I have been using Cygwin for a long, long time.  That said, I would have to admit there is a good deal about the architecture and infrastructure I have never really investigated which is a huge compliment to those of you who maintain this wonderful framework. It mostly just works reliably and I've seldom needed to look beneath the covers.

I am now, however, having major difficulties which are attributable to two fundamental changes in my environment, so let me first state what that is.  I have my private, in-home network configured to share multiple workstations and laptops via Ethernet or Wifi using SMB/CIFS [Windows Features setting] and access control based on the facts that a.) I have the same account name and b.) same password on all devices _and_ 3.) I am the administrator of each of them.

For some three decades of different versions of Windows and Cygwin this has allowed me to operate from any particular workstation with access to almost every storage device on the network no matter to which specific processor those devices were attached.  Whether the file permissions covering the ability to create or delete a file, read or write a file, was coming from a cygwin program or some windows application, even when there were some fat partitions and some ntfs partitions, it was nearly seamless.

So what has changed?  First, I unfortunately lost a motherboard last fall and struggling to recover, I had no real choice but to purchase a newer motherboard with a newer processor and the newer motherboard no longer supported booting from two Windows 7 instances that had coexisted with the primary Windows 10 instance on that hardware.. Next, I had to build another new system in order to begin to migrated to Windows 11.  So, as we speak my shared drives are all on hosts running Windows 10 and 11.  And Cygwin  -- a 32 bit version, a 64-bit version from about the beginning of the pandemic, and the most current 64-bit version  is installed -- is installed on some of them.

Now with all that context, for which I apologize, but I think it will be essential to understanding and remedying my current inability to seamlessly create, modify and delete files.  So, let's move to what little I know of how I am supposed to manage that integration of a POSIX and a Windows way of managing permissions. Number 1, I have never touched etc/fstab -- everything has always had the well-behaved result from the single-line default setting in that file.  Number 2, despite my attempt to better acquaint myself with these matters, I have now become accustomed to using the icacls command both to view the state of the ACEs assigned to any given file and to modify them by the use use of the /reset command-line argument which always produces the state shown here as a result of my just creating a folder in which to test:

cygshoot NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(F)
         NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
         BUILTIN\Administrators:(I)(OI)(CI)(F)
         BUILTIN\Users:(I)(OI)(CI)(RX)

I then create a trivial text file via vim;

vimtest.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
            NW10\tcorbet:(R,W,D,WDAC,WO)
            NW10\None:(DENY)(S,X)
            NT AUTHORITY\Authenticated Users:(DENY)(S,X)
            NT AUTHORITY\SYSTEM:(DENY)(S,X)
            BUILTIN\Administrators:(DENY)(S,X)
            BUILTIN\Users:(DENY)(S,X)
            NW10\None:(RX)
            NT AUTHORITY\Authenticated Users:(RX,W)
            NT AUTHORITY\SYSTEM:(RX,W)
            BUILTIN\Administrators:(RX,W)
            BUILTIN\Users:(RX)
            Everyone:(R)

Then I do the same thing using notepad:

FileExp.txt NT AUTHORITY\Authenticated Users:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Administrators:(I)(F)
            BUILTIN\Users:(I)(RX)

vimtest.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
            NW10\tcorbet:(R,W,D,WDAC,WO)
            NW10\None:(DENY)(S,X)
            NT AUTHORITY\Authenticated Users:(DENY)(S,X)
            NT AUTHORITY\SYSTEM:(DENY)(S,X)
            BUILTIN\Administrators:(DENY)(S,X)
            BUILTIN\Users:(DENY)(S,X)
            NW10\None:(RX)
            NT AUTHORITY\Authenticated Users:(RX,W)
            NT AUTHORITY\SYSTEM:(RX,W)
            BUILTIN\Administrators:(RX,W)
            BUILTIN\Users:(RX)
            Everyone:(R)

Moving now to a remote workstation, this is what icacls reports:

FileExp.txt NT AUTHORITY\Authenticated Users:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Administrators:(I)(F)
            BUILTIN\Users:(I)(RX)

vimtest.txt NULL SID:(DENY)(Rc,WEA,X,DC)
S-1-5-21-3338163194-2450085813-3368937723-1001:(R,W,D,WDAC,WO)
S-1-5-21-3338163194-2450085813-3368937723-513:(DENY)(X)
            NT AUTHORITY\Authenticated Users:(DENY)(X)
            NT AUTHORITY\SYSTEM:(DENY)(X)
            BUILTIN\Administrators:(DENY)(X)
            BUILTIN\Users:(DENY)(X)
            S-1-5-21-3338163194-2450085813-3368937723-513:(RX)
            NT AUTHORITY\Authenticated Users:(RX,W)
            NT AUTHORITY\SYSTEM:(RX,W)
            BUILTIN\Administrators:(RX,W)
            BUILTIN\Users:(RX)

And here is the status that icacls reports back on the original, owning workstation
after having use vim to modify the two files from that remote workstation.

FileExp.txt NULL SID:(DENY)(Rc,S,REA,WEA,X,DC)
            NW10\tcorbet:(DENY)(S,RD,WD,AD,REA,WEA,X,DC)
            NW10\tcorbet:(D,Rc,WDAC,WO,RA,WA)
            NW10\None:(Rc,S,RA)
            NT AUTHORITY\Authenticated Users:(RX,W)
            NT AUTHORITY\SYSTEM:(RX,W)
            BUILTIN\Administrators:(RX,W)
            BUILTIN\Users:(RX)
            Everyone:(Rc,S,RA)

vimtest.txt NULL SID:(DENY)(Rc,S,WEA,X,DC)
            NW10\tcorbet:(R,W,D,WDAC,WO)
            NW10\None:(DENY)(S,X)
            NT AUTHORITY\Authenticated Users:(DENY)(S,X)
            NT AUTHORITY\SYSTEM:(DENY)(S,X)
            BUILTIN\Administrators:(DENY)(S,X)
            BUILTIN\Users:(DENY)(S,X)
            NW10\None:(RX)
            NT AUTHORITY\Authenticated Users:(RX,W)
            NT AUTHORITY\SYSTEM:(RX,W)
            BUILTIN\Administrators:(RX,W)
            BUILTIN\Users:(RX)
            Everyone:(R)

If my understanding is correct concerning the precedence handling of an
ACL with multiple ACEs for the same user/ID, this result from grep
on the original, owning workstation would not surprise you:

F:\Dev\cygshoot>grep foo fileexp.txt
grep: fileexp.txt: Permission denied

but it blows me completely away.  Clearly I no longer have an environment
in which I can work on any file from any workstation using any Cygwin
utilities.

What have I messed up?





--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

Reply via email to