Jon Turney wrote:
On 04/10/2022 13:05, Christian Franke wrote:
Jon Turney wrote:
Corinna had some concerns about making the owner a group, rather
than a user, which I believe historically caused some difficulties
in Cygwin, so I think I'll need to understand that better before
making a decision about this change.
I see. Do you have any info about these difficulties?
Are these still relevant? If yes, let's forget this patch.
After a bit of research, I think the issue was that if you make user
owner and group owner map onto the same Windows SID, certain unix
access permissions cannot be reversibly mapped onto a Windows ACL.
(e.g. you can't set the mode to 0600, because when you read that back,
its mode is 0660. Some programs, e.g. ssh, check for and require 0600
permission on some files)
No and yes.
No, a quick test shows that stat() returns what chmod() sets even in
this case:
# for p in 600 640 660 644 664; do f=perm-$p &&
    touch $f && chown Administrators.Administrators $f &&
    chmod $p $f && ls -l $f
  done
-rw------- 1 Administrators Administrators 0 Nov 30 18:39 perm-600
-rw-r----- 1 Administrators Administrators 0 Nov 30 18:39 perm-640
-rw-rw---- 1 Administrators Administrators 0 Nov 30 18:39 perm-660
-rw-r--r-- 1 Administrators Administrators 0 Nov 30 18:39 perm-644
-rw-rw-r-- 1 Administrators Administrators 0 Nov 30 18:39 perm-664
The above likely works due to some heuristic based on ACE order.
Yes, the effective permissions of 0600 are always the same as 0660
because the first ACE is already for the group:
# icacls perm-\*
perm-600 BUILTIN\Administrators:(R,W,D,WDAC,WO)
         BUILTIN\Administrators:(Rc,S,RA)
         Everyone:(Rc,S,RA)
perm-640 BUILTIN\Administrators:(R,W,D,WDAC,WO)
         BUILTIN\Administrators:(R)
         Everyone:(Rc,S,RA)
perm-644 BUILTIN\Administrators:(R,W,D,WDAC,WO)
         BUILTIN\Administrators:(R)
         Everyone:(R)
perm-660 BUILTIN\Administrators:(R,W,D,WDAC,WO)
         BUILTIN\Administrators:(R,W)
         Everyone:(Rc,S,RA)
perm-664 BUILTIN\Administrators:(R,W,D,WDAC,WO)
         BUILTIN\Administrators:(R,W)
         Everyone:(R)
(Tests done on German Windows and localized names renamed afterwards).
This perhaps isn't terribly relevant to files created by setup
It may depend on how access checks are done by ssh etc. (mode bits or
effective permissions).
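
The difference between the two kinds of check discussed in this message, as an added example that is not part of the original mail: it parses two entries of the icacls listing above and compares a mode string derived from ACE position with the rights a group member actually accumulates. The function names, the position-based mode guess, and the simplified allow-only access check are assumptions for illustration, not Cygwin's or Windows' code.

```python
# Constructed from the icacls listing in the message (first and fourth file).
ICACLS = r"""
perm-600 BUILTIN\Administrators:(R,W,D,WDAC,WO)
         BUILTIN\Administrators:(Rc,S,RA)
         Everyone:(Rc,S,RA)
perm-660 BUILTIN\Administrators:(R,W,D,WDAC,WO)
         BUILTIN\Administrators:(R,W)
         Everyone:(Rc,S,RA)
"""

def parse_icacls(text):
    """Return {filename: [(trustee, {rights}), ...]}, preserving ACE order."""
    acls, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # a new file entry starts in column 0
            current, line = line.split(None, 1)
            acls[current] = []
        trustee, rights = line.strip().rsplit(":", 1)
        acls[current].append((trustee, set(rights.strip("()").split(","))))
    return acls

def posix_view(aces):
    """Mode string guessed from ACE position: 1st = user, 2nd = group, 3rd = other.
    Hypothetical stand-in for the ACE-order heuristic mentioned in the message."""
    return "".join(("r" if "R" in r else "-") + ("w" if "W" in r else "-")
                   for _, r in aces[:3])

def effective_rights(aces, token_sids):
    """Union of all allow ACEs matching the caller's token.
    Assumption: allow ACEs only, as in the listing; no deny ACEs, no inheritance."""
    granted = set()
    for trustee, rights in aces:
        if trustee in token_sids:
            granted |= rights
    return granted

ACLS = parse_icacls(ICACLS)
# Token of any member of the group that is also the file's owner.
ADMIN_TOKEN = {r"BUILTIN\Administrators", "Everyone"}

if __name__ == "__main__":
    for name, aces in ACLS.items():
        print(name, posix_view(aces), sorted(effective_rights(aces, ADMIN_TOKEN)))
```

A check that reads mode bits sees perm-600 as private, while a check on effective rights sees the same access as perm-660.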