Hi Corinna,

Yes, sorry, setfacl again ...

Now, I am NOT an expert on Windows (I do not want to be), and I realize that I
am in the company of experts on Windows (on Windows ACL) here, so it is
inevitable that I will be out of my league below, and speak "erroneously"
about Windows ACL.

Nevertheless, the reason for my post is that setfacl FAILS where chmod
SUCCEEDS ...

Over the years (XP) my "Posix" trees (Cygwin) looked like this:
@@ uname -a
CYGWIN_NT-6.1-WOW Seven 1.7.35(0.286/5/3) 2015-02-12 20:59 i686 Cygwin
@@ mkdir T
@@ icacls T                         @@ getfacl T          @@ ls -ld T
T Seven\Henri:(F)                   # file: T             drwxr-xr-x+ 1 Henri None 0 ... T
  Seven\None:(RX)                   # owner: Henri
  Everyone:(RX)                     # group: None
  CREATOR OWNER:(OI)(CI)(IO)(F)     user::rwx
  CREATOR GROUP:(OI)(CI)(IO)(RX)    group::r-x
  Everyone:(OI)(CI)(IO)(RX)         other:r-x
                                    default:user::rwx
                                    default:group::r-x
                                    default:other:r-x
@@ touch T/aap
@@ icacls T/aap                     @@ getfacl T/aap      @@ ls -l T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)   # file: T/aap         -rw-r--r-- 1 Henri None 0 ... T/aap
      Seven\None:(R)                # owner: Henri
      Everyone:(R)                  # group: None
                                    user::rw-
                                    group::r--
                                    other:r--
@@ chmod 755 T/aap
@@ icacls T/aap                     @@ getfacl T/aap      @@ ls -l T/aap
T/aap Seven\Henri:(M,WDAC,WO)       # file: T/aap         -rwxr-xr-x 1 Henri None 0 ... T/aap
      Seven\None:(RX)               # owner: Henri
      Everyone:(RX)                 # group: None
                                    user::rwx
                                    group::r-x
                                    other:r-x

This "standard" has served me well ... I did not have to fight with mkdir,
chmod, etc ... And the occasional Windows generated file did not fall "out of
tune" too much.

Moreover, after extraction of a .zip file in one of my "Posix" directories, it
was fairly easy to reset the permissions of the extracted files (and
directories), using setfacl.

Currently, using this procedure, setfacl fails ...

My investigation into the cause of this failure eventually led me to simple
test cases in which setfacl fails, but where chmod succeeds.
(more details, if needed, in attached files)

Basically, setfacl removes "write attributes" from the file owner (where chmod
does not).
(also: setfacl makes the creator owner lose rights -- in comparison to chmod)

RFC :-)
Henri
----- setfacl/file
@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ touch T/aap
@@ setfacl -s u::r--,g::r--,o:r-- T/aap
@@ setfacl -s u::rw-,g::r--,o:r-- T/aap
setfacl: Permission denied
@@ chmod 644 T/aap
chmod: changing permissions of T/aap: Permission denied
@@ touch T/aap
touch: cannot touch T/aap: Permission denied
@@ rm T/aap
/bin/rm: remove write-protected regular empty file T/aap? y
@@ ls -l T/aap
ls: cannot access T/aap: No such file or directory
@@
----- chmod/file
@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ touch T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
Seven\None:(R)
Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@ chmod u-w T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,D,WDAC,WO,WA) # <==== Note: lost W, but got WA instead ... (setfacl fails here)
Seven\None:(R)
Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@ chmod u+w T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
Seven\None:(R)
Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@ touch aap
@@
----- setfacl/directory
@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@ setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
setfacl: Permission denied
@@ chmod 755 T
chmod: changing permissions of T: Permission denied
@@ rmdir T
@@ ls -ld T
ls: cannot access T: No such file or directory
----- chmod/directory
@@ pwd
/drv/e
@@ mkdir T
@@ chmod u-w T
@@ icacls T
T Seven\Henri:(RX,D,WDAC,WO,WA) # <==== Note: lost W, but got WA instead ... (setfacl fails here)
Seven\None:(RX)
Everyone:(RX)
CREATOR OWNER:(OI)(CI)(IO)(F)
CREATOR GROUP:(OI)(CI)(IO)(RX)
Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@ chmod u+w T
@@ icacls T
T Seven\Henri:(F)
Seven\None:(RX)
Everyone:(RX)
CREATOR OWNER:(OI)(CI)(IO)(F)
CREATOR GROUP:(OI)(CI)(IO)(RX)
Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@
=====
setfacl sucks ...
List of commands:
- mkdir T
- touch T/aap
- setfacl -s u::r--,g::r--,o:r-- T/aap ## inadvertently removes "write attributes" from the file owner
- setfacl -s u::rw-,g::r--,o:r-- T/aap # denied
- chmod 644 T/aap # denied ... Euh? Why, why, why ?????
- touch T/aap # denied
- rm T/aap
- ls -l T/aap
Summary: setfacl fails to reinstate 'write access' to file (in contrast to chmod)
Diagnostics: -- request for comments (RFC)
- setfacl should NOT remove "write attributes" from the FILE OWNER (chmod does not)
- chmod u-w <file> ONLY
  - removes create file/write data
  - removes create folders/append data
  - removes write extended attributes
  from the FILE OWNER
Also applies to setfacl -b
@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ touch T/aap
@@ setfacl -s u::r--,g::r--,o:r-- T/aap
@@ setfacl -s u::rw-,g::r--,o:r-- T/aap
setfacl: Permission denied
@@ chmod 644 T/aap
chmod: changing permissions of ‘T/aap’: Permission denied
@@ touch T/aap
touch: cannot touch ‘T/aap’: Permission denied
@@ rm T/aap
/bin/rm: remove write-protected regular empty file ‘T/aap’? y
@@ ls -l T/aap
ls: cannot access T/aap: No such file or directory
@@
-----
@@# pwd # bash ELEVATED
/drv/e
@@# mkdir T
@@# touch T/aap
@@# setfacl -s u::r--,g::r--,o:r-- T/aap
@@# icacls T/aap
T/aap Seven\Henri:(R,D,WDAC,WO)
Seven\None:(R)
Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@# setfacl -s u::rw-,g::r--,o:r-- T/aap
@@# icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
Seven\None:(R)
Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@#
----- same sequence of commands, using icacls to diagnose
@@ pwd
/drv/e
@@ icacls .
. Seven\Henri:(F)
Seven\None:(RX)
Everyone:(RX)
Everyone:(OI)(CI)(IO)(RX)
CREATOR OWNER:(OI)(CI)(IO)(F)
CREATOR GROUP:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@ mkdir T
@@ icacls T
T Seven\Henri:(F)
Seven\None:(RX)
Everyone:(RX)
CREATOR OWNER:(OI)(CI)(IO)(F)
CREATOR GROUP:(OI)(CI)(IO)(RX)
Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@ touch T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
Seven\None:(R)
Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@ setfacl -s u::r--,g::r--,o:r-- T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,D,WDAC,WO) # <==== Note: lost W, but failed to get WA instead (chmod does!)
Seven\None:(R)
Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@ setfacl -s u::rw-,g::r--,o:r-- T/aap
setfacl: Permission denied
@@ chmod 644 T/aap
chmod: changing permissions of ‘T/aap’: Permission denied
@@ touch T/aap
touch: cannot touch ‘T/aap’: Permission denied
@@ icacls T
T Seven\Henri:(F)
Seven\None:(RX)
Everyone:(RX)
CREATOR OWNER:(OI)(CI)(IO)(F)
CREATOR GROUP:(OI)(CI)(IO)(RX)
Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@ rm T/aap
/bin/rm: remove write-protected regular empty file ‘T/aap’? y
@@ ls -l T/aap
ls: cannot access T/aap: No such file or directory
@@
----- same sequence of commands, but now using Helge Klein's SetACL to diagnose
- https://helgeklein.com/setacl
@@ pwd
/drv/e
@@ hk-getfacl.sh .
Privilege 'Back up files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled.
SetACL's powers are restricted. Better run SetACL with admin rights.
E://.
DACL(protected):
Seven\Henri full allow no_inheritance
Seven\None read_execute allow no_inheritance
Everyone read_execute allow no_inheritance
Everyone read_execute allow
container_inherit+object_inherit+inherit_only
CREATOR OWNER full allow container_inherit+object_inherit+inherit_only
CREATOR GROUP read_execute allow
container_inherit+object_inherit+inherit_only
SetACL finished successfully.
@@ mkdir T
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled.
SetACL's powers are restricted. Better run SetACL with admin rights.
E://T
DACL(protected):
Seven\Henri full allow no_inheritance
Seven\None read_execute allow no_inheritance
Everyone read_execute allow no_inheritance
CREATOR OWNER full allow container_inherit+object_inherit+inherit_only
CREATOR GROUP read_execute allow
container_inherit+object_inherit+inherit_only
Everyone read_execute allow
container_inherit+object_inherit+inherit_only
SetACL finished successfully.
@@ touch T/aap
@@ hk-getfacl.sh T/aap
Privilege 'Back up files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled.
SetACL's powers are restricted. Better run SetACL with admin rights.
E://T/aap
DACL(protected):
Seven\Henri write+read+WRITE_OWNER+WRITE_DAC+DELETE allow
no_inheritance
Seven\None read allow no_inheritance
Everyone read allow no_inheritance
SetACL finished successfully.
@@ setfacl -s u::r--,g::r--,o:r-- T/aap
@@ hk-getfacl.sh T/aap
Privilege 'Back up files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled.
SetACL's powers are restricted. Better run SetACL with admin rights.
E://T/aap
DACL(protected):
Seven\Henri read+WRITE_OWNER+WRITE_DAC+DELETE allow no_inheritance
Seven\None read allow no_inheritance
Everyone read allow no_inheritance
Note: Seven\Henri: lost write, but failed to get FILE_WRITE_ATTRIBUTES instead (chmod does!)
SetACL finished successfully.
@@ setfacl -s u::rw-,g::r--,o:r-- T/aap
setfacl: Permission denied
@@ chmod 644 T/aap
chmod: changing permissions of ‘T/aap’: Permission denied
@@ touch T/aap
touch: cannot touch ‘T/aap’: Permission denied
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled.
SetACL's powers are restricted. Better run SetACL with admin rights.
E://T
DACL(protected):
Seven\Henri full allow no_inheritance
Seven\None read_execute allow no_inheritance
Everyone read_execute allow no_inheritance
CREATOR OWNER full allow container_inherit+object_inherit+inherit_only
CREATOR GROUP read_execute allow
container_inherit+object_inherit+inherit_only
Everyone read_execute allow
container_inherit+object_inherit+inherit_only
SetACL finished successfully.
@@ rm T/aap
/bin/rm: remove write-protected regular empty file ‘T/aap’? y
@@ ls -l T/aap
ls: cannot access T/aap: No such file or directory
@@
=====
chmod rocks!
List of commands:
- mkdir T
- touch T/aap
- chmod u-w T/aap
- chmod u+w T/aap
- touch T/aap
Summary: chmod is able to remove 'write access', and reinstate it subsequently, in contrast to setfacl
@@ pwd
/drv/e
@@ mkdir T
@@ touch T/aap
@@ chmod u-w T/aap
@@ chmod u+w T/aap
@@ touch T/aap
----- same sequence of commands
@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ touch T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
Seven\None:(R)
Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@ chmod u-w T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,D,WDAC,WO,WA) # <==== Note: lost W, but got WA instead ... (setfacl fails here)
Seven\None:(R)
Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@ chmod u+w T/aap
@@ icacls T/aap
T/aap Seven\Henri:(R,W,D,WDAC,WO)
Seven\None:(R)
Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
@@ touch aap
@@
----- same sequence of commands, but now using Helge Klein's SetACL to diagnose
- https://helgeklein.com/setacl
@@ pwd
/drv/e
@@ mkdir T
@@ touch T/aap
@@ hk-getfacl.sh T/aap
Privilege 'Back up files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled.
SetACL's powers are restricted. Better run SetACL with admin rights.
E://T/aap
DACL(protected):
Seven\Henri write+read+WRITE_OWNER+WRITE_DAC+DELETE allow
no_inheritance
Seven\None read allow no_inheritance
Everyone read allow no_inheritance
SetACL finished successfully.
@@ chmod u-w T/aap
@@ hk-getfacl.sh T/aap
Privilege 'Back up files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled.
SetACL's powers are restricted. Better run SetACL with admin rights.
E://T/aap
DACL(protected):
Seven\Henri read+FILE_WRITE_ATTRIBUTES+WRITE_OWNER+WRITE_DAC+DELETE
allow no_inheritance
Seven\None read allow no_inheritance
Everyone read allow no_inheritance
Note: Seven\Henri: lost write, but got FILE_WRITE_ATTRIBUTES instead ... (setfacl fails here)
SetACL finished successfully.
@@ chmod u+w T/aap
@@ hk-getfacl.sh T/aap
Privilege 'Back up files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled.
SetACL's powers are restricted. Better run SetACL with admin rights.
E://T/aap
DACL(protected):
Seven\Henri write+read+WRITE_OWNER+WRITE_DAC+DELETE allow
no_inheritance
Seven\None read allow no_inheritance
Everyone read allow no_inheritance
SetACL finished successfully.
@@ touch T/aap
@@
=====
setfacl sucks ...
List of commands:
- mkdir T
- setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T ## inadvertently removes "write attributes" from the file owner
- setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T # denied
- chmod 755 T # denied ... Euh? What?
- rmdir T
- ls -ld T
Summary: setfacl fails to reinstate 'write access' to directory (in contrast to chmod)
Diagnostics: -- request for comments (RFC)
- setfacl should NOT remove "write attributes" from the FILE OWNER (chmod does not)
- chmod u-w <directory> ONLY
  - removes create files/ create folders
  - removes write data/ append data
  - removes write extended attributes
  - removes delete subfolders and files
  from the FILE OWNER
- setfacl should ALSO NOT remove delete, change permissions, take ownership
  from the CREATOR OWNER (chmod does not)
Also applies to setfacl -b (and setfacl -k for the file owner)
@@ pwd # bash NOT elevated
/drv/e
@@ mkdir T
@@ setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@ setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
setfacl: Permission denied
@@ chmod 755 T
chmod: changing permissions of ‘T’: Permission denied
@@ rmdir T
@@ ls -ld T
ls: cannot access T: No such file or directory
-----
@@# pwd # bash elevated
/drv/e
@@# mkdir T
@@# icacls T
T Seven\Henri:(F)
Seven\None:(RX)
Everyone:(RX)
CREATOR OWNER:(OI)(CI)(IO)(F)
CREATOR GROUP:(OI)(CI)(IO)(RX)
Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@# setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@# setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@# icacls T
T Seven\Henri:(F)
Seven\None:(RX)
Everyone:(RX)
CREATOR OWNER:(OI)(CI)(IO)(RX,W,DC) # <=====
CREATOR GROUP:(OI)(CI)(IO)(RX)
Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@#
----- same sequence of commands, using icacls to diagnose
@@ pwd
/drv/e
@@ icacls .
. Seven\Henri:(F)
Seven\None:(RX)
Everyone:(RX)
Everyone:(OI)(CI)(IO)(RX)
CREATOR OWNER:(OI)(CI)(IO)(F)
CREATOR GROUP:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@ mkdir T
@@ icacls T
T Seven\Henri:(F)
Seven\None:(RX)
Everyone:(RX)
CREATOR OWNER:(OI)(CI)(IO)(F)
CREATOR GROUP:(OI)(CI)(IO)(RX)
Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@ setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@ icacls T
T Seven\Henri:(RX,D,WDAC,WO) # <==== Note: lost W, but failed to get WA instead (chmod does!)
Seven\None:(RX)
Everyone:(RX)
CREATOR OWNER:(OI)(CI)(IO)(RX,W,DC)
CREATOR GROUP:(OI)(CI)(IO)(RX)
Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@ setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
setfacl: Permission denied
@@
----- same sequence of commands, but now using Helge Klein's SetACL to diagnose
- https://helgeklein.com/setacl
@@ pwd
/drv/e
@@ hk-getfacl.sh .
Privilege 'Back up files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled.
SetACL's powers are restricted. Better run SetACL with admin rights.
E://.
DACL(protected):
Seven\Henri full allow no_inheritance
Seven\None read_execute allow no_inheritance
Everyone read_execute allow no_inheritance
Everyone read_execute allow
container_inherit+object_inherit+inherit_only
CREATOR OWNER full allow container_inherit+object_inherit+inherit_only
CREATOR GROUP read_execute allow
container_inherit+object_inherit+inherit_only
SetACL finished successfully.
@@ mkdir T
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled.
SetACL's powers are restricted. Better run SetACL with admin rights.
E://T
DACL(protected):
Seven\Henri full allow no_inheritance
Seven\None read_execute allow no_inheritance
Everyone read_execute allow no_inheritance
CREATOR OWNER full allow container_inherit+object_inherit+inherit_only
CREATOR GROUP read_execute allow
container_inherit+object_inherit+inherit_only
Everyone read_execute allow
container_inherit+object_inherit+inherit_only
SetACL finished successfully.
@@ setfacl -s u::r-x,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled.
SetACL's powers are restricted. Better run SetACL with admin rights.
E://T
DACL(protected):
Seven\Henri read_execute+WRITE_OWNER+WRITE_DAC+DELETE allow
no_inheritance
Seven\None read_execute allow no_inheritance
Everyone read_execute allow no_inheritance
CREATOR OWNER read_execute+write+FILE_DELETE_CHILD allow
container_inherit+object_inherit+inherit_only
CREATOR GROUP read_execute allow
container_inherit+object_inherit+inherit_only
Everyone read_execute allow
container_inherit+object_inherit+inherit_only
Note: Seven\Henri: lost write, but failed to get FILE_WRITE_ATTRIBUTES instead (chmod does!)
SetACL finished successfully.
@@ setfacl -s u::rwx,g::r-x,o:r-x,d:u::rwx,d:g::r-x,d:o:r-x T
setfacl: Permission denied
@@
=====
chmod rocks!
List of commands:
- mkdir T
- chmod u-w T
- chmod u+w T
- touch T/aap
Summary: chmod is able to remove 'write access', and reinstate it subsequently, in contrast to setfacl
@@ pwd
/drv/e
@@ mkdir T
@@ chmod u-w T
@@ chmod u+w T
@@ touch T/aap
----- same sequence of commands
@@ pwd
/drv/e
@@ mkdir T
@@ chmod u-w T
@@ icacls T
T Seven\Henri:(RX,D,WDAC,WO,WA) # <==== Note: lost W, but got WA instead ... (setfacl fails here)
Seven\None:(RX)
Everyone:(RX)
CREATOR OWNER:(OI)(CI)(IO)(F)
CREATOR GROUP:(OI)(CI)(IO)(RX)
Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@ chmod u+w T
@@ icacls T
T Seven\Henri:(F)
Seven\None:(RX)
Everyone:(RX)
CREATOR OWNER:(OI)(CI)(IO)(F)
CREATOR GROUP:(OI)(CI)(IO)(RX)
Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
@@
----- same sequence of commands, but now using Helge Klein's SetACL to diagnose
- https://helgeklein.com/setacl
@@ pwd
/drv/e
@@ mkdir T
@@ chmod u-w T
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled.
SetACL's powers are restricted. Better run SetACL with admin rights.
E://T
DACL(protected):
Seven\Henri
read_execute+FILE_WRITE_ATTRIBUTES+WRITE_OWNER+WRITE_DAC+DELETE allow
no_inheritance
Seven\None read_execute allow no_inheritance
Everyone read_execute allow no_inheritance
CREATOR OWNER full allow container_inherit+object_inherit+inherit_only
CREATOR GROUP read_execute allow
container_inherit+object_inherit+inherit_only
Everyone read_execute allow
container_inherit+object_inherit+inherit_only
Note: Seven\Henri: lost write, but got FILE_WRITE_ATTRIBUTES instead ... (setfacl fails here)
SetACL finished successfully.
@@ chmod u+w T
@@ hk-getfacl.sh T
Privilege 'Back up files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Restore files and directories' could not be enabled. SetACL's powers
are restricted. Better run SetACL with admin rights.
Privilege 'Take ownership of files or other objects' could not be enabled.
SetACL's powers are restricted. Better run SetACL with admin rights.
E://T
DACL(protected):
Seven\Henri full allow no_inheritance
Seven\None read_execute allow no_inheritance
Everyone read_execute allow no_inheritance
CREATOR OWNER full allow container_inherit+object_inherit+inherit_only
CREATOR GROUP read_execute allow
container_inherit+object_inherit+inherit_only
Everyone read_execute allow
container_inherit+object_inherit+inherit_only
SetACL finished successfully.
@@
=====
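
Added example, not part of the original post: a Python check for the state the transcripts above show, where the owner's ACE has lost W without gaining WA. The icacls text is copied from the post's dumps; the function names and the set of icacls abbreviations treated as carrying FILE_WRITE_ATTRIBUTES (F, M, W, WA) are this example's assumptions.

```python
import re

# Assumption of this example: icacls shorthand whose access mask contains
# FILE_WRITE_ATTRIBUTES is F (full), M (modify), W (write) and WA itself.
GRANTS_WRITE_ATTRS = {"F", "M", "W", "WA"}

# "<principal>:(flag)(flag)(rights)"; anything after the groups is ignored.
ACE_RE = re.compile(r"^(?P<who>[^:(]+):(?P<groups>(?:\([^)]*\))+)")


def parse_icacls(text, path):
    """Return [(principal, inherit_flags, rights)] from `icacls <path>` output."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path + " "):      # first line is prefixed by the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                          # blank or "Successfully processed ..."
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        flags = set(groups[:-1])              # e.g. OI, CI, IO
        rights = set(groups[-1].split(","))   # last group holds the rights
        aces.append((m.group("who").strip(), flags, rights))
    return aces


def can_write_attributes(aces, principal):
    """True if an ACE applying to the object itself grants write attributes."""
    for who, flags, rights in aces:
        if who.lower() != principal.lower():
            continue
        if "IO" in flags or "DENY" in flags:  # inherit-only or deny: no grant here
            continue
        if rights & GRANTS_WRITE_ATTRS:
            return True
    return False


# icacls dumps taken from the post's transcripts.
AFTER_CHMOD = r"""T/aap Seven\Henri:(R,D,WDAC,WO,WA)
      Seven\None:(R)
      Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
"""
AFTER_SETFACL = r"""T/aap Seven\Henri:(R,D,WDAC,WO)
      Seven\None:(R)
      Everyone:(R)
Successfully processed 1 files; Failed processing 0 files
"""
DIR_AFTER_SETFACL = r"""T Seven\Henri:(RX,D,WDAC,WO)
  Seven\None:(RX)
  Everyone:(RX)
  CREATOR OWNER:(OI)(CI)(IO)(RX,W,DC)
  CREATOR GROUP:(OI)(CI)(IO)(RX)
  Everyone:(OI)(CI)(IO)(RX)
Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    owner = r"Seven\Henri"
    for label, text, path in [("chmod u-w T/aap", AFTER_CHMOD, "T/aap"),
                              ("setfacl -s ... T/aap", AFTER_SETFACL, "T/aap"),
                              ("setfacl -s ... T", DIR_AFTER_SETFACL, "T")]:
        ok = can_write_attributes(parse_icacls(text, path), owner)
        print(f"{label}: owner {'keeps' if ok else 'LACKS'} write attributes")
```

Run against `icacls` output captured after a bulk `setfacl`, it flags the files and directories whose owner ACE is in the state the post reports.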