Friday, February 15, 2008

cygwin messes up windows permissions, cacl fixes them

I recently had the misfortune to work in a windows environment via cygwin+openssh

This is a seemingly civilized configuration - to my unix-biased way of thinking - as cygwin gives me a shell and ssh is a very familiar way to access machines for logins and automation.

Unfortunately, Windows has a very complex permissions scheme (ACLs) and cygwin+openssh+scp just won't honor Windows permissions. No matter how I tried, the files would land on the server without properly inheriting the permissions of the directories they landed in.

Luckily, Windows provides a relatively easy way to fix this problem in the utility cacls.

What I ended up doing was using cacls with the '/S' switch to get the string representation of the parent directory of the location I copied files to, then used the '/S:' switch again, this time with the string I got from the first invocation, but now targeted at the actual directory I was working in.

You can use the nifty "AccessEnum" utility (google it) to verify your permissions a lot more quickly than a ton of right-click/sharing-tab examinations.

Poof, perfectly consistent permissions.

I'll continue choosing unix for my servers though, thank you...

5 comments:

gregsliva said...

Anyway you can send me the exact syntax you used for cacls. I have experieinced this same misfortune and have not found a viable solution as of yet.

Roger Pack said...

man why does cygwin mess up permissions like this?

Mike Hardy said...

Near as I can tell, it messes up the permissions because it just has no idea about ACLs (it only knows unix permissions), and what it doesn't know it messes up royally. What I don't understand is what abstraction is being punctured such that it's creating a directory with no specific permissions, as a sub-directory of something that has specific permissions and is set such that they are inherited - yet the sub-directory doesn't inherit. That was infuriating, to me.

Greg - you asked a question 3 years ago and I just never saw it - sorry - I can tell you that I was just literally using the /S to pull the blob of characters that represented the ACL, storing it as a local variable in a perl script, then using the switch again with the value from the variable to punch the ACL blob back in on the sub-directories...

Matt T said...

You could also try using icacls.
If you have a parent directory with the correct permissions that you want to 'push' down the tree, try 'icacls [directory] /reset /T /C /Q' from within your cygwin session.

papaSmalls said...

icacls [directory] /reset /T /C /Q worked perfectly me for me. Thanks for this post!