Loading ...
Sorry, an error occurred while loading the content.

Re: Win32 ACLs unreliable.

Expand Messages
  • Mike Williams
    ... Until we write a replacement for GetEffectiveRightsFromAcl() - admittedly not a nice solution as this could be a fair amount of code. ... Maybe, I ll
    Message 1 of 11 , Mar 4, 2002
    • 0 Attachment
      On 3 Mar 2002 at 13:15, Bram Moolenaar wrote:

      > > The only reliable approach to ACL handling seems to be to get down and
      > > dirty with the low level system calls. A quick Google search has
      > > turned up the following page as having sample code that could be used
      > > as a basis for rewriting the ACL checking:
      > >
      > > http://mvps.org/win32/security/fksec.html
      > >
      > > Until I (or someone else) gets a chance to review this and reimplement
      > > the relevant bits in C (it's in C++) I recommend that Yet Another
      > > Option (TM - V.Negri) is added to turn off ACL checking that users can
      > > use if they experience problems. Not a full solution but at least
      > > that should prevent a large number of complaints.
      >
      > I don't like adding an option for this. It's not a real solution, it
      > just shifts the problem towards the user.

      Until we write a replacement for GetEffectiveRightsFromAcl() - admittedly not a nice
      solution as this could be a fair amount of code.

      > How about an alternative: Can we try writing to the file to find out if
      > it's writable? Opening the file for appending should not change the
      > file in any way. The possible side effect is that the timestamp of the
      > file changes when you edit it with Vim.

      Maybe, I'll investigate.

      > This should at least be restricted to file systems that have ACL
      > capabilities.

      Doing it in acl_check() will ensure that the check for the file system supporting ACLs
      has been done.

      > Alternatively, we can assume all files on ACL'ed file systems are
      > writable, since mostly people complain if a file is marked read-only
      > while its actually writable.

      The original bug report was due to assuming this - someone reported that he was
      unable to write to a file not marked as read-only due to an ACL not allowing writes.
      How ironic ;)

      I'm verging back towards remove ACL support on Windows. I doubt anywhere that is
      using ACLs in anger would have VIM around - they would be having som many
      problems with other applications that don't take notice of ACLs.

      Mike
      --
      Genealogy tracing us back to the same brother and sister.
    • Bram Moolenaar
      ... It indeed appears that going back to the old solution would be better. One last attempt to do at least some ACL things: Can we add a check that returns
      Message 2 of 11 , Mar 4, 2002
      • 0 Attachment
        Mike Williams wrote:

        > > How about an alternative: Can we try writing to the file to find out if
        > > it's writable? Opening the file for appending should not change the
        > > file in any way. The possible side effect is that the timestamp of the
        > > file changes when you edit it with Vim.
        >
        > Maybe, I'll investigate.
        >
        > > This should at least be restricted to file systems that have ACL
        > > capabilities.
        >
        > Doing it in acl_check() will ensure that the check for the file system
        > supporting ACLs has been done.
        >
        > > Alternatively, we can assume all files on ACL'ed file systems are
        > > writable, since mostly people complain if a file is marked read-only
        > > while its actually writable.
        >
        > The original bug report was due to assuming this - someone reported
        > that he was unable to write to a file not marked as read-only due to
        > an ACL not allowing writes. How ironic ;)
        >
        > I'm verging back towards remove ACL support on Windows. I doubt
        > anywhere that is using ACLs in anger would have VIM around - they
        > would be having som many problems with other applications that don't
        > take notice of ACLs.

        It indeed appears that going back to the old solution would be better.
        One last attempt to do at least some ACL things: Can we add a check that
        returns three possible values:
        ACL check returns "file is writable"
        ACL check returns "file is r/o"
        ACL is unreliable, ignore it.

        And then use the third option whenever we have some doubt that ACL is
        actually working. When that's always the case, it should be very simple
        to implement! :-)

        --
        hundred-and-one symptoms of being an internet addict:
        118. You are on a first-name basis with your ISP's staff.

