On 8/23/2018 1:11 AM, Corinna Vinschen wrote:
...
No, that's a wrong assumption. Think about it. The ACL given to
acl_to_text is the binary form, so it doesn't contain user or group
names, only uids and gids. The usernames are only generated in the
output.
---
Rats. Of course, you're right.
Then I nominate the problem being that it can't convert
from domain "Unknown"-user + "Unknown"-group to something it can
store in tar. I'll try to elaborate.
lsacl is an output massager that mainly compacts output of
getfacl into a 1 line form as used by the linux chacl format
for environments where chacl was missing (like cygwin and some linux
machines). It's a fairly trivial script (attached), feel free
to do whatever w/it.
As far as duplication, I have /etc/passwd+/etc/group files that
mirror my accounts on the linux-based PDC (samba 3.x).
so when lsacl puts out:
lsacl miner.js
[u::rwx,g::rwx,o:r-x,u:Unknown+User:rwx,g:Unknown+Group:rwx,g:Administrators:rwx,g:Bliss\Domain Admins:rwx,m:rwx/] miner.js
then getfacl puts out:
getfacl miner.js
# file: miner.js
# owner: Bliss\law
# group: Bliss\Domain Admins
user::rwx
group::rwx
other:r-x
user:Unknown+User:rwx
group:Unknown+Group:rwx
group:Administrators:rwx
group:Bliss\Domain Admins:rwx
mask:rwx
or numerically:
getfacl -n miner.js
# file: miner.js
# owner: 5013
# group: 512
user::rwx
group::rwx
other:r-x
user:4294967295:rwx
group:4294967295:rwx
group:544:rwx
group:512:rwx
mask:rwx
In this case, that user+group appear to correspond
to non-existent users. (S-1-5-21-oldsystem-ID-1001 + -1005).
The domain/system part appears to be from some previous
value for the machine's "sid"? Not sure how to deliberately
reproduce that, but maybe you have a tool to create an
invalid acl entry for a user like:
Unknown+User:*:4294967295:4294967295:S-1-5-21-3457732827-2369206082-2151550420-1001
in /etc/passwd.
and something similar in /etc/group?
I can fairly easily work around it by just deleting the
invalid user/group from the GUI.
The icacls output on the file with some added line breaks
(from D:PAI to S:P was all 1 line).
miner.js
D:PAI(A;;0x1f01bf;;;S-1-5-21-33-77-33-5013)(A;;0x1201bf;;;DA)
(A;;0x1200a9;;;WD)(A;;0x1201ff;;;S-1-5-21-33-77-33-5013)
(A;;0x1201ff;;;SY)(A;;0x1201ff;;;BA)(A;;0x1200a9;;;WD)
(A;;FA;;;S-1-5-21-33-77-33-5013)
(A;;0x1201ff;;;S-1-5-21-3457732827-2369206082-2151550420-1001)
(A;;0x1201ff;;;DA)
(A;;0x1201ff;;;S-1-5-21-3457732827-2369206082-2151550420-1005)S:P
I can work around this for the small number of files that were weird, but it seems cygwin
should "more gracefully" handle such things if it can(?).
I wonder if rsync has a similar problem...yup:
rsync -aA miner.js ../testbin/
rsync: set_acl: sys_acl_set_file(miner.js, ACL_TYPE_ACCESS): Invalid argument (22)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1196) [sender=3.1.2]
#!/bin/bash
## $Id: lsacl,v 1.5 2015-08-02 10:29:25-07 law Exp $
# Version 2 -- try to work with getfacl on cygwin
#
shopt -s expand_aliases
alias int=declare\ -i sub=function string=declare

gfacl=$(type -P getfacl)

# Define and export a cygwin() predicate (true when running on Cygwin).
if ! type -f cygwin 2>/dev/null ; then
  _un_=$(type -P uname)
  if [[ $_un_ ]] ; then _os_=$($_un_ -o);
  elif [[ -e /proc/sys/kernel ]]; then _os_=Linux;
  else _os_=Cygwin;
  fi
  if [[ $_os_ =~ Cygwin ]]; then function cygwin () { return 0; }
  else function cygwin () { return 1; }
  fi
  unset _un_ _os_
  export -f cygwin
fi

# Wrap getfacl so the rest of the script can call gfacl on either platform.
if cygwin 2>/dev/null ;then
  [[ $gfacl ]] || { printf "FATAL: Cannot find getfacl in path\n"; exit 1; }
  sub gfacl () { "$gfacl" "$@"; }
else
  ## linux version has broken semantics requiring "-p"
  sub gfacl () { "$gfacl" -p "$@" ; }
fi
export -f gfacl

# Print the access and default ACLs of one file as "[access/default]".
sub facl2str {
  string fn=${1:?"Need pathname"}
  # Drop comment and blank lines, shorten user/group/mask/other to one letter.
  string s1='/^\#.*$/d; /^\s*$/d; s/\s*#.*$//;
    s/^(.)(ser|roup|ask|ther):/\1:/; y/\n/,/'
  string facl=$(gfacl -a "$fn"|sed -r "$s1"|tr "\n" ",")
  facl=${facl%,}
  string dacl=$(gfacl -d "$fn"|sed -r "s/^default://; $s1"|tr "\n" ",")
  dacl=${dacl%,}
  printf "[%s/%s]\n" "$facl" "$dacl"
}

int acllen=0 maxfnln=0
#for fn in "$@" ; do if ((maxfnln<${#fn})); then maxfnln=${#fn}; fi ; done

# Print the one-line ACL string for the pathname given as $1.
sub acl_str () {
  string fn=${1:?"Need pathname"}
  if cygwin ;then
    perm=$(facl2str "$fn")
  else
    qfn=$(printf "%q " "$fn")
    out="$(chacl -l "$fn")"
    perm="${out#$qfn}"
  fi
  printf "%s\n" "$perm"
}

for fn in "$@"; do
  int max=40
  perm=$(acl_str "$fn")
  int len=${#perm}
  # Column width: longest ACL string seen so far, capped at $max.
  if ((len>acllen)); then acllen=len; fi
  if ((acllen>max)); then acllen=max; fi
  printf "%-${acllen}s %s\n" "$perm" "$fn"
done
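
Added example, not part of the original post or of Cygwin: a POSIX sh filter that reads `getfacl -n` output and lists the entries whose numeric id is 4294967295, the value the listing above shows for Unknown+User and Unknown+Group, so affected files can be found before running tar or rsync -A. The function names and the clean.js sample are made up for illustration; the miner.js listing is the one from the post.

```shell
#!/bin/sh
# Added example: list ACL entries in `getfacl -n` output that carry the
# id 4294967295 shown in the post for Unknown+User / Unknown+Group.
UNMAPPED_ID=4294967295
# Reads `getfacl -n` output on stdin, prints "<file>: <entry>" per flagged
# entry. Exit status 0 if any was flagged, 1 otherwise. Subshell body = locals.
find_unmapped_acl_entries() (
    file="" found=1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "# file: "*) file=${line#"# file: "}; continue ;;
            "#"*|"") continue ;;
        esac
        entry=${line%%#*}                          # drop "#effective:" notes
        entry=${entry%"${entry##*[![:space:]]}"}   # trim trailing blanks
        prefix=""
        case $entry in default:*) prefix="default:"; entry=${entry#default:} ;; esac
        tag=${entry%%:*}; rest=${entry#*:}
        id=${rest%%:*};   perms=${rest#*:}
        case $tag in user|group) ;; *) continue ;; esac
        if [ "$id" = "$UNMAPPED_ID" ]; then
            printf '%s: %s%s:%s:%s\n' "$file" "$prefix" "$tag" "$id" "$perms"
            found=0
        fi
    done
    [ "$found" -eq 0 ]
)

# Sample input: the miner.js listing is from the post; clean.js is constructed.
sample_getfacl_n() {
    cat <<'EOF'
# file: miner.js
# owner: 5013
# group: 512
user::rwx
group::rwx
other:r-x
user:4294967295:rwx
group:4294967295:rwx
group:544:rwx
group:512:rwx
mask:rwx
# file: clean.js
user::rwx
group:544:r-x
other:r-x
EOF
}
sample_getfacl_n | find_unmapped_acl_entries
```

On a real tree the same filter can be fed from `getfacl -n` run over the files about to be archived; a non-zero exit status means nothing was flagged.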