| delorie.com/archives/browse.cgi | search |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sources.redhat.com/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| X-pair-Authenticated: | 149.225.184.13 |
| From: | "Karsten Fleischer" <K DOT Fleischer AT omnium DOT de> |
| To: | <cygwin AT cygwin DOT com> |
| Subject: | RE: ksh on cygwin |
| Date: | Fri, 11 Jan 2002 02:04:47 +0100 |
| Message-ID: | <DIENLECHGMDAEJHGMEBCIEALCBAA.K.Fleischer@omnium.de> |
| MIME-Version: | 1.0 |
| X-Priority: | 3 (Normal) |
| X-MSMail-Priority: | Normal |
| X-Mailer: | Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) |
| X-MimeOLE: | Produced By Microsoft MimeOLE V5.00.2919.6700 |
| In-Reply-To: | <20020110183618.GD26493@redhat.com> |
| Importance: | Normal |
> >>OK, more detailed. I allow only absolute pathes in $SHELL and don't > >>allow any *csh. If superuser then only shells from [/usr][/local]/bin > >>are considered trusted shells. If not superuser shells from other > >>directories are allowed, but if uid != euid or gid != egid the shell > >>and the directory where it resides must not be writable. Fall back > >>value is /bin/sh. > > > >But, uhm, what exactly is a `superuser' from your point of view? We > >don't have that concept except for SYSTEM as _the_ user which is able > >to change user context w/o changing security policies. And on 9x/Me... > > It sounds like all of this is pretty non-standard, AFAICT. I can see > why you'd do something like this but I don't think there is any reason > to divert cygwin in this direction at this point in its life. It's > a pretty major change. It's not a major change. SUSv2 doesn't say that you have to use /bin/sh for a shell. It even says that $SHELL can name the user's favorite shell. I know that you always have trouble with users who copy /bin/bash to /bin/sh, it's a monthly issue on the mailing list. My patch would solve this in an easy way. Regarding the security issues, as Corinna pointed out there's no "superuser" with uid == 0, so the things I proposed above can be dropped. Karsten -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Bug reporting: http://cygwin.com/bugs.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |