
the group 'SYSTEM' which is responsible for the g+wx flags.  Maybe ls
-l should display a more permissive group (in the example case SYSTEM
rather than Domain Users) to give the user a hint? How is this handled
on other ACL systems? (I can check next week.)
ls shows the primary group of the file and that's not going to change.
The hint that more permissions are given is the '+' sign appended to the
permission bits.
I checked on an Ubuntu system where behaviour is more intuitive by some functionality added by chmod; it implicitly modifies the "mask" entry to achieve exactly the effect most likely to be desired by chmod (showing only the group-relevant output lines of getfacl below):

Cygwin:

> ls -l x; getfacl x
-rw-r--r-- 1 me Domain Users 0 Feb  9 15:04 x
group::r--

> setfacl -m group:Users:rwx x
> ls -l x; getfacl x
-rw-rwxr--+ 1 me Domain Users 0 Feb  9 15:04 x
group::r--
group:Users:rwx
mask:rwx

> chmod g-wx x
> ls -l x; getfacl x
-rw-rwxr--+ 1 me Domain Users 0 Feb  9 15:04 x
group::r--
group:Users:rwx
mask:rwx


Ubuntu:

> ls -l x; getfacl x
-rw-r--r-- 1 xubuntu xubuntu 0 Feb  9 15:04 x
group::r--

> setfacl -m group:adm:rwx x
> ls -l x; getfacl x
-rw-rwxr--+ 1 xubuntu xubuntu 0 Feb  9 15:04 x
group::r--
group:adm:rwx
mask:rwx

> chmod g-wx x
> ls -l x; getfacl x
-rw-r--r--+ 1 xubuntu xubuntu 0 Feb  9 15:04 x
group::r--
group:adm:rwx                   #effective:r--
mask:r--


------
Thomas

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
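The two transcripts above differ only in which ACL entry receives chmod's group bits. The Python model below is an added example, not part of the original message and not Cygwin or Linux code; its function names are illustrative. It follows the Linux acl(5) rules for the Ubuntu case, and for the Cygwin 1.7.34 case it assumes chmod writes only the group:: entry, which is consistent with the transcript but is an assumption.

```python
# Added illustration: a small model of POSIX.1e-style ACL group-class handling.
# SAMPLE is constructed from the getfacl output quoted in the message.
SAMPLE = "user::rw-\ngroup::r--\ngroup:adm:rwx\nmask:rwx\nother:r--\n"
MASK, GROUP_OBJ = ("mask", ""), ("group", "")

def parse_acl(text):
    """Parse getfacl lines into {(tag, qualifier): set of 'r', 'w', 'x'}."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drops "# file:" and "#effective:"
        if not line:
            continue
        parts = line.split(":")               # accepts "mask:rwx" and "mask::rwx"
        qualifier = parts[1] if len(parts) == 3 else ""
        acl[(parts[0], qualifier)] = set(parts[-1].replace("-", ""))
    return acl

def fmt(perms):
    return "".join(c if c in perms else "-" for c in "rwx")

def ls_group_bits(acl):
    """Group bits shown by ls -l: the mask if one exists, else group::."""
    return fmt(acl.get(MASK, acl[GROUP_OBJ]))

def effective(acl):
    """Effective rights of each group-class entry: entry AND mask."""
    mask = acl.get(MASK)
    return {k: fmt(p if mask is None else p & mask)
            for k, p in acl.items()
            if k[0] == "group" or (k[0] == "user" and k[1])}

def chmod_group(acl, perms, writes_mask):
    """Return a copy of acl with new group bits applied as chmod would.

    writes_mask=True:  Linux rule, the bits go to the mask when one exists.
    writes_mask=False: assumed model of the Cygwin 1.7.34 transcript, where
                       only group:: is written and the mask is left alone.
    """
    new = dict(acl)
    key = MASK if writes_mask and MASK in acl else GROUP_OBJ
    new[key] = set(perms.replace("-", ""))
    return new

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    for name, writes_mask in (("Ubuntu", True), ("Cygwin 1.7.34", False)):
        after = chmod_group(acl, "r--", writes_mask)   # chmod g-wx on rwx
        print(name, "ls group bits:", ls_group_bits(after),
              "| group:adm effective:", effective(after)[("group", "adm")])
```

In the Cygwin case the named group keeps write and execute access after chmod g-wx, so on a file whose mode ends in '+' the getfacl output, not the mode string, shows who actually has access.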

