Re: permissions and ACLs
On Tue, 10 Jan 2006, Ken Senior wrote: Cygwin gurus, Frustrated by permission problems resulting from having two accounts with the same user name (one domain, one local) I decided to start over with my cygwin installation. Instead of simply changing one of the usernames as I suggested... Way to go. This time, I logged in as local administrator (account name say [EMAIL PROTECTED]) and installed cygwin as this user. Then, to make sure I could read and use cygwin from my domain account I used the Windows ACLs to also grant my domain account Full Control to all the files in C:\cygwin. Thus, both my [EMAIL PROTECTED] (local admin) and my [EMAIL PROTECTED] (domain admin) have Full Control to files in C:\cygwin. But, while logged in both as [EMAIL PROTECTED] and as [EMAIL PROTECTED] I tried from Windows Explorer to delete a file and was informed that I do not have permission! So, I launched the cygwin bash window (from [EMAIL PROTECTED]) and performed a chmod 777 on the file (which cygwin allowed) and STILL can't delete the file: [EMAIL PROTECTED] /usr/bin $ ls -la rsync.exe -rwxrwxrwx 1 senior Users 245248 Aug 18 03:56 rsync.exe [EMAIL PROTECTED] /usr/bin $ rm -f rsync.exe rm: cannot remove `rsync.exe': Permission denied [EMAIL PROTECTED] /usr/bin $ The ability to delete files in a directory is part of the permission bits of the *directory*, not the individual files (unless the sticky bit is set, and even then, only the owner of the file matters). I have read the documentation on NTSEC and from my limited understanding of it was able to glean that using the Windows ACLs was probably not the right way to grant access to the [EMAIL PROTECTED] account. What is the best way to allow access of cygwin to *all* administrators and can I repair this permissions on this installation? Thanks again. You can do it via Cygwin as well -- when you ran a chmod, did you forget the directories? My CYGWIN environment variable is set to CYGWIN binmode ntsec tty title server and the /etc/passwd file follows. [EMAIL PROTECTED] /usr/bin $ less /etc/passwd SYSTEM:*:18:544:,S-1-5-18:: Administrators:*:544:544:,S-1-5-32-544:: Administrator:unused_by_nt/2000/xp:500:513:U-LOCAL\Administrator,S-1-5-21-484763869-1563985344-682003330-500:/home/Administrator:/bin/bash Guest:unused_by_nt/2000/xp:501:513:U-LOCAL\Guest,S-1-5-21-484763869-1563985344-682003330-501:/home/Guest:/bin/bash HelpAssistant:unused_by_nt/2000/xp:1000:513:Remote Desktop Help Assistant Account,U-LOCAL\HelpAssistant,S-1-5-21-484763869-1563985344-682003330-1000:/home/Hel pAssistant:/bin/bash admin:unused_by_nt/2000/xp:1003:513:U-LOCAL\admin,S-1-5-21-484763869-1563985344-682003330-1003:/home/admin:/bin/bash sshd:unused_by_nt/2000/xp:1020:513:sshd privsep,U-LOCAL\sshd,S-1-5-21-484763869-1563985344-682003330-1020:/var/empty:/bin/bash SUPPORT_388945a0:unused_by_nt/2000/xp:1002:513:CN=Microsoft Corporation,L=Redmond,S=Washington,C=US,U-LOCAL\SUPPORT_388945a0,S-1-5-21-484763869-1563985344-682003330-1002:/home/SUPPORT_388945a0:/bin/bash I noticed that you have neither the local nor the domain senior account in your /etc/passwd. That may spell trouble. Igor -- http://cs.nyu.edu/~pechtcha/ |\ _,,,---,,_[EMAIL PROTECTED] | [EMAIL PROTECTED] ZZZzz /,`.-'`'-. ;-;;,_Igor Peshansky, Ph.D. (name changed!) |,4- ) )-,_. ,\ ( `'-' old name: Igor Pechtchanski '---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow! Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends compte. But no -- you are no fool; you call yourself a fool, there's proof enough in that! -- Rostand, Cyrano de Bergerac -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: permissions and ACLs
Igor, I changed the text of my email to make it more readable, replacing senior with admin as well as the name of my domain and machine. I'll leave the correct names this time. Yes, I actually did a recursive chown on everything below /, and it still doesn't work. I can't really see the permissions on /usr/bin since it is strangely mounted separately from the other directories in /usr: [EMAIL PROTECTED] /usr $ ls -la total 0 drwxrwx---+ 16 senior Users 0 Jan 9 13:31 . drwxrwx---+ 9 senior Users 0 Jan 9 13:32 .. drwxrwx---+ 8 senior Users 0 Jan 9 13:31 X11R6 drwxrwx---+ 4 senior Users 0 Jan 9 13:28 doc drwxrwx---+ 2 senior Users 0 Jan 9 13:28 etc drwxrwx---+ 3 senior Users 0 Jan 9 13:28 i686-pc-cygwin drwxrwx---+ 2 senior Users 0 Jan 9 13:31 i686-pc-mingw32 drwxrwx---+ 11 senior Users 0 Jan 9 13:31 include