Thanks for the reply. Seems we've maybe miscommunicated a bit tho. So not meaning to argue, just to try to clarify, let me try again:
None of my concern, none of my examples, were intended to involve any ACLs other than those created by Cygwin touch, chgrp, chmod, and setfacl. (setfacl only used as explicitly shown in one previously-sent example, not used at all in the below.)

I'm working in a Cygwin-mkdir'd directory that I believe has no added nor inherited grants. The logged in user is XXX, primary group YYY, distinct SIDs.

icacls .
. zzz\XXX:(F)
  zzz\YYY:(Rc,S,RA)
  Everyone:(Rc,S,RA)
  CREATOR OWNER:(OI)(CI)(IO)(F)
  CREATOR GROUP:(OI)(CI)(IO)(Rc,S,RA)
  Everyone:(OI)(CI)(IO)(Rc,S,RA)

rm x
touch x
chmod 500 x
ls -al x
-r-x------ 1 XXX YYY 0 Mar 1 11:36 x
chmod o+rwx x
icacls x
x zzz\XXX:(DENY)(S,WD,AD,WEA)
  zzz\XXX:(RX,D,WDAC,WO,WA)
  zzz\YYY:(DENY)(W,RD,REA,X)
  zzz\YYY:(Rc,S,RA)
  Everyone:(RX,W)
ls -al x
-r-x---rwx 1 XXX YYY 0 Mar 1 11:36 x

rm x
touch x
chgrp XXX x # group with same SID as user XXX
chmod 500 x
ls -al x
-r-x------ 1 XXX XXX 0 Mar 1 11:37 x
chmod o+rwx x
icacls x
x zzz\XXX:(DENY)(S,WD,AD,WEA)
  zzz\XXX:(RX,D,WDAC,WO,WA)
  Everyone:(RX,W)
ls -al x
-r-xr-xrwx 1 XXX XXX 0 Mar 1 11:37 x

I think I understand why the DENYs are present to achieve Posix behavior, and don't have any issues/concerns with that at all. The ACLs above match my expectations, I've no concern on the ACLs.

I'm only wondering if showing the group mode as r-x in the last case above is best, vs continuing to show the group as ---, the same as it appeared before the chmod o+rwx. Either seems reasonably accurate from p.o.v. of actual security since there can't be group members other than the user itself so the group can't be carrying any actual new permission for anyone. But chmod o+<whatever> having a visible impact on the group bits seems surprising.

Since the ACLs are fine, and the x00 mode cases are now showing group as --- which is what seems most helpful, this is probably not overly important for now. I'm just thinking it not likely best, an unnecessary nuance/surprise.
chmod o+<whatever> having similar impact on an actual Posix-y group mask in future would seem to me likely actually incorrect tho.
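Added illustration, not part of the original message and not Cygwin's own code: a simplified ordered-ACE walk over the two post-chmod ACLs shown above. It assumes RD, WD and X stand for r, w and x, and that each class is evaluated as its SID plus Everyone; under that model both ls results are reproduced, and the r-x group bits follow from the group SID being the owner's SID.

```python
# Assumed simplification: only rights that imply a POSIX data bit are mapped.
EXPAND = {
    "F": {"r", "w", "x"},
    "RX": {"r", "x"},
    "W": {"w"},
    "RD": {"r"},
    "WD": {"w"},
    "X": {"x"},
}

def bits(rights):
    """POSIX bits implied by a comma-separated icacls rights string."""
    out = set()
    for name in rights.split(","):
        out |= EXPAND.get(name, set())  # Rc, S, RA, D, WO, ... imply no r/w/x
    return out

def effective(acl, sids):
    """Walk ACEs in order; the first ACE naming a bit for one of `sids` decides it."""
    granted, decided = set(), set()
    for kind, sid, rights in acl:
        if sid not in sids:
            continue
        new = bits(rights) - decided
        if kind == "allow":
            granted |= new
        decided |= new
    return "".join(c if c in granted else "-" for c in "rwx")

def mode(acl, owner, group):
    """Owner, group and other classes, each evaluated as its SID plus Everyone."""
    return (effective(acl, {owner, "Everyone"})
            + effective(acl, {group, "Everyone"})
            + effective(acl, {"Everyone"}))

# ACEs transcribed from the icacls output in the message (zzz\ prefix dropped).
ACL_GROUP_YYY = [
    ("deny", "XXX", "S,WD,AD,WEA"),
    ("allow", "XXX", "RX,D,WDAC,WO,WA"),
    ("deny", "YYY", "W,RD,REA,X"),
    ("allow", "YYY", "Rc,S,RA"),
    ("allow", "Everyone", "RX,W"),
]
ACL_GROUP_XXX = [  # after chgrp XXX: no separate group ACEs remain
    ("deny", "XXX", "S,WD,AD,WEA"),
    ("allow", "XXX", "RX,D,WDAC,WO,WA"),
    ("allow", "Everyone", "RX,W"),
]

if __name__ == "__main__":
    print(mode(ACL_GROUP_YYY, "XXX", "YYY"))
    print(mode(ACL_GROUP_XXX, "XXX", "XXX"))
```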