Inherit privileges from parent folder for new created files 

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Inherit privileges from parent folder for new created files
[This issue was posted earlier on ntfs-3g-devel at lists.sourceforge.net, I just copy-paste the initial conversation]

jpa wrote:
Hi,
UlfZibis wrote:
Hi all,

If I mount an NTFS partition with Ubuntu in the default manner, the newly created files and folders have
all privileges for anybody when later accessed from Windows. How can I manage with ntfs-3g that newly
created files and folders inherit the privileges from the containing folder?

There are two permission inheritance modes available in
ntfs-3g : The (so-called) Posix one, and the Windows one.

In both cases, you have to define the user mapping so that
for each user, Linux and Windows identify the file ownership
the same way.

For the Posix inheritance mode, you have to mount with
option "acl".

For the Windows inheritance mode, you have to mount with
option "inherit".

In both cases you have to define in the parent directory
the permissions to be inherited. The inheritance does
not apply to ownership, the user who creates a file is
always its owner (same for group).

Note : Windows rules are different from Linux rules. If
you use Windows inheritance, you will get unusual permissions
on Linux, and if you do a chmod or chown you switch to
Linux mode leading to unusual permissions on Windows.

Details on
http://www.tuxera.com/community/ntfs-3g ... rmissions/

Jean-Pierre


Sat Apr 05, 2014 00:07

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Inherit privileges from parent folder for new created files
Hi again,

because the correct configuration of a UserMapping is rather complicated I ask, if it would be possible to allow the inherit option without permissions or any UserMapping.

I think, normal users just want, that new created, copied and moved files and folders just inherit the Windows permissions from their parent folder.
Is there any technical hurdle to establish this possibility?


Sat Apr 05, 2014 00:19
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Inherit privileges from parent folder for new created files
Hi,

Quote:
because the correct configuration of a UserMapping is rather complicated I ask, if it would be possible to allow the inherit option without permissions or any UserMapping.

This is possible for the permissions, not for ownership.
Quote:
I think, normal users just want, that new created, copied and moved files and folders just inherit the Windows permissions from their parent folder.
Is there any technical hurdle to establish this possibility?

Windows defines the owner of a file as the user who creates the file. When the file is created by Linux and no mapping is defined, Linux cannot set the correct owner, so the owner of the parent directory is used instead.
This leads to problems when the directory and the file should have different owners. For instance, the home directory of users is generally owned by root, so all files and directories created there will also be owned by root. In such situations some permissions related to owner will be wrong on Windows.

Try the attached patch "just-inherit.patch" with no user mapping file or "permissions" option, still with "inherit" option.

Regards

Jean-Pierre


Attachments:
just-inherit.patch.gz [406 Bytes]
Downloaded 2061 times
Sat Apr 05, 2014 11:01

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Inherit privileges from parent folder for new created files
Hi Jean-Pierre,

this patch is absolutely perfect, such as I was long time looking for and the original reason, why I started looking deeper.
It should go into release and Linux distributors should be told to enable the inherit option by default. It's absolutely mandatory, that an object, located in a Windows user directory, should only be accessible from its own Windows user.


jpa wrote:
Windows defines the owner of a file as the user who creates the file. When the file is created by Linux and no mapping is defined, Linux cannot set the correct owner, so the owner of the parent directory is used instead.
This leads to problems when the directory and the file should have different owners. For instance, the home directory of users is generally owned by root, so all files and directories created there will also be owned by root. In such situations some permissions related to owner will be wrong on Windows.
I cannot see any problem with this, but maybe you know better. A file, created directly in users home directory is (1) inadvisable, but (2) editable, re-nameable and deletable without problems as I tried after using your patch. Same for files and folders in E:\Public\ from all Windows users, this is really great.


The only disfigurement are the still duplicated superfluous permissions of folders:
Attachment: Duplicated folder permissions.png [ 66.32 KiB | Viewed 62522 times ]


Very much thanks for this,

Ulf


Sat Apr 05, 2014 21:06

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Inherit privileges from parent folder for new created files
Correction:

I meant: Same for files and folders in *:\Users\Public\ ...


Sat Apr 05, 2014 21:28

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Inherit privileges from parent folder for new created files
Thinking again, IMHO I think, the inherit behaviour should be default at all. If one explicitly wants the current behaviour, i.e.: any new created file has all permissions to anybody on Windows, it could be offered by an option like e.g. public, noinherit ....

Maybe the problems you mentioned occurred with Windows XP, but here on Windows 7 there seems no problem to me.


Sat Apr 05, 2014 23:29

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Inherit privileges from parent folder for new created files
See also: https://bugs.launchpad.net/ubuntu/+sour ... ug/1249674

Thanks,

Ulf


Sat Apr 05, 2014 23:48
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Inherit privileges from parent folder for new created files
Hi,

Quote:
I cannot see any problem with this, but maybe you know better. A file, created directly in users home directory is (1) inadvisable, but (2) editable, re-nameable and deletable without problems as I tried after using your patch. Same for files and folders in E:\Public\ from all Windows users, this is really great.

It is great you got what you wanted.
Quote:
The only disfigurement are the still duplicated superfluous permissions of folders:

I must have overlooked something. Can you be more precise about what you find non satisfactory ?
Quote:
It should go into release and Linux distributors should be told to enable the inherit option by default.

I will not support a change of behavior for standard mounting. There will be too many disoriented users.
Quote:
It's absolutely mandatory, that an object, located in a Windows user directory, should only be accessible from its own Windows user.

When you buy an external disk, factory formatted as ntfs, and you create a file from Linux in the home directory, who do you consider as "its own Windows user" ?

Ubuntu may do this in its own right and face the consequences. I will not.

Regards

Jean-Pierre


Sun Apr 06, 2014 10:10

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Inherit privileges from parent folder for new created files
jpa wrote:
Quote:
The only disfigurement are the still duplicated superfluous permissions of folders:

I must have overlooked something. Can you be more precise about what you find non satisfactory ?
As you can see in the screen shot there are 3 identities SYSTEM, Administratoren and Katrin which have permissions with full access, inherited from E:\Users\Katrin\. Additionally those 3 identities have special not inherited permissions. The latter are redundant, add no additional rights and therefore are superfluous. A folder, originally created from Windows in the same parent folder would not have those duplications. It would be more clean, if ntfs-3g would not add those redundant permissions when creating a new folder.

Quote:
I will not support a change of behavior for standard mounting. There will be too many disoriented users.
See my comment in https://bugs.launchpad.net/ubuntu/+sour ... ug/1249674.

Quote:
Quote:
It's absolutely mandatory, that an object, located in a Windows user directory, should only be accessible from its own Windows user.

When you buy an external disk, factory formatted as ntfs, and you create a file from Linux in the home directory, who do you consider as "its own Windows user" ?
Hmm, I'm not sure if I understand right, on an external disk, factory formatted as ntfs, there is no Windows user directory i.e. *:\Users\user\ so my statement would not apply there.


Mon Apr 07, 2014 01:58
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Inherit privileges from parent folder for new created files
Hi,
Quote:
As you can see in the screen shot there are 3 identities SYSTEM, Administratoren and Katrin which have permissions with full access, inherited from E:\Users\Katrin\. Additionally those 3 identities have special not inherited permissions. The latter are redundant, add no additional rights and therefore are superfluous. A folder, originally created from Windows in the same parent folder would not have those duplications.

Oh, I see. Actually they are not mergeable because they have different parameters.

However, this is not what I get on my computer, and I suspect this file was created with some different option or different patch. Try deleting the file and create it again.
Quote:
on an external disk, factory formatted as ntfs, there is no Windows user directory i.e. *:\Users\user\ so my statement would not apply there

Ok, if you have no requirements.

Regards

Jean-Pierre


Mon Apr 07, 2014 22:01

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Inherit privileges from parent folder for new created files
jpa wrote:
Hi,
Quote:
As you can see in the screen shot there are 3 identities SYSTEM, Administratoren and Katrin which have permissions with full access, inherited from E:\Users\Katrin\. Additionally those 3 identities have special not inherited permissions. The latter are redundant, add no additional rights and therefore are superfluous. A folder, originally created from Windows in the same parent folder would not have those duplications.

Oh, I see. Actually they are not mergeable because they have different parameters.
I do not understand your opinion. The not inherited permissions are a subset of the inherited permissions. So IMHO the additional inherited permissions are redundant and therefore superfluous.

Quote:
However, this is not what I get on my computer, and I suspect this file was created with some different option or different patch. Try deleting the file and create it again.
I tried again from scratch with new ntfs-3g 2014.2.15 + your just-inherit patch, no UserMapping and options default,inherit in the fstab. Same result :( I don't know, why you don't see the additional non-inherited permissions on a new created folder, not file.

Quote:
Quote:
on an external disk, factory formatted as ntfs, there is no Windows user directory i.e. *:\Users\user\ so my statement would not apply there

Ok, if you have no requirements.

I still have the requirement, if there is a Windows user directory i.e. *:\Users\user\, even on an external disk, and as consequence then there is a "its own Windows user".


Fri Apr 11, 2014 00:06
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Inherit privileges from parent folder for new created files
Hi,

Quote:
I do not understand your opinion. The not inherited permissions are a subset of the inherited permissions. So IMHO the additional inherited permissions are redundant and therefore superfluous.

They may appear superfluous, but the inherited permissions may be changed on Windows through dynamic inheritance, and the non-inherited ones cannot. So they should not be merged.
Quote:
Quote:
However, this is not what I get on my computer, and I suspect this file was created with some different option or different patch. Try deleting the file and create it again.

I tried again from scratch with new ntfs-3g 2014.2.15 + your just-inherit patch, no UserMapping and options default,inherit in the fstab. Same result :(

Ok, this is because you did not also apply the "no-chmod.patch" and you created the file with some tool which changes the permissions (same issue as the gedit one). Please retry with the additional patch.
Quote:
I don't know, why you don't see the additional non-inherited permissions on a new created folder, not file.

This is because you created the directory with another tool which does no chmod.

Regards

Jean-Pierre


Fri Apr 11, 2014 21:12

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Inherit privileges from parent folder for new created files
jpa wrote:
They may appear superfluous, but the inherited permissions may be changed on Windows through dynamic inheritance, and the non-inherited ones cannot. So they should not be merged.
When I am the creator of that folder and I just want solely inherited permissions, why should I worry about a theoretical scenario, as you describe, when I don't need and want it.

Quote:
Quote:
I don't know, why you don't see the additional non-inherited permissions on a new created folder, not file.

This is because you created the directory with another tool which does no chmod.
I do not know, which tool you mean. I was using nautilus to create new folders and also the new empty text files. To check, if there is something special with nautilus, I now created folders with "mkdir New_inherit", still without "no-chmod.patch". This results in same additional unwanted and therefore superfluous not-inherited permissions.

Yesterday I erroneously assigned users to katrin as primary group which deleted the Ubuntu defaults assignment to group katrin. With this, a new empty text file had the identical permissions as the edited result from gedit.


Fri Apr 11, 2014 23:38

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Inherit privileges from parent folder for new created files
jpa wrote:
Ok, this is because you did not also apply the "no-chmod.patch" and you created the file with some tool which changes the permissions (same issue as the gedit one). Please retry with the additional patch.

Hi, I now tested with both patches:
Code:
Created from Ubuntu:                       folder | file.txt~ | file.txt
(in /media/Daten/Users/Katrin/)
just-inherit.patch                           1)        OK          OK
just-inherit.patch + UserMapping             1)        OK          2)
just-inherit+no-chmod.patch                  1)        OK          OK
just-inherit+no-chmod.patch + UserMapping    1)        OK          OK

file.txt~, 0 byte  backup, renamed from gedit
file.txt,  5 byte  edited by gedit and saved

1)     inherited permissions ->OK  + superfluous not-inherited permissions ->BAD
2) not-inherited permissions ->BAD
However, problem 1) does not occur in /media/Daten/Users/Public/ with just-inherit+no-chmod.patch.


Sun Apr 13, 2014 01:47

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Inherit privileges from parent folder for new created files
Hi again,

jpa wrote:
However, this is not what I get on my computer, and I suspect this file was created with some different option or different patch. Try deleting the file and create it again.
There may be another difference with yours and my computer.
The Windows accounts, which I tested with, were standard user accounts with restricted privileges.
Did you test on Windows account with administrative privileges?

Which is the correct order of the patches just-inherit.patch and no-chmod.patch, because they change the same files?
Does it matter ?
I first executed just-inherit.patch and then no-chmod.patch for my tests.


Sun Apr 13, 2014 16:04
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Inherit privileges from parent folder for new created files
Hi,

Quote:
There may be another difference with yours and my computer.
The Windows accounts, which I tested with, were standard user accounts with restricted privileges.
Did you test on Windows account with administrative privileges?

I tried both, in Windows user home directories.

Is /media/Daten/Users/Katrin/ the home directory of Katrin on the Windows system partition ? or is it on another partition (not the Windows system one) ?

Can you retry, with both patches applied, to create a new directory on Linux, also a subdirectory of the newly created directory. Please do it twice, first with mkdir, then with Nautilus (this is to detect a situation where Nautilus creates the directory elsewhere and then renames it - unlikely, but I want to be sure) :

With mkdir, do
Code:
mkdir /media/Daten/Users/Katrin/mkdir
mkdir /media/Daten/Users/Katrin/mkdir/mkdir

Similarly, with Nautilus, create /media/Daten/Users/Katrin/Nautilus and /media/Daten/Users/Katrin/Nautilus/Nautilus

Then please post the five secaudit outputs, so that I can retry with your settings :
Code:
ntfs-3g.secaudit -vv /media/Daten/Users/Katrin
ntfs-3g.secaudit -vv /media/Daten/Users/Katrin/mkdir
ntfs-3g.secaudit -vv /media/Daten/Users/Katrin/mkdir/mkdir
ntfs-3g.secaudit -vv /media/Daten/Users/Katrin/Nautilus
ntfs-3g.secaudit -vv /media/Daten/Users/Katrin/Nautilus/Nautilus

Quote:
Which is the correct order of the patches just-inherit.patch and no-chmod.patch, because they change the same files?
Does it matter ?

The no-chmod patch was designed to be applied first, but the order should not matter.

Regards

Jean-Pierre


Sun Apr 13, 2014 18:53

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Inherit privileges from parent folder for new created files
jpa wrote:
Is /media/Daten/Users/Katrin/ the home directory of Katrin on the Windows system partition ? or is it on another partition (not the Windows system one) ?
Yep, Katrin is not on system partition. I have:
C:\Users\Default\
C:\Users\Administrator\
E:\Users\Katrin\
E:\Users\Lasse\
E:\Users\Jakob\
I also tried with C:\Users\Administrator\. There I had the same effect with the additional superfluous not-inherited permissions.

Quote:
Can you retry, with both patches applied, to create a new directory on Linux, also a subdirectory of the newly created directory. Please do it twice, first with mkdir, then with Nautilus (this is to detect a situation where Nautilus creates the directory elsewhere and then renames it - unlikely, but I want to be sure) :
With the info above, do you still need this test? I did some, but not so verbose, comparison yet but did not find any difference.
Does it matter, that I additionally have patched with acls.c.patch?


Sun Apr 13, 2014 20:09
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Inherit privileges from parent folder for new created files
Hi,

Quote:
With the info above, do you still need this test? I did some, but not so verbose, comparison yet but did not find any difference.

Yes, please. I do not have a similar configuration. I am specifically worried about the lack in your base directory of a reference to its owner.
Quote:
Does it matter, that I additionally have patched with acls.c.patch?

It does probably not matter, but I cannot be sure until I see the parent directory settings in the secaudit output.

Regards

Jean-Pierre


Sun Apr 13, 2014 21:23

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Inherit privileges from parent folder for new created files
UlfZibis wrote:
However, problem 1) does not occur in /media/Daten/Users/Public/ with just-inherit+no-chmod.patch.
Here intermediately the results with additional acls.c.patch:
Code:
Created from Ubuntu:                            folder | file.txt~ | file.txt
(in /media/Daten/Users/Public/)
just-inherit+no-chmod.patch                       3)        OK          OK
just-inherit+no-chmod.patch + UserMapping         3)        OK          OK
just-inherit+no-chmod+acls.c.patch                3)        OK          OK
just-inherit+no-chmod+acls.c.patch + UserMapping  4)        OK          OK

file.txt~, 0 byte  backup, renamed from gedit
file.txt,  5 byte  edited by gedit and saved

3) only inherited permissions ->OK  + can not open folder with non-administrative account ->BAD
4) only inherited permissions ->OK  + can open folder from Katrin, but not from other " " ->BAD
   (All creations from Ubuntu were executed from katrin, so there was a valid user mapping with Windows Katrin.)


Sun Apr 13, 2014 22:57

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Inherit privileges from parent folder for new created files
jpa wrote:
Then please post the five secaudit outputs, so that I can retry with your settings :
Attachment:
Secaudit Katrin_mkdir_Nautilus.zip [1.7 KiB]
Downloaded 1745 times

Thanks, Ulf


Sun Apr 13, 2014 23:21
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Inherit privileges from parent folder for new created files
Hi,

Thank you for posting the secaudit outputs. I see that on the directory Katrin, there is an unusual flag "cannot be modified by inheritable ACEs" which does not exist on my computers (where the home directories are on the Windows system partition).

Something is apparently wrong in ntfs-3g as a consequence of this flag, and I have to design a test on Windows to determine the consequences of this flag in various conditions. This may take a few days, please be patient.

Regards

Jean-Pierre


Mon Apr 14, 2014 21:15

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Inherit privileges from parent folder for new created files
Hey wow, the source of the problem is found now.
Thanks for your kind collaboration to make ntfs-3g again more compliant with Windows NTFS, at least for my private untypical configuration.

-Ulf


Mon Apr 14, 2014 22:06

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Inherit privileges from parent folder for new created files
Maybe my attached registry scripts will help you to configure your system.
On Windows 7 first apply the registry script.
Then add a new user account.
Then log into the new user, this will automatically create the correct folder tree on the non-system partition.
On Windows XP, the procedure is a little more complicated, but my registry script may give you some hint.

Do you yet have some explanation about the non-accessible folders on the Public path i.e. E:\Users\Public ?


Attachments:
ProfileList.zip [1.48 KiB]
Downloaded 1624 times
Mon Apr 14, 2014 22:55
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Inherit privileges from parent folder for new created files
Hi,

Attached are two patches which may be of interest to you :

The first one (double-inheritance.patch) aims at solving the superfluous ACE you got. Unfortunately this condition falls in a gray zone : According to MSDN in http://msdn.microsoft.com/en-us/library/windows/desktop/aa374924(v=vs.85).aspx "This occurs if the inheritable ACE contains generic information", but I have not been able to determine what is meant by "contains generic information", so I can only propose heuristics checked valid on home directories of Windows XP, Vista, Windows 7 and Windows 8.

The second patch (better-owner.patch) aims at improving the heuristics for setting an owner when the owner cannot be defined in the normal way (typically a user not mapped).

Regards

Jean-Pierre


Attachments:
better-owner.patch.gz [656 Bytes]
Downloaded 1790 times
double-inheritance.patch.gz [901 Bytes]
Downloaded 1656 times
Wed Apr 16, 2014 11:50
Profile
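
The ACE inheritance rules from the MSDN page cited in the post above, including the case where a container inherits two ACEs, as an added example that is not part of the thread and is not ntfs-3g code. It is a simplified model: the SIDs and the parent DACL are constructed samples, every ACE is treated as an allow ACE, and generic rights are mapped with the file generic mapping.

```python
from dataclasses import dataclass

# ACE flag bits and access masks as defined in the Windows SDK (winnt.h).
OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE = 0x01, 0x02    # OI, CI
NO_PROPAGATE_INHERIT_ACE, INHERIT_ONLY_ACE = 0x04, 0x08   # NP, IO
INHERITED_ACE = 0x10
GENERIC_MASK = 0xF0000000
GENERIC_MAP = {              # generic right -> file-specific rights
    0x80000000: 0x00120089,  # GENERIC_READ    -> FILE_GENERIC_READ
    0x40000000: 0x00120116,  # GENERIC_WRITE   -> FILE_GENERIC_WRITE
    0x20000000: 0x001200A0,  # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
    0x10000000: 0x001F01FF,  # GENERIC_ALL     -> FILE_ALL_ACCESS
}
CREATOR_OWNER = "S-1-3-0"    # generic SID, replaced by the creating user


@dataclass(frozen=True)
class Ace:
    sid: str
    mask: int
    flags: int = 0


def map_generic(mask):
    """Replace generic rights in a mask by the specific rights they stand for."""
    specific = mask & ~GENERIC_MASK
    for generic, mapped in GENERIC_MAP.items():
        if mask & generic:
            specific |= mapped
    return specific


def is_generic(ace):
    """True if the ACE holds a generic SID or generic rights."""
    return ace.sid == CREATOR_OWNER or bool(ace.mask & GENERIC_MASK)


def effective(ace, creator_sid, flags):
    """Effective copy of an inherited ACE: generic SID and rights are mapped."""
    sid = creator_sid if ace.sid == CREATOR_OWNER else ace.sid
    return Ace(sid, map_generic(ace.mask), flags)


def inherit_dacl(parent_dacl, creator_sid, is_dir):
    """Build the inherited ACEs of a new file or directory from its parent."""
    child = []
    for ace in parent_dacl:
        oi = ace.flags & OBJECT_INHERIT_ACE
        ci = ace.flags & CONTAINER_INHERIT_ACE
        if not is_dir:
            if oi:  # files take OI ACEs as effective, nothing to pass on
                child.append(effective(ace, creator_sid, INHERITED_ACE))
            continue
        # Flags handed to the next generation; none when NP is set.
        keep = 0 if ace.flags & NO_PROPAGATE_INHERIT_ACE else oi | ci
        inherit_only = Ace(ace.sid, ace.mask,
                           keep | INHERIT_ONLY_ACE | INHERITED_ACE)
        if ci and keep and is_generic(ace):
            # Effective and inheritable with generic information: two ACEs.
            child += [effective(ace, creator_sid, INHERITED_ACE), inherit_only]
        elif ci:
            child.append(effective(ace, creator_sid, keep | INHERITED_ACE))
        elif oi and keep:  # OI only: kept for files below, not effective here
            child.append(inherit_only)
    return child


# Constructed sample data (not taken from the secaudit output in the thread).
CREATOR = "S-1-5-21-1111111111-2222222222-3333333333-1001"
PARENT_DACL = [
    Ace("S-1-5-18", 0x001F01FF, 0x03),      # SYSTEM, full control, OI|CI
    Ace("S-1-5-32-544", 0x10000000, 0x03),  # Administrators, GENERIC_ALL, OI|CI
    Ace(CREATOR_OWNER, 0x10000000, 0x0B),   # CREATOR OWNER, OI|CI|IO
    Ace("S-1-5-32-545", 0x001200A9, 0x06),  # Users, read+execute, CI|NP
    Ace("S-1-1-0", 0x00120089, 0x00),       # Everyone, read, not inheritable
]

if __name__ == "__main__":
    for is_dir in (False, True):
        print("directory:" if is_dir else "file:")
        for a in inherit_dacl(PARENT_DACL, CREATOR, is_dir):
            print(f"  {a.sid:<48} mask={a.mask:#010x} flags={a.flags:#04x}")
```
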

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Inherit privileges from parent folder for new created files
Hi,

are these patches meant on top of the just made patches or from scratch?
Are the new patches independent from each other?

Anyway, much thanks, Ulf


Wed Apr 16, 2014 15:13