drwxrwx---+ 2 senior Users 0 Jan 10 07:40 info drwxrwx---+ 6 senior Users 0 Jan 10 07:43 local drwxrwx---+ 5 senior Users 0 Jan 9 13:29 man drwxrwx---+ 3 senior Users 0 Jan 9 13:29 sbin drwxrwx---+ 19 senior Users 0 Jan 10 07:39 share drwxrwx---+ 2 senior Users 0 Jan 9 13:28 src drwxrwx---+ 6 senior Users 0 Jan 9 13:29 ssl drwxrwx---+ 2 senior Users 0 Jan 9 13:28 tmp [EMAIL PROTECTED] /usr $ mount C:\cygwin\bin on /usr/bin type system (binmode) C:\cygwin\lib on /usr/lib type system (binmode) C:\cygwin on / type system (binmode) c: on /cygdrive/c type system (binmode,noumount) [EMAIL PROTECTED] /usr $ chown -R senior / [EMAIL PROTECTED] /usr $ cd /usr/bin [EMAIL PROTECTED] /usr/bin $ rm rsync.exe rm: cannot remove `rsync.exe': Permission denied [EMAIL PROTECTED] /usr/bin $ chmod u+w /usr/bin [EMAIL PROTECTED] /usr/bin $ rm rsync.exe rm: cannot remove `rsync.exe': Permission denied [EMAIL PROTECTED] /usr/bin $ ls -la rsync.exe -rwxrwxrwx 1 senior root 245248 Aug 18 03:56 rsync.exe [EMAIL PROTECTED] /usr/bin $ less /etc/passwd [EMAIL PROTECTED] /usr/bin $ less /etc/passwd SYSTEM:*:18:544:,S-1-5-18:: Administrators:*:544:544:,S-1-5-32-544:: Administrator:unused_by_nt/2000/xp:500:513:U-ROMULUS\Administrator,S-1-5-21-4847 63869-1563985344-682003330-500:/home/Administrator:/bin/bash Guest:unused_by_nt/2000/xp:501:513:U-ROMULUS\Guest,S-1-5-21-484763869-1563985344 -682003330-501:/home/Guest:/bin/bash HelpAssistant:unused_by_nt/2000/xp:1000:513:Remote Desktop Help Assistant Accoun t,U-ROMULUS\HelpAssistant,S-1-5-21-484763869-1563985344-682003330-1000:/home/Hel pAssistant:/bin/bash senior:unused_by_nt/2000/xp:1003:513:U-ROMULUS\senior,S-1-5-21-484763869-1563985 344-682003330-1003:/home/senior:/bin/bash sshd:unused_by_nt/2000/xp:1020:513:sshd privsep,U-ROMULUS\sshd,S-1-5-21-48476386 9-1563985344-682003330-1020:/var/empty:/bin/bash SUPPORT_388945a0:unused_by_nt/2000/xp:1002:513:CN=Microsoft Corporation,L=Redmon d,S=Washington,C=US,U-ROMULUS\SUPPORT_388945a0,S-1-5-21-484763869-1563985344-682 003330-1002:/home/SUPPORT_388945a0:/bin/bash -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: permissions and ACLs
Btw, to further help diagnose, I notice the read-only box is shaded and checked for the C:\cygwin directory. I have repeatedly (as administrator on the machine) tried to uncheck this box. The dialog at first appears to let me uncheck it, but when I go back into the dialog, the read-only box is still checked, and shaded. Some other sentient entity is stubbornly controlling permissions on this directory. You would think administrator on the machine can do what he wants, but alas no! -K -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: permissions and ACLs
Ken Senior schrieb: Frustrated by permission problems resulting from having two accounts with the same user name (one domain, one local) I decided to start over with my cygwin installation. This time, I logged in as local administrator (account name say [EMAIL PROTECTED]) and installed cygwin as this user. Then, to make sure I could read and use cygwin from my domain account I used the Windows ACLs to also grant my domain account Full Control to all the files in C:\cygwin. Thus, both my [EMAIL PROTECTED] (local admin) and my [EMAIL PROTECTED] (domain admin) have Full Control to files in C:\cygwin. But, while logged in both as [EMAIL PROTECTED] and as [EMAIL PROTECTED] I tried from Windows Explorer to delete a file and was informed that I do not have permission! Cygwin doesn't have an independent set of file permissions, the acls of windows are just translated to cygwin, use getfacl to view them. If you can't do it in windows, cygwin won't help. I suggest getting the permissions right in windows before using cygwin. To view the permissions set on a file use cacls or xcacls (from windows support tools). The hidden readonly and system flags overrule acl entrys (set with attrib). On a mounted share the rescriction on the share overrule acl entrys. If you can't delete a file as administrator and think you should, please post the output from cacls on this file. -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: permissions and ACLs
