rsync windows acl

Ryan Malayter malayter at
Fri Apr 17 16:20:50 GMT 2009

On Thu, Apr 16, 2009 at 6:40 AM, David de Lama <david.delama at> wrote:
> There are two opportunities for information loss in the ACL conversion:
> - POSIX ACLs support only read, write, and execute permissions. Thus,
> aspects of Windows ACLs that cannot be represented by a combination of
> read, write, and execute (often shown as "Special Permissions" in the
> Windows ACL editor) will be lost.

I assume you are talking about the "container inherit/Object inherit"
concept in Windows ACLs that cannot be replicated with POSIX. There
are also permissions combinations like "list directory without read",
"create files but no write to other files", etc.

All of these concepts are available with NFSv4-style ACLs on UNIX-like
platforms. But "available" and "built-in with pervasive tools support"
are two very different things. Even mapping between Windows ACLs and
NFSv4 ACLs isn't 100%.

Rsync's man page indicates support for ACLs, but does not mention what
ACL model is supported. One would assume NFSv4-style, but it could
also be AFS style or something else. Cygwin supports on-the-fly ACL
mapping to Solaris style ACLs, which I believe are the same as NFSv4:

> - Rsync uses Unix-like UIDs and GIDs. To get Cygwin to convert
> Windows users and groups to and from UIDs and GIDs in a meaningful
> fashion, you must assign UIDs and GIDs to all the users on the system
> in the /etc/passwd and /etc/group files. See the Cygwin page I linked
> above for much more information. Additionally, if you are copying
> from one machine to another, rsync gives you the option to preserve
> users and groups by UID/GID or by Cygwin name (which may or may not
> match the Windows name depending on how you did /etc/passwd and
> /etc/group); see rsync's option.

Presumably, if rsync supports ACLs, it supports the NFSv4 style
"user at domain" or "group at domain" identifiers instead of or in addition
to UID/GIDs. There's not much work going from there to supporting the
Windows security ID, which is just a GUID of the form
"S-1-5-21-1307432495-4323513810-0945580164-1907". In Windows, the
mounting system maps ACL SIDs to usernames and back. Like *NIX, there are a
few "well-known" SIDs that are the same on every system. For example,
LOCALSYSTEM has a defined SID, just as root is always mapped to user 0
on *nix.

So, it seems like most of the infrastructure is there for supporting
Windows ACLs in rsync cwrsync. However, it seems as though somebody
needs to do the code. Being a bonehead sysadmin type and incapable of
that coding myself, I can only help with testing and documentation.
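
The information loss discussed in this thread, as an added example that is not part of the original post or of rsync/Cygwin: it collapses a Windows file access mask to POSIX rwx and lists the rights and inheritance flags that have no rwx equivalent. The access-right values are the standard winnt.h constants; the collapse rule (a letter is granted only when the whole FILE_GENERIC_* composite is present) and the sample ACEs are assumptions made for illustration.

```python
# Added illustration: collapse a Windows file access mask to POSIX rwx and
# report what is dropped. The collapse rule is an assumption, not Cygwin's.

# Specific and standard file access rights (winnt.h values).
RIGHTS = {
    "FILE_READ_DATA/LIST_DIRECTORY": 0x000001,
    "FILE_WRITE_DATA/ADD_FILE": 0x000002,
    "FILE_APPEND_DATA/ADD_SUBDIRECTORY": 0x000004,
    "FILE_READ_EA": 0x000008,
    "FILE_WRITE_EA": 0x000010,
    "FILE_EXECUTE/TRAVERSE": 0x000020,
    "FILE_DELETE_CHILD": 0x000040,
    "FILE_READ_ATTRIBUTES": 0x000080,
    "FILE_WRITE_ATTRIBUTES": 0x000100,
    "DELETE": 0x010000,
    "READ_CONTROL": 0x020000,
    "WRITE_DAC": 0x040000,
    "WRITE_OWNER": 0x080000,
    "SYNCHRONIZE": 0x100000,
}
# FILE_GENERIC_READ / FILE_GENERIC_WRITE / FILE_GENERIC_EXECUTE composites.
GENERIC = {"r": 0x120089, "w": 0x120116, "x": 0x1200A0}
# ACE inheritance flags; POSIX ACL entries carry no per-entry equivalent.
INHERIT = {"OBJECT_INHERIT": 0x1, "CONTAINER_INHERIT": 0x2,
           "NO_PROPAGATE_INHERIT": 0x4, "INHERIT_ONLY": 0x8}

def collapse(mask, ace_flags=0):
    """Return (rwx string, sorted names of rights and flags dropped)."""
    rwx, kept = "", 0
    for letter in "rwx":
        if mask & GENERIC[letter] == GENERIC[letter]:
            rwx += letter
            kept |= GENERIC[letter]
        else:
            rwx += "-"
    lost = [n for n, bit in RIGHTS.items() if mask & bit and not kept & bit]
    lost += [n for n, bit in INHERIT.items() if ace_flags & bit]
    return rwx, sorted(lost)

if __name__ == "__main__":
    samples = {  # constructed sample ACEs: (access mask, ACE flags)
        "read + execute": (0x1200A9, 0),
        "list directory without read": (0x000001, 0x2),
        "create files, no write to others": (0x000002, 0x3),
        "full control": (0x1F01FF, 0x3),
    }
    for name, (mask, flags) in samples.items():
        print(f"{name:34} {collapse(mask, flags)}")
```

An ACE that comes back as `---` with a non-empty dropped list is one whose grant disappears entirely after conversion, which is worth auditing before relying on a copy to carry the same access policy.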
