This permissions situation confuses me

(Administrator: Command Prompt)
E:\dev\Connect>d:\cygwin64\bin\sh
$ PATH=/bin:$PATH
$ ls -l UnarchiveAllPatients
total 25
drwxr-x---+ 1 jhudson Domain Users   0 Dec  1 13:06 Bin
-rwxr-x---+ 1 jhudson Domain Users 297 Dec  1 12:25 UnarchiveAllPatients.vbproj.user
drwxr-x---+ 1 jhudson Domain Users   0 Dec  1 13:06 obj
$ cd UnarchiveAllPatients
$ ls
Bin  UnarchiveAllPatients.vbproj.user  obj
$ exit

E:\dev\Connect>cd UnarchiveAllPatients
Access is denied.

E:\dev\Connect>

I don't understand this. sh can cd into the directory and work as if it were inside it, but cmd cannot.

This is the result of an rsync command that does nightly backups.

I think the cacls output seems to be wrong:

E:\dev\Connect>cacls UnarchiveAllPatients
E:\dev\Connect\UnarchiveAllPatients NULL SID:(DENY)(special access:)
                                             READ_CONTROL
                                             FILE_READ_EA
                                             FILE_WRITE_EA
                                             FILE_EXECUTE
                                             FILE_DELETE_CHILD

                                    DEXTER2\jhudson:(DENY)(special access:)
                                                    FILE_READ_DATA
                                                    FILE_WRITE_DATA
                                                    FILE_APPEND_DATA
                                                    FILE_READ_EA
                                                    FILE_WRITE_EA
                                                    FILE_EXECUTE
                                                    FILE_DELETE_CHILD

                                    NULL SID:(OI)(CI)(IO)(DENY)(special access:)
                                                         READ_CONTROL
                                                         FILE_READ_EA
                                                         FILE_EXECUTE
                                                         FILE_DELETE_CHILD

                                    DEXTER2\jhudson:(special access:)
                                                    STANDARD_RIGHTS_ALL
                                                    DELETE
                                                    READ_CONTROL
                                                    WRITE_DAC
                                                    WRITE_OWNER
                                                    SYNCHRONIZE
                                                    STANDARD_RIGHTS_REQUIRED
                                                    FILE_READ_ATTRIBUTES
                                                    FILE_WRITE_ATTRIBUTES

                                    DEXTER2\Domain Users:(special access:)
                                                         READ_CONTROL
                                                         SYNCHRONIZE
                                                         FILE_GENERIC_READ
                                                         FILE_GENERIC_WRITE
                                                         FILE_GENERIC_EXECUTE
                                                         FILE_READ_DATA
                                                         FILE_WRITE_DATA
                                                         FILE_APPEND_DATA
                                                         FILE_READ_EA
                                                         FILE_WRITE_EA
                                                         FILE_EXECUTE
                                                         FILE_DELETE_CHILD
                                                         FILE_READ_ATTRIBUTES
                                                         FILE_WRITE_ATTRIBUTES

                                    NT AUTHORITY\SYSTEM:(special access:)
                                                        READ_CONTROL
                                                        SYNCHRONIZE
                                                        FILE_GENERIC_READ
                                                        FILE_GENERIC_WRITE
                                                        FILE_GENERIC_EXECUTE
                                                        FILE_READ_DATA
                                                        FILE_WRITE_DATA
                                                        FILE_APPEND_DATA
                                                        FILE_READ_EA
                                                        FILE_WRITE_EA
                                                        FILE_EXECUTE
                                                        FILE_DELETE_CHILD
                                                        FILE_READ_ATTRIBUTES
                                                        FILE_WRITE_ATTRIBUTES

                                    BUILTIN\Administrators:(special access:)
                                                           READ_CONTROL
                                                           SYNCHRONIZE
                                                           FILE_GENERIC_READ
                                                           FILE_GENERIC_WRITE
                                                           FILE_GENERIC_EXECUTE
                                                           FILE_READ_DATA
                                                           FILE_WRITE_DATA
                                                           FILE_APPEND_DATA
                                                           FILE_READ_EA
                                                           FILE_WRITE_EA
                                                           FILE_EXECUTE
                                                           FILE_DELETE_CHILD
                                                           FILE_READ_ATTRIBUTES
                                                           FILE_WRITE_ATTRIBUTES

                                    Everyone:(special access:)
                                             READ_CONTROL
                                             SYNCHRONIZE
                                             FILE_READ_ATTRIBUTES

                                    CREATOR OWNER:(OI)(CI)(IO)F
                                    CREATOR GROUP:(OI)(CI)(IO)R
                                    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(special access:)
                                                                    READ_CONTROL
                                                                    SYNCHRONIZE
                                                                    FILE_GENERIC_READ
                                                                    FILE_GENERIC_WRITE
                                                                    FILE_GENERIC_EXECUTE
                                                                    FILE_READ_DATA
                                                                    FILE_WRITE_DATA
                                                                    FILE_APPEND_DATA
                                                                    FILE_READ_EA
                                                                    FILE_WRITE_EA
                                                                    FILE_EXECUTE
                                                                    FILE_DELETE_CHILD
                                                                    FILE_READ_ATTRIBUTES
                                                                    FILE_WRITE_ATTRIBUTES

                                    BUILTIN\Administrators:(OI)(CI)(IO)(special access:)
                                                                       READ_CONTROL
                                                                       SYNCHRONIZE
                                                                       FILE_GENERIC_READ
                                                                       FILE_GENERIC_WRITE
                                                                       FILE_GENERIC_EXECUTE
                                                                       FILE_READ_DATA
                                                                       FILE_WRITE_DATA
                                                                       FILE_APPEND_DATA
                                                                       FILE_READ_EA
                                                                       FILE_WRITE_EA
                                                                       FILE_EXECUTE
                                                                       FILE_DELETE_CHILD
                                                                       FILE_READ_ATTRIBUTES
                                                                       FILE_WRITE_ATTRIBUTES

                                    Everyone:(OI)(CI)(IO)R
                                    DEXTER2\jhudson:(OI)(CI)F

icacls output:

E:\dev\Connect>icacls UnarchiveAllPatients
UnarchiveAllPatients NULL SID:(DENY)(Rc,REA,WEA,X,DC)
                     DEXTER2\jhudson:(DENY)(RD,WD,AD,REA,WEA,X,DC)
                     NULL SID:(OI)(CI)(IO)(DENY)(Rc,REA,X,DC)
                     DEXTER2\jhudson:(D,Rc,WDAC,WO,RA,WA)
                     DEXTER2\Domain Users:(RX,W,DC)
                     NT AUTHORITY\SYSTEM:(RX,W,DC)
                     BUILTIN\Administrators:(RX,W,DC)
                     Everyone:(Rc,S,RA)
                     CREATOR OWNER:(OI)(CI)(IO)(F)
                     CREATOR GROUP:(OI)(CI)(IO)(RX)
                     NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(RX,W,DC)
                     BUILTIN\Administrators:(OI)(CI)(IO)(RX,W,DC)
                     Everyone:(OI)(CI)(IO)(RX)
                     DEXTER2\jhudson:(OI)(CI)(F)

Answer 1

The ACL shows that you are denied most of the basic permissions on the directory, e.g. FILE_READ_DATA (which lets you list its contents, similar to +r on Linux). Cmd requests this permission when it accesses the directory you are trying to cd into, and fails because of the deny.

However, as long as you run as Administrator, Cygwin enables the SeBackupPrivilege and SeRestorePrivilege privilege bits. These privileges let you bypass most ACL checks; this is very similar to root on Linux (CAP_DAC_OVERRIDE), except that on Windows they stay "held but not active" by default, whereas on Linux root always has them active.

  /* Setting these rights at process startup allows processes running under
     user tokens which are in the administrators group to have root-like
     permissions. */
  /* Allow to access all files, independent of their ACL settings. */
  set_privilege (token, SE_RESTORE_PRIVILEGE, true);
  set_privilege (token, SE_BACKUP_PRIVILEGE, true);

So any Cygwin-based process is able to access files that ordinary Windows programs cannot. (You can do the same in PowerShell with the PSPrivilege module from the PSGallery.)

Don't use rsync to back up Windows files; it will not preserve the ACLs correctly. Use robocopy instead.

(No, I don't know why Cygwin shows you as having rwx while the ACL says otherwise.)


(The other denied permission, FILE_EXECUTE, technically has the same "enter directory" meaning on Windows as +x on Linux; modern Windows versions just ignore it.)
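
To see why cmd's cd fails while a backup-privileged process succeeds, here is an added example (not from the question or the answer) that decodes icacls ACE lines into rights and walks the DACL in order the way Windows does, with a switch that models the SeBackupPrivilege bypass; the trimmed listing in SAMPLE and the group memberships in JHUDSON are assumptions based on the question.

```python
"""Parse icacls ACE lines (as in the question) and run a simplified DACL check; added example."""
import re
# icacls abbreviations -> specific rights (the subset that appears on this page)
RIGHTS = {"RD": "FILE_READ_DATA", "WD": "FILE_WRITE_DATA", "AD": "FILE_APPEND_DATA",
          "REA": "FILE_READ_EA", "WEA": "FILE_WRITE_EA", "X": "FILE_EXECUTE", "D": "DELETE",
          "DC": "FILE_DELETE_CHILD", "RA": "FILE_READ_ATTRIBUTES", "WA": "FILE_WRITE_ATTRIBUTES",
          "Rc": "READ_CONTROL", "WDAC": "WRITE_DAC", "WO": "WRITE_OWNER", "S": "SYNCHRONIZE"}
READ = {"FILE_READ_DATA", "FILE_READ_EA", "FILE_READ_ATTRIBUTES", "READ_CONTROL", "SYNCHRONIZE"}
GENERIC = {"R": READ, "RX": READ | {"FILE_EXECUTE"}, "F": set(RIGHTS.values()),
           "W": {"FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_WRITE_EA",
                 "FILE_WRITE_ATTRIBUTES", "READ_CONTROL", "SYNCHRONIZE"}}
def parse_icacls(text):
    """Return (principal, is_deny, inherit_only, rights) tuples in DACL order."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    lines[0] = lines[0].split(None, 1)[1]              # first line carries the path
    aces = []
    for line in lines:
        principal, _, rest = line.partition(":(")
        groups = re.findall(r"\(([^)]*)\)", "(" + rest)  # (OI)(CI)(IO)(DENY)(rights)
        rights = set()
        for abbr in groups[-1].split(","):               # unknown abbreviations raise
            rights |= GENERIC[abbr] if abbr in GENERIC else {RIGHTS[abbr]}
        aces.append((principal, "DENY" in groups, "IO" in groups, frozenset(rights)))
    return aces

def access_check(aces, principals, requested, backup_privilege=False):
    """Walk ACEs in order: a deny covering a still-ungranted right fails, allows accumulate.
    An enabled SeBackupPrivilege (backup semantics, as Cygwin uses) skips the DACL for reads."""
    if backup_privilege and requested <= READ | {"FILE_EXECUTE"}:
        return True
    granted = set()
    for principal, deny, inherit_only, rights in aces:
        if inherit_only or principal not in principals:   # (IO) ACEs apply to children only
            continue
        if deny and rights & (requested - granted):
            return False
        if not deny:
            granted |= rights & requested
        if granted >= requested:
            return True
    return False
# Constructed subset of the question's icacls listing, so the block runs stand-alone
SAMPLE = """UnarchiveAllPatients NULL SID:(DENY)(Rc,REA,WEA,X,DC)
                     DEXTER2\\jhudson:(DENY)(RD,WD,AD,REA,WEA,X,DC)
                     NULL SID:(OI)(CI)(IO)(DENY)(Rc,REA,X,DC)
                     DEXTER2\\jhudson:(D,Rc,WDAC,WO,RA,WA)
                     DEXTER2\\Domain Users:(RX,W,DC)
                     DEXTER2\\jhudson:(OI)(CI)(F)"""
JHUDSON = {"DEXTER2\\jhudson", "DEXTER2\\Domain Users", "Everyone"}  # assumed token groups
```

Requesting FILE_READ_DATA as jhudson hits the explicit deny before the Domain Users allow, which is the cmd failure; the same request with the backup-privilege switch set succeeds, and a write request is still denied because SeBackupPrivilege covers only read access.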