Ken Senior schrieb: Btw, to further help diagnose, I notice the read-only box is shaded and checked for the C:\cygwin directory. I have repeatedly (as administrator on the machine) tried to uncheck this box. The dialog at first appears to let me uncheck it, but when I go back into the dialog, the read-only box is still checked, and shaded. Some other sentient entity is stubbornly controlling permissions on this directory. You would think administrator on the machine can do what he wants, but alas no! -K That doesn't mean the has to be readonly. The readonly box in explorer isn't a reliable way to determine the settings on file/directory. Having some inherited rights seems to trigger that display. Ask the programmers of explorer about that. To view the permissions on a file/directory use cmd.exe with attrib and cacls. -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: permissions and ACLs
Ok, I tried attrib to no avail. After the machine accepted and seemed to process the commands, I entered the file properties dialog and the read-only box is still shaded. Also, I still can't delete the C:\cygwin\bin\rsync.exe file. C:\cygwin\binmount C:\cygwin\bin on /usr/bin type system (binmode) C:\cygwin\lib on /usr/lib type system (binmode) C:\cygwin on / type system (binmode) c: on /cygdrive/c type system (binmode,noumount) C:\cygwin\binattrib -R C:\cygwin /S /D C:\cygwin\binattrib -R C:\cygwin\bin /S /D C:\cygwin\binrm rsync.exe rm: cannot remove `rsync.exe': Permission denied C:\cygwin\bincacls c:\cygwin\bin\rsync.exe c:\cygwin\bin\rsync.exe SPACEAPPS\senior:F ROMULUS\senior:F I can't even wipe out the directory to start over. Here's the getfacl output for / and for /usr/bin/ [EMAIL PROTECTED] ~ $ getfacl / # file: / # owner: senior # group: Users user::rwx user:senior:rwx group::--- mask:rwx other:--- default:user:senior:rwx default:mask:rwx [EMAIL PROTECTED] ~ $ getfacl /usr/bin # file: /usr/bin # owner: senior # group: Users user::rwx user:senior:rwx group::rwx mask:rwx other:--- default:user:senior:rwx default:mask:rwx [EMAIL PROTECTED] ~ $ -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: permissions and ACLs
Ken Senior schrieb: Ok, I tried attrib to no avail. After the machine accepted and seemed to process the commands, I entered the file properties dialog and the read-only box is still shaded. This box is irrelevant. Also, I still can't delete the C:\cygwin\bin\rsync.exe file. Please give the output of attrib rsync.exe cacls rsync.exe -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: permissions and ACLs
C:\cygwincd bin C:\cygwin\binattrib rsync.exe A C:\cygwin\bin\rsync.exe C:\cygwin\bincacls rsync.exe C:\cygwin\bin\rsync.exe SPACEAPPS\senior:F ROMULUS\senior:F -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: permissions and ACLs
Ken Senior schrieb: C:\cygwin\bincacls rsync.exe C:\cygwin\bin\rsync.exe SPACEAPPS\senior:F ROMULUS\senior:F So if i get this right ROMOLUS is your local machine. The rights look good. Now, if you can't delete that file logged in as ROMOLUS\senior using cmd.exe and del, we have to take a look at the directorys C:\cygwin\bin and C:\cygwin. Please give the output of attrib and cacls on them. -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: permissions and ACLs
Yes, ROMULUS is my local machine and senior the administrator on it. Sometimes you just have to cut your losses. Thanks for the help, but I was able to rename the C:\cygwin directory, then delete it. I couldn't just delete it first, only after renaming it, which surprisingly I was allowed to do. Maybe I'll try this package some other day when I'm less frustrated. For now, I'll just samba mount my PC onto a Linux box and back it up that way. Thanks again -Ken -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: permissions and ACLs
Ken Senior schrieb: Yes, ROMULUS is my local machine and senior the administrator on it. Just for the record, can it be that senior is in the Administrators group and not the name changed real Adminstrator? Sometimes you just have to cut your losses. Thanks for the help, but I was able to rename the C:\cygwin directory, then delete it. I couldn't just delete it first, only after renaming it, which surprisingly I was allowed to do. Maybe I'll try this package some other day when I'm less frustrated. For now, I'll just samba mount my PC onto a Linux box and back it up that way. What you are experiencing aren't realy cygwin problems, but just the usal messing around with windows acls. If you can't delete something in windows, usually the 'real' Administrator can take ownership of it and than give himself the rights to delete it, which needs acls in the directory too. Before reinstalling check the rights on the C:\, maybe something got inherited from there. -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/