X-Recipient: | archive-cygwin AT delorie DOT com |
X-Spam-Check-By: | sourceware.org |
Date: | Thu, 1 Mar 2012 11:08:20 +0100 |
From: | Corinna Vinschen <corinna-cygwin AT cygwin DOT com> |
To: | cygwin AT cygwin DOT com |
Subject: | Re: 1.7.10/1.7.11: .Net programs started from a cygwin console may fail. |
Message-ID: | <20120301100820.GC2257@calimero.vinschen.de> |
Reply-To: | cygwin AT cygwin DOT com |
Mail-Followup-To: | cygwin AT cygwin DOT com |
References: | <70952A932255A2489522275A628B97C3129F49F7 AT xmb-sjc-233 DOT amer DOT cisco DOT com> |
MIME-Version: | 1.0 |
In-Reply-To: | <70952A932255A2489522275A628B97C3129F49F7@xmb-sjc-233.amer.cisco.com> |
User-Agent: | Mutt/1.5.21 (2010-09-15) |
Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
List-Id: | <cygwin.cygwin.com> |
List-Unsubscribe: | <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com> |
List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
List-Archive: | <http://sourceware.org/ml/cygwin/> |
List-Post: | <mailto:cygwin AT cygwin DOT com> |
List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
Sender: | cygwin-owner AT cygwin DOT com |
Delivered-To: | mailing list cygwin AT cygwin DOT com |
On Feb 29 13:36, Matt Seitz (matseitz) wrote:
> "Corinna Vinschen" wrote:
> > setfacl -m d:g::r-x,d:o:r-x /home /tmp /usr/tmp /var/log /var/run
> /var/tmp 2>/dev/null
>
> Will that cause problems if I have:
>
> $ mount | grep home
> C:/Documents and Settings on /home type ntfs (binary)
> $ getfacl /home
> # file: /home
> # owner: Administrators
> # group: Domain Users
> user::rwx
> group::---
> group:SYSTEM:rwx
> group:Users:r-x
> group:Power Users:r-x
> mask:rwx
> other:r-x
> default:user::rwx
> default:user:Administrators:rwx
> default:group::---
> default:group:SYSTEM:rwx
> default:group:Users:r-x
> default:group:Power Users:r-x
> default:mask:rwx
> default:other:r-x
> $

I don't know if that's a problem for you, but it would change the
settings to

  $ getfacl /home
  [...]
  default:group::r-x     <---
  [...]
  $

Maybe it's better if the code tests the permissions first, along these
lines:

  # Fix a problem introduced by older versions of setup.exe
  # Directories with 1777 permissions were erroneously created
  # with 777 inheritable default permissions.  This is a security
  # problem for non-Cygwin apps using these folders.  This is
  # especially tragic in case of /tmp.
  if [ ! -f /etc/.1777fix ]
  then
    for file in /home /tmp /usr/tmp /var/log /var/run
    do
      # We test if the default group or other permissions are rwx.
      # If so, it's dangerous and highly likely that these are still
      # the permissions set by setup.exe
      getfacl "${file}" | grep -Eq 'default:(group:|other):rwx' \
      && setfacl -m d:g::r-x,d:o:r-x "${file}" 2>/dev/null \
      && touch /etc/.1777fix
    done
  fi

That should be sufficiently safe.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
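
Added example (not part of the mail above and not the Cygwin postinstall script): a dry-run form of the permission test from the mail, showing that the default entries of the /home ACL quoted in the thread are not flagged while a constructed ACL with rwx inheritable defaults is. The function names and the constructed /tmp ACL are assumptions, and the pattern goes slightly beyond the one in the mail by also accepting the "default:other::rwx" spelling that Linux getfacl prints.

```shell
# Added example: dry-run classification of getfacl output; changes nothing.
# Reads getfacl text on stdin; succeeds when the default owning-group or
# default other entry is rwx. Named entries (default:group:SYSTEM:rwx)
# do not match. 'other:?' also accepts the 'other::' form of Linux getfacl.
has_open_defaults() {
    grep -Eq '^default:(group:|other:?):rwx'
}

# Default entries of Matt's /home ACL, copied from the thread.
page_home_acl() {
cat <<'EOF'
# file: /home
default:user::rwx
default:user:Administrators:rwx
default:group::---
default:group:SYSTEM:rwx
default:group:Users:r-x
default:group:Power Users:r-x
default:mask:rwx
default:other:r-x
EOF
}

# Constructed sample: a 1777 directory with rwx inheritable defaults.
constructed_tmp_acl() {
cat <<'EOF'
# file: /tmp
default:user::rwx
default:group::rwx
default:mask:rwx
default:other:rwx
EOF
}

# audit DIR...: print the directories the fix would change, one per line.
audit() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        getfacl "$dir" 2>/dev/null | has_open_defaults && printf '%s\n' "$dir"
    done
    return 0
}
```

Running audit over /home /tmp /usr/tmp /var/log /var/run before applying setfacl lists only the directories whose inheritable defaults would actually be rewritten.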