This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.



Re: acl_access denies access owned by 'Everyone' group


egor duda wrote:
> 
> Hi!
> 
>   Disclaimer: I have checked this only with cvs version, but
> downloading the latest release now to verify things with it.
> 
> I have a file:
> 
> $ ls -la /usr/lib/gcc-lib/i686-pc-cygwin/3.2/specs
> $ -rw-r-----   1 duda_adm Everyone     7163 Aug 17 22:41 /usr/lib/gcc-lib/i686-pc-cygwin/3.2/specs
> $ getfacl /usr/lib/gcc-lib/i686-pc-cygwin/3.2/specs
> # file: /usr/lib/gcc-lib/i686-pc-cygwin/3.2/specs
> # owner: 1291
> # group: 0
> user::rw-
> group::r--
> mask::r--
> other::---
> $ grep Everyone /etc/group
> Everyone:S-1-1-0:0:duda,duda_admin
> 
> It's owned by a different user (I'm currently logged on as 'duda'), but
> 'r' right to Everyone group which I belong to should give me the right
> to access the file.
> 
> running gcc, though, shows this in strace
> 
>    74  213690 [main] gcc 327 path_conv::check: root_dir(e:\), this->path(e:\unix\usr\lib\gcc-lib\i686-pc-cygwin\3.2\specs), set_has_acls(8)
>    75  213765 [main] gcc 327 read_sd: file = e:\unix\usr\lib\gcc-lib\i686-pc-cygwin\3.2\specs
>   145  213910 [main] gcc 327 read_sd: file = e:\unix\usr\lib\gcc-lib\i686-pc-cygwin\3.2\specs: len=0
>   147  214057 [main] gcc 327 getacl: 4 = getacl (e:\unix\usr\lib\gcc-lib\i686-pc-cygwin\3.2\specs)
>   383  214440 [main] gcc 327 __set_errno: int acl_access(const char*, int):458 val 13
> 
> and gcc ignores this file and tries to look for specs further.
> 
> Is it an error in my setup or something wrong with recent ntsec
> changes, which, I saw, affected handling of Everyone group?
> 
> If time allows, I'll certainly try to debug this further.
> 
> egor.            mailto:deo@logos-m.ru icq 5165414 fidonet 2:5020/496.19

I believe it's caused by recent ntsec changes that do not include the Everyone
group in the list of groups you belong to (everybody is automatically in the
Everyone group, it's not a matter of choice). Parenthetically, the entry
in /etc/group is not taken into account by Cygwin (except when you setuid to
duda). Cygwin relies on the groups that Windows puts in your access token when
you log in.

But I also believe your setup is nonsensical. It makes no sense to have a
file in the Everyone group. Everyone is already used in the file ACL to
record access rights for "other". If the group is Everyone, there is no
way to distinguish between "group" rights and "other" rights. Note that 
as a side effect "other" is shown as having no access to the file. 
See my recent e-mail in the cygwin-patches list.

Because of the impossibility to distinguish between "group" and "other" access
in such a case, there is no way to handle the situation "correctly". 
To err in the direction of not rejecting access in typical cases, the lines
(around 320 in sec_acl.cc)
 else if (ace_sid == group_sid)
 <snip>
 else if (ace_sid == well_known_world_sid)
could be interchanged.

Pierre
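
The ordering issue discussed in this message, as an added example in a simplified model (not Cygwin's sec_acl.cc and not code from the thread). The struct and function names, the owner and caller SIDs, and the single Everyone ACE are assumptions made for illustration; with the group branch tested first the mapping reproduces the getfacl output quoted above (group::r--, other::---).

```cpp
#include <cstdio>
#include <string>
#include <vector>

struct Ace { std::string sid; int perms; };        // allow ACE: SID plus rwx bits
struct PosixAcl { int user = 0, group = 0, other = 0; };
const std::string WORLD_SID = "S-1-1-0";           // Everyone

// Map each ACE to exactly one POSIX class with an else-if chain.
// world_first selects which of the two branches from the message is tested first.
PosixAcl map_aces(const std::vector<Ace>& aces, const std::string& owner_sid,
                  const std::string& group_sid, bool world_first) {
    PosixAcl acl;
    for (const Ace& a : aces) {
        if (a.sid == owner_sid) acl.user |= a.perms;
        else if (world_first) {
            if (a.sid == WORLD_SID) acl.other |= a.perms;
            else if (a.sid == group_sid) acl.group |= a.perms;
        } else {
            if (a.sid == group_sid) acl.group |= a.perms;
            else if (a.sid == WORLD_SID) acl.other |= a.perms;
        }
    }
    return acl;
}

// POSIX-style check: owner class, then group class if the caller's group list
// contains the file's group, otherwise the "other" class.
bool may_access(const PosixAcl& acl, const std::string& owner_sid,
                const std::string& group_sid, const std::string& caller,
                const std::vector<std::string>& caller_groups, int want) {
    if (caller == owner_sid) return (acl.user & want) == want;
    for (const std::string& g : caller_groups)
        if (g == group_sid) return (acl.group & want) == want;
    return (acl.other & want) == want;
}

// Constructed case from the thread: mode 0640, file group Everyone, caller is
// not the owner and Everyone is missing from the caller's group list.
bool thread_case_readable(bool world_first) {
    const std::string owner = "S-1-5-21-0-0-0-1291";   // constructed SID
    const std::string caller = "S-1-5-21-0-0-0-1000";  // constructed SID
    std::vector<Ace> aces = {{owner, 6}, {WORLD_SID, 4}};
    std::vector<std::string> groups = {"S-1-5-32-545"}; // no Everyone entry
    PosixAcl acl = map_aces(aces, owner, WORLD_SID, world_first);
    return may_access(acl, owner, WORLD_SID, caller, groups, 4);
}

int main() {
    std::printf("group first: %d, world first: %d\n",
                thread_case_readable(false), thread_case_readable(true));
}
```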

