Thanks for the reply. Seems we've maybe miscommunicated a bit tho.
So not meaning to argue, just to try to clarify, let me try again:
None of my concern, none of my examples, were intended to involve any
ACLs other than those created by Cygwin touch, chgrp, chmod, and
setfacl. (setfacl only used as explicitly shown in one
previously-sent example, not used at all in the below.) I'm working
in a Cygwin-mkdir'd directory that I believe has no added nor
inherited grants.
The logged in user is XXX, primary group YYY, distinct SIDs.
icacls .
. zzz\XXX:(F)
zzz\YYY:(Rc,S,RA)
Everyone:(Rc,S,RA)
CREATOR OWNER:(OI)(CI)(IO)(F)
CREATOR GROUP:(OI)(CI)(IO)(Rc,S,RA)
Everyone:(OI)(CI)(IO)(Rc,S,RA)
rm x
touch x
chmod 500 x
ls -al x
-r-x------ 1 XXX YYY 0 Mar 1 11:36 x
chmod o+rwx x
icacls x
x zzz\XXX:(DENY)(S,WD,AD,WEA)
zzz\XXX:(RX,D,WDAC,WO,WA)
zzz\YYY:(DENY)(W,RD,REA,X)
zzz\YYY:(Rc,S,RA)
Everyone:(RX,W)
ls -al x
-r-x---rwx 1 XXX YYY 0 Mar 1 11:36 x
rm x
touch x
chgrp XXX x # group with same SID as user XXX
chmod 500 x
ls -al x
-r-x------ 1 XXX XXX 0 Mar 1 11:37 x
chmod o+rwx x
icacls x
x zzz\XXX:(DENY)(S,WD,AD,WEA)
zzz\XXX:(RX,D,WDAC,WO,WA)
Everyone:(RX,W)
ls -al x
-r-xr-xrwx 1 XXX XXX 0 Mar 1 11:37 x
I think I understand why the DENYs are present to achieve Posix
behavior, and don't have any issues/concerns with that at all. The
ACLs above match my expectations, I've no concern on the ACLs.
I'm only wondering if showing the group mode as r-x in the last case
above is best, vs continuing to show the group as ---, the same as it
appeared before the chmod o+rwx. Either seems reasonably accurate
from p.o.v. of actual security since there can't be group members
other than the user itself so the group can't be carrying any actual
new permission for anyone. But chmod o+<whatever> having a visible
impact on the group bits seems surprising.
Since the ACLs are fine, and the x00 mode cases are now showing group
as --- which is what seems most helpful, this is probably not overly
important for now. I'm just thinking it not likely best, an
unnecessary nuance/surprise. chmod o+<whatever> having similar impact
on an actual Posix-y group mask in future would seem to me likely
actually incorrect tho.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
