On Feb 26 23:29, Corinna Vinschen wrote:
> Having discussed this, I can understand that it may be desirable to
> skip the permissions of the SYSTEM account in these circumstances:
>
> - Computing the POSIX ACL mask and default mask value and thus in
>   the permission mask as printed by `ls -l'.

Trying to be more exact:

- Right now, the POSIX ACL mask value includes the permissions of the
  SYSTEM account, if it's in the ACL. The function collecting the ACL
  entries can easily skip adding the permissions of SYSTEM to the mask
  value. Thus, the mask value only reflects the permissions of all
  other users and groups, and so ls -l will not show rwx group perms
  only because SYSTEM has rwx perms.

  Example:

  Today:

    $ getfacl .ssh/authorized_keys
    # file: authorized_keys
    # owner: corinna
    # group: vinschen
    user::rw-
    group::---
    group:SYSTEM:rwx
    mask:rwx                <= !!!!!
    other:---
    [~/.ssh](64)$ ls -l authorized_keys
    -rw-rwx---+ 1 corinna vinschen 1025 Jun 15  2014 authorized_keys
        ^^^ !!!

  With the proposed change:

    # file: authorized_keys
    # owner: corinna
    # group: vinschen
    user::rw-
    group::---
    group:SYSTEM:rwx
    mask:---                <= !!!!!
    other:---
    [~/.ssh](64)$ ls -l authorized_keys
    -rw-------+ 1 corinna vinschen 1025 Jun 15  2014 authorized_keys
        ^^^ !!!

> - Changing SYSTEM permissions when calling chmod, unless SYSTEM is the
>   file's owning group.

A chmod can easily skip the SYSTEM ACE when applying the group perms to
all secondary users and groups in the ACL. So a SYSTEM rwx stays rwx.
Unless, of course, SYSTEM is the owning group of the file.

  Example:

  Today:

    $ chmod 600 .ssh/authorized_keys
    $ getfacl .ssh/authorized_keys
    # file: authorized_keys
    # owner: corinna
    # group: vinschen
    user::rw-
    group::---
    group:SYSTEM:---        <= !!!!!
    mask:---
    other:---

  With the proposed change:

    $ chmod 600 .ssh/authorized_keys
    $ getfacl .ssh/authorized_keys
    # file: authorized_keys
    # owner: corinna
    # group: vinschen
    user::rw-
    group::---
    group:SYSTEM:rwx        <= !!!!!
    mask:---
    other:---

> Changing this in the code is pretty straightforward, but I'm not willing
> to add another mount option for this behaviour. Either Cygwin ignores
> SYSTEM in the aforementioned circumstances or it doesn't.
>
> Crucial vote starting... now.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
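
An added example, not part of the original mail and not Cygwin's code: a simplified C model of the two proposed behaviours, using the authorized_keys ACL from the mail as constructed sample data. The struct layout, the function names and the treatment of chmod as a bitwise AND on named entries are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of the entries getfacl prints; not Cygwin's own types. */
enum tag { USER_OBJ, GROUP_OBJ, GROUP, OTHER };
struct entry { enum tag tag; const char *name; unsigned perm; /* rwx == 7 */ };

/* Constructed sample: the authorized_keys ACL shown in the mail. */
const struct entry SAMPLE[4] = {
    {USER_OBJ, "", 6}, {GROUP_OBJ, "", 0}, {GROUP, "SYSTEM", 7}, {OTHER, "", 0} };

static bool is_system(const struct entry *e) {
    return e->tag == GROUP && strcmp(e->name, "SYSTEM") == 0;
}

/* Mask = union of group-class perms; skip_system drops SYSTEM (proposal). */
unsigned acl_mask(const struct entry *acl, size_t n, bool skip_system) {
    unsigned mask = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].tag == USER_OBJ || acl[i].tag == OTHER) continue;
        if (skip_system && is_system(&acl[i])) continue;
        mask |= acl[i].perm;
    }
    return mask;
}

/* Mode bits as ls -l prints them: the group field shows the mask. */
unsigned ls_mode(const struct entry *acl, size_t n, bool skip_system) {
    unsigned mode = acl_mask(acl, n, skip_system) << 3;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].tag == USER_OBJ) mode |= acl[i].perm << 6;
        if (acl[i].tag == OTHER) mode |= acl[i].perm;
    }
    return mode;
}

/* chmod: named entries are limited to the new group bits (modelled as a
   bitwise AND); SYSTEM is left alone unless it is the owning group. */
void acl_chmod(struct entry *acl, size_t n, unsigned mode,
               const char *owning_group, bool skip_system) {
    bool keep_system = skip_system && strcmp(owning_group, "SYSTEM") != 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].tag == USER_OBJ) acl[i].perm = (mode >> 6) & 7;
        else if (acl[i].tag == GROUP_OBJ) acl[i].perm = (mode >> 3) & 7;
        else if (acl[i].tag == OTHER) acl[i].perm = mode & 7;
        else if (!(keep_system && is_system(&acl[i]))) acl[i].perm &= (mode >> 3) & 7;
    }
}
```

With `skip_system` false the sample yields mode 0670 (`-rw-rwx---`), and with it true 0600 (`-rw-------`), matching the two `ls -l` lines in the mail.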