This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: setfacl can kill a drive


On Apr  8 16:40, Steven Penny wrote:
> On Wed, Apr 8, 2015 at 5:17 AM, Steven Penny wrote:
> > I upgraded to the new Cygwin today, why is this command producing different
> > permissions? Moreover how do I get it to produce sane results?
> 
> I was able to use these commands to produce sane results
> 
>     $ cd /cygdrive/c
> 
>     $ touch bad.txt
> 
>     $ setfacl -k .
> 
>     $ touch good.txt
> 
>     $ ls -l *.txt
>     -rw-rwxr--+ 1 John None 0 Apr  8 02:16 bad.txt
>     -rw-r--r--  1 John None 0 Apr  8 02:16 good.txt
> 
> I feel that the default permissions are wrong here. On Linux when you
> create a new file with touch, it does not have executable permissions,

It's a result of ACL inheritance and before the changes to Cygwin's
ACL handling, you wouldn't even have seen it.

> for good reason.  This would be a security issue.

No, it's how ACL inheritance works on Windows, combined with the way the
group permissions reflect the ACL mask value per POSIX 1003.1e draft 17.
See, e.g., http://linux.die.net/man/5/acl, "Correspondence Between Acl
Entries And File Permission Bits".  Note that the group permission bits
are reflecting all additional permissions added to the file by Windows
ACL inheritance.  So it's actually a great help identifying security
issues.

The real issue here is, of course, the fact that the mask value is not
umask'ed at file creation time.  This is WIP I'm actually working on
right now.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
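
The mapping described in the reply above, as an added example that is not part of the original message or of Cygwin's code: it derives the `ls -l` mode string from getfacl-style entries and lists the named entries that widen the group bits. The two ACL listings and the `Administrators` entry are constructed for illustration.

```python
# Constructed getfacl-style listings (not taken from the thread): an ACL with an
# inherited named entry, and the minimal ACL left after `setfacl -k .`.
BAD_ACL = "user::rw-\ngroup::r--\ngroup:Administrators:rwx\nmask:rwx\nother:r--\n"
GOOD_ACL = "user::rw-\ngroup::r--\nother:r--\n"

def parse_acl(text):
    """Return (tag, qualifier, perms) tuples; accepts `mask:rwx` and `mask::rwx`."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop header and "#effective:" comments
        if line:
            parts = line.split(":")
            entries.append((parts[0], parts[1] if len(parts) == 3 else "", parts[-1]))
    return entries

def pick(entries, tag):
    """Perms of the unqualified entry with this tag, or None if absent."""
    return next((p for t, q, p in entries if t == tag and not q), None)

def mode_string(entries):
    """Permission bits as `ls -l` shows them under the POSIX 1003.1e mapping."""
    mask = pick(entries, "mask")
    # With a mask present, the group bits show the mask, not the group:: entry.
    group_class = mask if mask is not None else pick(entries, "group")
    extended = "+" if len(entries) > 3 else ""
    return pick(entries, "user") + group_class + pick(entries, "other") + extended

def effective(perms, mask):
    """Rights a named entry actually grants: its perms limited by the mask."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def widening_entries(entries):
    """Named entries whose effective rights exceed the owning group's entry."""
    group_obj, mask = pick(entries, "group"), pick(entries, "mask") or "rwx"
    found = []
    for tag, qual, perms in entries:
        eff = effective(perms, mask)
        # Any right present in eff that group:: does not carry widens the group bits.
        if qual and any(e != "-" and e != g for e, g in zip(eff, group_obj)):
            found.append((tag, qual, eff))
    return found

if __name__ == "__main__":
    for name, text in (("bad.txt", BAD_ACL), ("good.txt", GOOD_ACL)):
        acl = parse_acl(text)
        print(name, mode_string(acl), widening_entries(acl))
```
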
