Date: Wed, 10 Feb 2016 13:19:32 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: Issues with ACL settings after updating to the latest cygwin.dll
Message-ID: <20160210121932.GE15391@calimero.vinschen.de>
In-Reply-To: <20160210115506.GB15391@calimero.vinschen.de>

On Feb 10 12:55, Corinna Vinschen wrote:
> On Feb  9 20:53, xnor wrote:
> > Here is what I would expect:
> > MyUser is in the group Administrators. Given the inherited permissions above
> > a Windows-created file should be shown as "-rwxrwxr--+ MyUser
> > Administrators"?
>
> Sorry, can't do that, *unless* you make "Administrators" the primary
> group in your user token(*).  Even though your account is *member* of
> the Administrators group, the group is *never* your primary group per
> Windows.  All local accounts, independently of their group memberships,
> have the group "None" as their primary group.  That's how Windows works,
> and that hasn't changed since at least NT4.
>
> Unless, of course, if you use a so-called "Windows account", one of
> those accounts which you login with using your email address (was that
> introduced with Windows 8?  I'm not sure).  In that case, the primary
> group in your user token is set to your user account itself.  So your
> primary group SID is your own user SID.  Duh!
>
>
> Corinna
>
> (*) There *is* a way to do that, but only inside Cygwin, see
>     https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-passwdinfo

Oh, and if it's not clear how this works under the hood, it's like this:

The Windows user token contains a couple of SID entries:

- The "user" SID
- The "owner" SID (user and owner are not necessarily the same, but,
  never mind)
- The primary group SID (which, it has to be said, is meaningless in
  the Windows context and only kept for POSIX compatibility)
- A list of group SIDs the user is member in.

For a local account, the primary group SID is set to "None", the local
group with RID 513.  For domain accounts this is typically the group
"Domain Users", the domain account with RID 513 (hmm...).

However, every process is allowed to switch the primary group entry of
its user token to *any* group mentioned in the group list, *or* even to
its user or owner SID.

If you use the aforementioned method to change the primary group, what
happens is that the first Cygwin process in a process chain changes the
primary group in its user token.  If the new group is in the token's
group list, this will work.  Child processes inherit the user token from
their parent process, so there's no reason to change the primary group
again in a process tree.  Since that's a Windows property, this also
works for non-Cygwin child processes.

With the Administrators group there's a complication.  If you're running
a normal shell, it's running under UAC control.  UAC restricts the user
token of an admin user so that the admins group in the token group list
is "crippled":  The admins SID is still in the list, but with a flag
"DENY ONLY".  You're kind of not in the Administrators group anymore.
Only if an access check is performed, and the Admins group is denied
access to some object, this membership kicks in and denies the access.

HTH,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
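
The token behaviour described in the message above, as an added example that is not part of the original mail and is neither Cygwin nor Windows code: a simplified Python model of the primary-group switch, token inheritance, and how a "DENY ONLY" group entry behaves in an access check. The `Token` class, the `access_check` function, the machine and user SIDs, and the reduction of the DACL walk to a single access right are assumptions made for illustration.

```python
from dataclasses import dataclass

ENABLED, DENY_ONLY = "enabled", "deny-only"    # simplified group attributes

@dataclass
class Token:
    user: str
    owner: str
    primary_group: str
    groups: dict                               # group SID -> attribute

    def set_primary_group(self, sid):
        # Rule as stated in the mail: any SID in the group list, or the
        # user or owner SID. Deny-only entries get no special handling here.
        if sid not in self.groups and sid not in (self.user, self.owner):
            raise PermissionError(f"{sid} is not in this token")
        self.primary_group = sid

    def spawn(self):
        # A child process inherits a copy of the parent's token.
        return Token(self.user, self.owner, self.primary_group, dict(self.groups))

def access_check(token, dacl):
    """Walk (kind, sid) ACEs in order for one right; default is no access."""
    for kind, sid in dacl:
        attr = ENABLED if sid == token.user else token.groups.get(sid)
        if attr is None:
            continue                           # SID not in the token at all
        if kind == "deny":
            return False                       # matches enabled and deny-only SIDs
        if kind == "allow" and attr == ENABLED:
            return True                        # deny-only SIDs never grant access
    return False

def demo():
    machine = "S-1-5-21-1-2-3"                 # constructed machine SID
    user, none = f"{machine}-1001", f"{machine}-513"
    users, admins = "S-1-5-32-545", "S-1-5-32-544"
    filtered = Token(user, user, none, {none: ENABLED, users: ENABLED, admins: DENY_ONLY})
    elevated = Token(user, user, none, {none: ENABLED, users: ENABLED, admins: ENABLED})
    filtered.set_primary_group(users)          # done once, by the first process
    child = filtered.spawn()
    return {
        "child_primary_is_users": child.primary_group == users,
        "filtered_allow_admins": access_check(filtered, [("allow", admins)]),
        "elevated_allow_admins": access_check(elevated, [("allow", admins)]),
        "filtered_deny_admins": access_check(filtered, [("deny", admins), ("allow", users)]),
    }
```
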