(Administrator: Command Prompt)
E:\dev\Connect>d:\cygwin64\bin\sh
$ PATH=/bin:$PATH
$ ls -l UnarchiveAllPatients
total 25
drwxr-x---+ 1 jhudson Domain Users 0 Dec 1 13:06 Bin
-rwxr-x---+ 1 jhudson Domain Users 297 Dec 1 12:25 UnarchiveAllPatients.vbproj.user
drwxr-x---+ 1 jhudson Domain Users 0 Dec 1 13:06 obj
$ cd UnarchiveAllPatients
$ ls
Bin UnarchiveAllPatients.vbproj.user obj
$ exit
E:\dev\Connect>cd UnarchiveAllPatients
Access is denied.
E:\dev\Connect>
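I don't understand. sh can cd into the directory and operate in it as normal, but cmd cannot.
This is the result of an rsync command that performs a nightly backup.
My cacls output appears to be wrong: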
E:\dev\Connect>cacls UnarchiveAllPatients
E:\dev\Connect\UnarchiveAllPatients NULL SID:(DENY)(special access:)
READ_CONTROL
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_DELETE_CHILD
DEXTER2\jhudson:(DENY)(special access:)
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_DELETE_CHILD
NULL SID:(OI)(CI)(IO)(DENY)(special access:)
READ_CONTROL
FILE_READ_EA
FILE_EXECUTE
FILE_DELETE_CHILD
DEXTER2\jhudson:(special access:)
STANDARD_RIGHTS_ALL
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
STANDARD_RIGHTS_REQUIRED
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
DEXTER2\Domain Users:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_DELETE_CHILD
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
NT AUTHORITY\SYSTEM:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_DELETE_CHILD
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
BUILTIN\Administrators:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_DELETE_CHILD
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
Everyone:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_READ_ATTRIBUTES
CREATOR OWNER:(OI)(CI)(IO)F
CREATOR GROUP:(OI)(CI)(IO)R
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_DELETE_CHILD
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
BUILTIN\Administrators:(OI)(CI)(IO)(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_DELETE_CHILD
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
Everyone:(OI)(CI)(IO)R
DEXTER2\jhudson:(OI)(CI)F
icacls output:
E:\dev\Connect>icacls UnarchiveAllPatients
UnarchiveAllPatients NULL SID:(DENY)(Rc,REA,WEA,X,DC)
DEXTER2\jhudson:(DENY)(RD,WD,AD,REA,WEA,X,DC)
NULL SID:(OI)(CI)(IO)(DENY)(Rc,REA,X,DC)
DEXTER2\jhudson:(D,Rc,WDAC,WO,RA,WA)
DEXTER2\Domain Users:(RX,W,DC)
NT AUTHORITY\SYSTEM:(RX,W,DC)
BUILTIN\Administrators:(RX,W,DC)
Everyone:(Rc,S,RA)
CREATOR OWNER:(OI)(CI)(IO)(F)
CREATOR GROUP:(OI)(CI)(IO)(RX)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(RX,W,DC)
BUILTIN\Administrators:(OI)(CI)(IO)(RX,W,DC)
Everyone:(OI)(CI)(IO)(RX)
DEXTER2\jhudson:(OI)(CI)(F)
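The ACL shows that you are denied the most basic rights to the directory, such as FILE_READ_DATA (which allows you to list the contents, much like +r on Linux). Cmd requests this right when accessing the directory you are cd'ing into, but fails because of the denial. However, as long as you are running as Administrator, Cygwin enables the SeBackupPrivilege and SeRestorePrivilege privilege bits. These privileges allow you to bypass most ACL checks, much like root on Linux (CAP_DAC_OVERRIDE), except that on Windows they are kept "held but inactive" by default, whereas root on Linux always has them active. So any Cygwin-based process is able to access files that a normal Windows program cannot. (You can do the same in PowerShell using the PSPrivilege module from PSGallery.)
Don't use rsync to back up Windows files; it will not preserve ACLs properly – use robocopy.
(No, I don't know why Cygwin shows you rwx when the ACL says otherwise.)
(The other denied right, FILE_EXECUTE, technically has the same "enter directory" meaning on Windows as +x on Linux; it is just that modern Windows versions ignore it.)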
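The ordered ACE walk the answer describes can be replayed over the icacls listing above. This is an added example, not code from the question or the answer: parse_aces, check and the token's group membership are assumptions, and owner rights and privileges such as SeBackupPrivilege are not modelled.

```python
import re

# ACEs copied from the icacls listing on this page, path prefix removed.
ICACLS = r"""
NULL SID:(DENY)(Rc,REA,WEA,X,DC)
DEXTER2\jhudson:(DENY)(RD,WD,AD,REA,WEA,X,DC)
NULL SID:(OI)(CI)(IO)(DENY)(Rc,REA,X,DC)
DEXTER2\jhudson:(D,Rc,WDAC,WO,RA,WA)
DEXTER2\Domain Users:(RX,W,DC)
NT AUTHORITY\SYSTEM:(RX,W,DC)
BUILTIN\Administrators:(RX,W,DC)
Everyone:(Rc,S,RA)
CREATOR OWNER:(OI)(CI)(IO)(F)
CREATOR GROUP:(OI)(CI)(IO)(RX)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(RX,W,DC)
BUILTIN\Administrators:(OI)(CI)(IO)(RX,W,DC)
Everyone:(OI)(CI)(IO)(RX)
DEXTER2\jhudson:(OI)(CI)(F)
"""
FLAGS = {"OI", "CI", "IO", "NP", "I", "DENY"}
# icacls simple rights expanded to the specific rights they contain.
READ = {"RC", "S", "RD", "REA", "RA"}
WRITE = {"RC", "S", "WD", "AD", "WEA", "WA"}
EXEC = {"RC", "S", "RA", "X"}
FULL = READ | WRITE | EXEC | {"D", "DC", "WDAC", "WO"}
SIMPLE = {"R": READ, "W": WRITE, "RX": READ | EXEC,
          "M": FULL - {"DC", "WDAC", "WO"}, "F": FULL}

def parse_aces(text):
    """Yield (principal, flags, rights) for each 'NAME:(..)(..)' line, in order."""
    for line in text.strip().splitlines():
        principal, _, rest = line.strip().partition(":(")
        groups = [g.upper() for g in re.findall(r"\(([^)]*)\)", "(" + rest)]
        flags = {g for g in groups if g in FLAGS}
        rights = set().union(*(SIMPLE.get(r, {r}) for g in groups
                               if g not in FLAGS for r in g.split(",")))
        yield principal, flags, rights

def check(text, token, wanted):
    """For one right, the first applicable ACE that names it decides."""
    for principal, flags, rights in parse_aces(text):
        # (IO) entries only seed children's ACLs; they do not apply to this directory.
        if "IO" in flags or principal not in token or wanted not in rights:
            continue
        return ("denied" if "DENY" in flags else "granted", principal)
    return ("denied", None)  # no ACE grants it: implicit deny

# Assumed token for the elevated prompt in the question.
JHUDSON = {r"DEXTER2\jhudson", r"DEXTER2\Domain Users",
           r"BUILTIN\Administrators", "Everyone"}
```

check(ICACLS, JHUDSON, "RD") stops at the explicit deny for DEXTER2\jhudson before any allow entry is reached, which is the failure cmd reports; the trailing (OI)(CI)(F) grant for the same account never gets a say.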