        /// Bram Moolenaar -- Bram@... -- http://www.moolenaar.net \\\
        /// Creator of Vim -- http://vim.sf.net -- ftp://ftp.vim.org/pub/vim \\\
        \\\ Project leader for A-A-P -- http://www.a-a-p.org ///
        \\\ Help me helping AIDS orphans in Uganda - http://iccf-holland.org ///
      • Vince Negri
        ... On NT4 Sp4, GetEffectiveRightsFromAcl() returns bilge, so the answer on this platform would always be number 3! I think that until someone hand-rolls a
        Message 3 of 11 , Mar 4, 2002
        • 0 Attachment
          > Bram Moolenaar [SMTP:Bram@...] wrote:
          >
          > It indeed appears that going back to the old solution would be better.
          > One last attempt to do at least some ACL things: Can we add a check that
          > returns three possible values:
          > ACL check returns "file is writable"
          > ACL check returns "file is r/o"
          > ACL is unreliable, ignore it.

          > And then use the third option whenever we have some doubt that ACL is
          > actually working. When that's always the case, it should be very simple
          > to implement! :-)

          On NT4 Sp4, GetEffectiveRightsFromAcl() returns bilge, so the answer on
          this platform would always be number 3!

          I think that until someone hand-rolls a VimGetEffectiveRightsFromAcl()
          which actually works, Win32 ACL-checking should be compiled out for 6.1
          final.

          Vince
        • Mike Williams
          ... Oh it is easy - just return the 3rd value all the time. :-) The ACL works fine, the Win32 function that builds the access mask from the ACL is unreliable,
          Message 4 of 11 , Mar 4, 2002
          • 0 Attachment
            On 4 Mar 2002 at 11:17, Bram Moolenaar wrote:

            > It indeed appears that going back to the old solution would be better.
            > One last attempt to do at least some ACL things: Can we add a check that
            > returns three possible values:
            > ACL check returns "file is writable"
            > ACL check returns "file is r/o"
            > ACL is unreliable, ignore it.
            >
            > And then use the third option whenever we have some doubt that ACL is
            > actually working. When that's always the case, it should be very simple
            > to implement! :-)

            Oh it is easy - just return the 3rd value all the time. :-) The ACL works fine, the
            Win32 function that builds the access mask from the ACL is unreliable, buggy,
            kapput! The problem depends on the host OS and service pack, the networked
            machine's OS and service pack, the contents of the ACL, and how the host OS joined
            the network that the network machine is part of (and possibly other factors which MS
            have not owned up to yet!)

            The only solution is to roll our own version of GetEffectiveRightsFromAcl(), which is
            most likely easier than resolving the above conditions to see if we should bother
            checking the ACL in the first place :-(

            Well, I'll try the open for write hack and see what happens.

            Mike
            --
            Belladonna: In Italian, a beautiful lady; in English a deadly poison.
          • vipin aravind
            another way would be to ship advapi32.dll(proper one SP5) renamed to someother dll with vim. Is that redistributable? and then
            Message 5 of 11 , Mar 4, 2002
            • 0 Attachment
              another way would be to ship advapi32.dll(proper one SP5)
              renamed to someother dll with vim.
              Is that redistributable?
              and then getproc and use as it is done now.
              vipin

              > > Bram Moolenaar [SMTP:Bram@...] wrote:
              > >
              > > It indeed appears that going back to the old solution would be better.
              > > One last attempt to do at least some ACL things: Can we add a check that
              > > returns three possible values:
              > > ACL check returns "file is writable"
              > > ACL check returns "file is r/o"
              > > ACL is unreliable, ignore it.
              >
              > > And then use the third option whenever we have some doubt that ACL is
              > > actually working. When that's always the case, it should be very simple
              > > to implement! :-)
              >
              > On NT4 Sp4, GetEffectiveRightsFromAcl() returns bilge, so the answer on
              > this platform would always be number 3!
              >
              > I think that until someone hand-rolls a VimGetEffectiveRightsFromAcl()
              > which actually works, Win32 ACL-checking should be compiled out for 6.1
              > final.
              >
              > Vince
              >
            • Mike Williams
              I don t know for sure, but my guess would be you cannot redistribute. A couple of years ago there was a major bug in one of the standard dialog dlls (I forget
              Message 6 of 11 , Mar 4, 2002
              • 0 Attachment
                I don't know for sure, but my guess would be you cannot redistribute.

