On Feb 27 13:19, Corinna Vinschen wrote: > On Feb 27 09:57, Achim Gratz wrote: > > Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes: > > > Good point. Right now the group permissions are == owner permissions in > > > the case the owner and group are the same. Maybe it would be better to > > > remove all group permission bits if owner SID == group SID instead. > > > > I think that would be defendable since it is purely based on how Windows and > > POSIX treat groups and users in different ways and not an artificial > > exception that Cygwin makes on top of that. > > Come to think of it, this would also drop the requirement to enforce > primary group "Users" for the so-called "Microsoft Accounts", which have > their own SID as group SID in the user token by default. > > Hmm, I'm really warming up to this change...
Done. I uploaded a snapshot and I'm contemplating to create a test release for this change. Warren, you're the unlucky guy of the day. From our discussions in the last days I know you're using a Microsoft account. Can you please give the latest snapshot from https://cygwin.com/snapshots/ a try? When using it, you should now see your account also as group. Creating files should result in having user and group being the same, and if you chmod the file, the group permissions should not reflect the user permissions anymore: $ chmod 600 xxx $ ls -l xxx -rw------- 1 corinna corinna 0 Feb 27 10:40 xxx $ chmod 660 xxx $ ls -l xxx -rw------- 1 corinna corinna 0 Feb 27 10:40 xxx Trip hazard 1: $ chmod 250 xxx $ ls -l xxx -rwx------ 1 corinna corinna 0 Feb 27 10:40 xxx The new permissions for your account are the sum of permissions you gave yourself as user and group: user 2 == -w- group 5 == r-x ==> combined 7 == rwx Trip hazard 2: $ chmod 644 xxx $ ls -l xxx -rw-r--r-- 1 corinna corinna 0 Feb 27 10:40 xxx Funny, isn't it? The group permissions are different from the user permissions even though both are the same account. These are the "Everyone" permissions which penetrate into the group permissions due to the way the Windows ACL is evaluated: $ icacls xxx xxx VINSCHEN\corinna:(R,W,D,WDAC,WO) Everyone:(R) I didn't change that because it doesn't hurt. The case has altered (sorry the pun) if "other" has permissions the owner doesn't have: $ chmod 601 xxx $ ls -l xxx -rw------x 1 corinna corinna 0 Feb 27 10:40 xxx $ icacls xxx xxx VINSCHEN\corinna:(DENY)(S,X) VINSCHEN\corinna:(R,W,D,WDAC,WO) Everyone:(Rc,S,X,RA) I think that's really a good change. It should help in security conscious scenarios a lot. It *may* break other scenarios, but that should be rather unlikely or easy to fix. Thanks for the idea "random user". A name would be nice, though... Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat
pgpB_yqszc2GX.pgp
Description: PGP signature