# cygwin + NTFS permissions = badness

Wednesday, 09 March 2005

Cygwin is "a Linux-like environment for Windows." Basically it provides all (or at least a large set) of the standard Linux command line tools for Windows. A lot of open source projects (e.g. Mozilla, for a big one) have based their Windows build systems on Cygwin because it simplifies the problems with trying to get a make-based build system to work on Windows.

NTFS (the file system for WinNT, Win2k, WinXP, Win2k3) uses Access Control Lists (ACLs) for managing file permissions. If you have ever been frustrated by not being able to delete a file on Windows, your NTFS ACLs might be the culprit.

I don't pretend to fully understand NTFS ACLs, but follow along with this little experiment and decide if you think there is a problem waiting to happen here. For this experiment you'll need xcacls.exe from the Windows Resource Kit. This is a little command-line tool for dumping NTFS ACL information. You can also view ACL information by opening the "Properties" dialog for a file in Explorer and selecting the "Security" tab.

First let's create a small test file in the regular Windows command shell (cmd.exe) and list the NTFS ACL information:

```
C:\temp>echo this is foo.txt > foo.txt

C:\temp>xcacls foo.txt
ACTIVE\trentm:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Users:R
```


This seems reasonable: the "Administrators", "trentm" (that's me), and "SYSTEM" users have full (F) permissions on that file and the "Users" account has read (R) access.

Now let's create a file using one of the cygwin utilities and dump the NTFS ACL information. I'll use tee here, but other tools that create files (like tar, gzip, etc.) will have the same result.

```
C:\temp>echo this is bar.txt | tee bar.txt
this is bar.txt

C:\temp>xcacls bar.txt
C:\temp\bar.txt ACTIVE\trentm:(special access:)
STANDARD_RIGHTS_ALL
DELETE
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
STANDARD_RIGHTS_REQUIRED
FILE_GENERIC_WRITE
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES

BUILTIN\Users:(special access:)
SYNCHRONIZE
FILE_GENERIC_WRITE
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES

Everyone:(special access:)
SYNCHRONIZE
FILE_GENERIC_WRITE
FILE_WRITE_DATA
FILE_APPEND_DATA
```

I don't want to unnecessarily ring alarm bells because my experience has shown that this usually doesn't cause problems in normal usage of the cygwin tools (we use them heavily here at ActiveState). However, yesterday something happened with respect to NTFS ACLs on my Windows development machine such that I no longer have write permissions for files created by the Cygwin tools. I can't help but think that the difference in ACL information for foo.txt and bar.txt in this experiment is part of the problem.
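An added example, not part of the original post: a small Python parser for xcacls listings like the two above that reports which broad principals (`Everyone`, `BUILTIN\Users`) hold write-type rights, so the foo.txt and bar.txt ACLs can be compared mechanically. The sample listings are abridged from the post's output; the function names, the treatment of the letter codes F, C and W as write-granting, and the assumption that file paths contain no spaces are this example's own.

```python
import re

# Constructed samples, abridged from the two xcacls listings in the post.
FOO = r"""ACTIVE\trentm:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Users:R
"""
BAR = r"""C:\temp\bar.txt ACTIVE\trentm:(special access:)
DELETE
WRITE_DAC
FILE_WRITE_DATA

BUILTIN\Users:(special access:)
SYNCHRONIZE
FILE_WRITE_DATA

Everyone:(special access:)
SYNCHRONIZE
FILE_GENERIC_WRITE
"""

BROAD = {"everyone", r"builtin\users"}   # principals covering every local account
WRITE_RIGHTS = {"FILE_GENERIC_WRITE", "FILE_WRITE_DATA", "FILE_APPEND_DATA"}
WRITE_CODES = {"F", "C", "W"}            # assumption: full / change / write letter codes
# Optional leading path (no spaces assumed), then PRINCIPAL:CODE or PRINCIPAL:(special access:)
HEADER = re.compile(r"^(?:[A-Za-z]:\\\S*\s+)?(.+?):(\(special access:\)|[A-Z]+)$")

def parse_acl(text):
    """Return {principal: set of rights} from an xcacls-style listing."""
    acl, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HEADER.match(line)
        if m:                                   # new ACE header
            current = acl.setdefault(m.group(1), set())
            if not m.group(2).startswith("("):  # simple letter code such as F or R
                current.add(m.group(2))
        elif current is not None:               # right name under "special access"
            current.add(line)
    return acl

def broad_write(acl):
    """Sorted list of broad principals that hold any write-type right."""
    write = WRITE_RIGHTS | WRITE_CODES
    return sorted(p for p, r in acl.items() if p.lower() in BROAD and r & write)

if __name__ == "__main__":
    for name, listing in (("foo.txt", FOO), ("bar.txt", BAR)):
        print(name, broad_write(parse_acl(listing)))
```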