                A couple of years ago there was a major bug in one of the standard dialog dlls (I
                forget which one). A number of software companies wanted to redistribute it with
                their application but MS would only allow them to do this as part of an IE distribution
                (IIRC) Anyway, it was something like a 5MB distribution for a 300KB dll.

                On 4 Mar 2002 at 16:21, vipin aravind wrote:

                > another way would be to ship advapi32.dll(proper one SP5)
                > renamed to someother dll with vim.
                > Is that redistributable?
                > and then getproc and use as it is done now.
                > vipin
                >
                > > > Bram Moolenaar [SMTP:Bram@...] wrote:
                > > >
                > > > It indeed appears that going back to the old solution would be better.
                > > > One last attempt to do at least some ACL things: Can we add a check that
                > > > returns three possible values:
                > > > ACL check returns "file is writable"
                > > > ACL check returns "file is r/o"
                > > > ACL is unreliable, ignore it.
                > >
                > > > And then use the third option whenever we have some doubt that ACL is
                > > > actually working. When that's always the case, it should be very simple
                > > > to implement! :-)
                > >
                > > On NT4 Sp4, GetEffectiveRightsFromAcl() returns bilge, so the answer on
                > > this platform would always be number 3!
                > >
                > > I think that until someone hand-rolls a VimGetEffectiveRightsFromAcl()
                > > which actually works, Win32 ACL-checking should be compiled out for 6.1
                > > final.
                > >
                > > Vince
                > >
                >
                >

                Mike
                --
                Experience is a good teacher but her fees are high...
              • Vince Negri
                ... There is a file installed with VC++ called redist.txt which lists what you can redistribute. advapi32.dll isn t on the list, so the answer is no, you
                Message 7 of 11 , Mar 4, 2002
                • 0 Attachment
                  > > another way would be to ship advapi32.dll(proper one SP5)
                  > > renamed to someother dll with vim.
                  > > Is that redistributable?
                  > > and then getproc and use as it is done now.
                  > > vipin
                  > >
                  >
                  There is a file installed with VC++ called "redist.txt" which lists what
                  you can redistribute.

                  advapi32.dll isn't on the list, so the answer is no, you can't redistribute
                  it with Vim.
                • Bram Moolenaar
                  ... That file is very likely copyright protected. And who knows what the interference with other applications will be when you replace it? Better stay away
                  Message 8 of 11 , Mar 4, 2002
                  • 0 Attachment
                    Vipin Aravind wrote:

                    > another way would be to ship advapi32.dll(proper one SP5)
                    > renamed to someother dll with vim.
                    > Is that redistributable?
                    > and then getproc and use as it is done now.

                    That file is very likely copyright protected. And who knows what the
                    interference with other applications will be when you replace it?
                    Better stay away from system .dll files!

                    --
                    hundred-and-one symptoms of being an internet addict:
                    119. You are reading a book and look for the scroll bar to get to
                    the next page.

                    /// Bram Moolenaar -- Bram@... -- http://www.moolenaar.net \\\
                    /// Creator of Vim -- http://vim.sf.net -- ftp://ftp.vim.org/pub/vim \\\
                    \\\ Project leader for A-A-P -- http://www.a-a-p.org ///
                    \\\ Help me helping AIDS orphans in Uganda - http://iccf-holland.org ///
                  Your message has been successfully submitted and would be delivered to recipients shortly.