This is the mail archive of the cygwin mailing list for the Cygwin project.



Issues with ACL settings after updating to the latest cygwin.dll - correction


Hi,
I have the various problems you have with this new security right NULL SID DENY added to some files.
Sometimes Windows also can't access the files concerned.
It considers the security rights unordered and I have to order them before continuing.
It's too difficult for me to help you correct the problem.
I only give leads for correcting the effects, to return to a clean situation.

I have a solution to list all files concerned in a directory tree:
#!/bin/bash
#	List on stdout objects with DENY
if [ $# -eq 0 ] ; then echo "Usage $0 path" ; exit 1 ; fi
cd "$1" || { echo "Bad path" ; exit 1; }
find . |grep -v -E '^\.$|RECYCLE.BIN|RECYCLER|System Volume Information'|while IFS= read -r i
do	#echo "$i"
	1>&2 echo -en "$i\\r" #to see progression
	j=$(cygpath "$i")
	c=$(2>/dev/null cacls "$j" /L)
	if [ $? -ne 0 ] ; then
		s=$(file "$i"|grep 'symbolic link to')
		if [ -z "$s" ] ; then echo "not found $j" ; fi
		continue
	fi
	s=$(echo "$c"|grep -i 'NULL SID:(DENY)')
	if [ ! -z "$s" ] ; then
		echo "$c" 
	fi 
done |tee /tmp/1

I use /tmp/1 here as a buffer. I can edit it before submitting it to the next solution.
It's safer for the moment.

I have another solution to patch the security items contained in this buffer (here /tmp/1):
#!/bin/bash
#	Patch objects recognized having NULL SID right
#	one to one - with icacls - exit at the 1st error
ws=/tmp/NULSID	#root name for 2 temporary files, with .org and .new as suffixes
cat /tmp/1|grep '^.:'|while read -r i ; do
	j=$(echo "$i"|sed 's/ NULL SID.*//')
	echo "	chg $j"
	corg="$ws.org"
	cnew="$ws.new"
	icacls "$j" /save "$(cygpath -w "$corg")" || exit 1
	#icacls saves UTF-16: NUL bytes are temporarily replaced by \001 so sed can edit the text
	#the 2nd sed expression removes every deny ACE "(D...)", whatever its SID
	tr '\0' '\001' < "$corg"|LC_ALL=C sed -e '1 s/.*/.\x01/' -e 's/(\x01D[^)]*)\x01//g'|tr '\001' '\0' > "$cnew"
	icacls "$j" /restore "$(cygpath -w "$cnew")" || exit 1
done

This solution is not complete but is usable for me now. I find many problems in the cygwin system (more than 3000 in /bin /lib ...).
I am not comfortable leaving this problem with ACLs. Some files are concerned, others not.
I want a more deterministic function for the cygwin system.
Maybe an upgrade of all project data is necessary before the use of these new ACL functionalities.

Sorry for my English

Regards


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
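
As an added example (not code from the original message), the following Python filters an `icacls /save` file so that only deny ACEs whose trustee is the NULL SID (S-1-0-0) are removed, where the sed expression in the message drops every `(D...)` ACE. It assumes the saved file is UTF-16LE with CRLF line ends and alternating name and SDDL lines; the function names and the sample data are constructed for illustration.

```python
import re

NULL_SID = "S-1-0-0"                   # well-known NULL SID
ACE_RE = re.compile(r"\(([^()]*)\)")   # one parenthesised ACE without nesting


def strip_null_sid_deny(sddl):
    """Return (new_sddl, removed): drop only deny ACEs granted to the NULL SID."""
    removed = []

    def keep_or_drop(match):
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        fields = match.group(1).split(";")
        if len(fields) >= 6 and fields[0] == "D" and fields[5] == NULL_SID:
            removed.append(match.group(0))
            return ""
        return match.group(0)          # every other ACE is kept untouched

    return ACE_RE.sub(keep_or_drop, sddl), removed


def rewrite_saved_acls(data):
    """data: bytes of an `icacls /save` file (assumed UTF-16LE, CRLF).

    Returns (new_bytes, report) where report maps each object name to the
    ACEs that were removed, so the change can be reviewed before /restore.
    """
    lines = data.decode("utf-16-le").split("\r\n")
    report = {}
    # Assumed layout: a name line followed by the SDDL line for that object.
    for k in range(1, len(lines), 2):
        lines[k], removed = strip_null_sid_deny(lines[k])
        if removed:
            report[lines[k - 1]] = removed
    return "\r\n".join(lines).encode("utf-16-le"), report


# Constructed sample: one NULL SID deny ACE and one unrelated deny ACE (WD).
SAMPLE = ("bin\\ls.exe\r\n"
          "D:P(D;;WP;;;S-1-0-0)(A;;FA;;;BA)(D;;FW;;;WD)(A;;0x1200a9;;;WD)\r\n"
          ).encode("utf-16-le")

if __name__ == "__main__":
    new_bytes, report = rewrite_saved_acls(SAMPLE)
    print(report)
    print(new_bytes.decode("utf-16-le"))
```

The returned report can be compared with the list in /tmp/1 before the rewritten file is passed to `icacls /restore`.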

