This is the mail archive of the cygwin mailing list for the Cygwin project.



setfacl: root of all evil?


Hi Corinna,

Yes, sorry, setfacl again ...

Now, I am NOT an expert on Windows (I do not want to be), and I realize that I am in the company
of experts on Windows (on Windows ACL) here, so it is inevitable that I will be out of my league
below, and speak "erroneously" about Windows ACL.

Nevertheless, the reason for my post is that setfacl FAILS, where chmod SUCCEEDS ...

Over the years (XP) my "Posix" trees (Cygwin) looked like this:

@@ uname -a
CYGWIN_NT-6.1-WOW Seven 1.7.35(0.286/5/3) 2015-02-12 20:59 i686 Cygwin

@@ mkdir T
@@ icacls T                        @@ getfacl T        @@ ls -ld T
T Seven\Henri:(F)                  # file: T           drwxr-xr-x+ 1 Henri None 0 ... T
  Seven\None:(RX)                  # owner: Henri
  Everyone:(RX)                    # group: None
  CREATOR OWNER:(OI)(CI)(IO)(F)    user::rwx
  CREATOR GROUP:(OI)(CI)(IO)(RX)   group::r-x
  Everyone:(OI)(CI)(IO)(RX)        other:r-x
                                   default:user::rwx
                                   default:group::r-x
                                   default:other:r-x

@@ touch T/aap
@@ icacls T/aap                    @@ getfacl T/aap    @@ ls -l T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)  # file: T/aap       -rw-r--r-- 1 Henri None 0 ... T/aap
      Seven\None:(R)               # owner: Henri
      Everyone:(R)                 # group: None
                                   user::rw-
                                   group::r--
                                   other:r--

@@ chmod 755 T/aap
@@ icacls T/aap                    @@ getfacl T/aap    @@ ls -l T/aap
T/aap Seven\Henri:(M,WDAC,WO)      # file: T/aap       -rwxr-xr-x 1 Henri None 0 ... T/aap
      Seven\None:(RX)              # owner: Henri
      Everyone:(RX)                # group: None
                                   user::rwx
                                   group::r-x
                                   other:r-x

This "standard" has served me well ... I did not have to fight with mkdir, chmod, etc ... And the
occasional Windows generated file did not fall "out of tune" too much.

Moreover, after extraction of a .zip file in one of my "Posix" directories, it was fairly easy to
reset the permissions of the extracted files (and directories), using setfacl.

Currently, using this procedure, setfacl fails ...

My investigation into the cause of this failure eventually led me to simple test cases in which
setfacl fails, but where chmod succeeds.

(more details, if needed, in attached files)

Basically, setfacl removes "write attributes" from the file owner (where chmod does not).

(also: setfacl makes the creator owner lose rights -- in comparison to chmod)

RFC :-)

Henri

----- setfacl/file
@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ touch T/aap
@@ setfacl -s u::r--,g::r--,o:r-- T/aap
@@ setfacl -s u::rw-,g::r--,o:r-- T/aap
setfacl: Permission denied
@@ chmod 644 T/aap
chmod: changing permissions of ‘T/aap’: Permission denied
@@ touch T/aap
touch: cannot touch ‘T/aap’: Permission denied
@@ rm T/aap
/bin/rm: remove write-protected regular empty file ‘T/aap’? y
@@ ls -l T/aap
ls: cannot access T/aap: No such file or directory
@@

----- chmod/file
@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ touch T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
@@ chmod u-w T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,D,WDAC,WO,WA) # <==== Note: lost W, but got WA instead ... (setfacl fails here)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
@@ chmod u+w T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
@@ touch aap
@@

----- setfacl/directory
@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@ setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
setfacl: Permission denied
@@ chmod 755 T
chmod: changing permissions of ‘T’: Permission denied
@@ rmdir T
@@ ls -ld T
ls: cannot access T: No such file or directory

----- chmod/directory
@@ pwd
/drv/e
@@ mkdir T
@@ chmod u-w T
@@ icacls T
T Seven\Henri:(RX,D,WDAC,WO,WA) # <==== Note: lost W, but got WA instead ... (setfacl fails here)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@ chmod u+w T
@@ icacls T
T Seven\Henri:(F)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
@@

=====

Attachment: run-setfacl-sucks-file.txt
Description: Text document

Attachment: run-chmod-rocks-file.txt
Description: Text document

Attachment: run-setfacl-sucks-directory.txt
Description: Text document

Attachment: run-chmod-rocks-directory.txt
Description: Text document

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
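
The message above turns on whether the owner's ACE still carries "write attributes" (WA, or a simple right that includes it) after a permission change. The script below is an added example, not part of the original post or of Cygwin: it reads icacls output and reports that for one principal. The helper name owner_write_attrs is hypothetical; two sample listings are copied from the message and the third is constructed.

```shell
#!/bin/sh
# Added example: does a principal's ACE in `icacls` output include
# FILE_WRITE_ATTRIBUTES, either as WA or through F, M, W (or generic GW/GA)?
# owner_write_attrs is a hypothetical helper name, not a Cygwin tool.

owner_write_attrs() {   # usage: icacls FILE | owner_write_attrs 'HOST\User'
    WHO="$1" awk '
        BEGIN { who = ENVIRON["WHO"] ":"; found = "no" }
        {
            pos = index($0, who)                 # literal match, backslash-safe
            if (pos == 0) next
            ace = substr($0, pos + length(who))
            sub(/[ \t]*#.*$/, "", ace)           # drop trailing annotations
            # Inherit-only and deny entries grant nothing on this object.
            if (ace ~ /\(IO\)/ || ace ~ /\(DENY\)/) next
            sub(/^.*\(/, "", ace)                # keep the last (...) group:
            sub(/\).*$/, "", ace)                # the comma-separated rights
            n = split(ace, r, ",")
            for (i = 1; i <= n; i++)
                if (r[i] ~ /^(F|M|W|WA|GW|GA)$/) found = "yes"
        }
        END { print found }
    '
}

# Listing from the message: file as created by touch.
acl_created() { cat <<'EOF'
T/aap Seven\Henri:(R,W,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)
EOF
}

# Listing from the message: after chmod u-w (W gone, WA kept).
acl_chmod_u_minus_w() { cat <<'EOF'
T/aap Seven\Henri:(R,D,WDAC,WO,WA)
      Seven\None:(R)
      Everyone:(R)
EOF
}

# Constructed input (not from the message): an owner ACE without W or WA.
acl_no_write_attrs() { cat <<'EOF'
T/aap Seven\Henri:(R,D,WDAC,WO)
      Seven\None:(R)
EOF
}

for s in acl_created acl_chmod_u_minus_w acl_no_write_attrs; do
    printf '%-20s write-attributes: %s\n' "$s" "$($s | owner_write_attrs 'Seven\Henri')"
done
```

On a live system the same function can be fed directly, e.g. icacls T/aap | owner_write_attrs 'Seven\Henri', before and after the setfacl and chmod steps shown in the message.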
