[Bug 33576] Multiple applications need persistence support for ACL/file security information (storage in extended file attributes)(Paint Tool SAI, Finale Notepad 2012, SmartDeviceMonitor)

Tue Jun 23 11:31:13 CDT 2015

https://bugs.winehq.org/show_bug.cgi?id=33576

--- Comment #25 from Erich E. Hoover <erich.e.hoover at wine-staging.com> ---
(In reply to Piotr Caban from comment #23)
> I've looked why Pain Tool SAI doesn't work in wine. The application checks
> that "everyone" is able to change file permissions. It doesn't much Unix
> permissions scheme where only root and owner can do that.
> 
> Returning fake permission is not a good idea since it will not work when
> there's support for multiple user accounts in wine. I wonder if it's
> possible to set such permissions using Linux ACL's.

Sorry it's taken me a while to respond to this, but here goes.  According to
the folks over at Samba, Linux ACLs cannot represent all of the state data
contained in an NT ACL (this ACL is probably a good example).  This means that
while some of the information contained in the ACL can be properly represented,
the rest of it is somewhat problematic.

My personal opinion is that we should:
(1) Faithfully store the _entire_ security descriptor, the implementation for
doing that that I put together (and Sebastian has updated) is available here:
https://github.com/wine-compholio/wine-staging/tree/master/patches/server-Stored_ACLs
(2) Also represent (as accurately as possible) the ACLs by converting to
Linux/POSIX ACLs
(3) Put together a kernel module that recognizes NT ACLs so that the kernel
will be able to faithfully reproduce the entire NT ACL

Toward (1) I tried to upstream my DOS extended attribute support a while back (
https://github.com/wine-compholio/wine-staging/tree/master/patches/ntdll-DOS_Attributes
), but AJ was not satisfied with the solution.  It was not entirely clear how
to proceed in a way that would satisfy him.  DOS extended attributes are
required for reproducing a lot of other weird behavior (like files with the
read only flag set), so I think that that patchset should somewhat be
considered to be stand-alone.

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.