ACL inheritance problem

Larry Hall (Cygwin Developers) lhall@cygwin.com
Sun Nov 1 02:26:00 GMT 2009 

On 10/30/2009 03:59 PM, Corinna Vinschen wrote:
> On Oct 30 14:35, Corinna Vinschen wrote:
>> 1. Revert the change I'm talking about in
>>     http://cygwin.com/ml/cygwin/2009-10/msg00598.html and forget
>>     ACL inheritance for now.
>>
>>     Drawbacks:
>>     - Incorrect.
>>     - No ACL inheritance.
>>     - Doesn't help for native Win32 apps which will continue to create
>>       files with a DACL containing SYSTEM and the Logon session SID.
>>
>> 2. After the file has been created, the set_file_attribute function is
>>     called anyway to set the POSIX permissions.  The DACL is fetched from
>>     the file and used for certain tests.  An additional test would be to
>>     check if the DACL contains ACEs which are not inherited from the
>>     parent, and are not one of the user SID, the group SID, or the
>>     everyone SID.  Such an ACE must have been part of the default DACL
>>     and can simply not written back to the file's DACL.
>>
>>     Drawbacks:
>>     - Must use GetSecurityInfo instead of NtQuerySecurityObject, otherwise
>>       inheritance info is missing.
>>     - Doesn't help for native Win32 apps which will continue to create
>>       files with a DACL containing SYSTEM and the Logon session SID.
>>
>> 3. Change the default DACL for the Cygwin process temporarily to NULL
>>     every time we call NtCreateFile to avoid extraneous ACL entries.
>>
>>     Drawbacks:
>>     - The cost of calling SetTokenInformation twice per file creation.
>>     - Doesn't help for native Win32 apps which will continue to create
>>       files with a DACL containing SYSTEM and the Logon session SID.
>>
>> 4. Re-enable (I disabled this code back in February) the code which
>>     always creates directories with inherit-only CREATOR OWNER and
>>     CREATOR GROUP entries.  That means, if I create a file in such a
>>     directory, it will create default owner/group entries since the
>>     parent directory has inheritable permissions.  The default DACL is no
>>     problem anymore.  Native Win32 processes will create files using the
>>     same inherited permissions.
>>
>>     Drawbacks:
>>     - As in 1.5 times, directories are always created with extra ACEs,
>>       so every directory has a '+' in the `ls -l' output.
>>     - This only helps for newly created directories.  Creating files
>>       in existing directories will continue to suffer from the described
>>       problem.
>>     - setup-1.7.exe would have to be changed as well, since right now
>>       it creates plain, non-inheritable POSIX permissions for directories.
>>
>> I'm a bit at a loss to decide what's the best solution.  I'm leaning to
>> solution 2 because it's the least extra processing.  OTOH, it's probably
>> not really nice to shrug away native Win32 processes, so maybe
>> additionally re-enabling the Cygwin part of solution 4 would produce
>> less trouble in the long run.
>
> I've applied a patch to implement #2 above.  I'd still be interested
> if anybody thinks it's a good idea to re-enable the #4 code and, maybe,
> to tweak setup to generated inheritable CREATOR OWNER and CREATOR GROUP
> entries to be more friendly to Win32 applications.  Not even Interix is
> doing that, but they can excuse themselves by being their own POSIX
> subsystem rather than running in the Win32 subsystem.

I still like the idea of #4, if we're voting. :-)

-- 
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?

More information about the Cygwin-developers mailing list