X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Thu, 21 Aug 2008 19:30:28 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: [ANNOUNCEMENT] Updated: csih-0.1.7-1
Message-ID: <20080821173028.GA24882@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <announce DOT 48A789B6 DOT 3010103 AT cwilson DOT fastmail DOT fm> <48A78C6F DOT 2050403 AT cwilson DOT fastmail DOT fm> <20080820134209 DOT GN29104 AT calimero DOT vinschen DOT de> <48ADA260 DOT 3020901 AT cwilson DOT fastmail DOT fm>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <48ADA260.3020901@cwilson.fastmail.fm>
User-Agent: Mutt/1.5.16 (2007-06-09)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Aug 21 13:14, Charles Wilson wrote:
> Corinna Vinschen wrote:
> > I'm about to create a new openssh package for 1.7 with fixes along the
> > lines of what you sent in your OP.
> > 
> > While I'm at it, I see that there's a bit of dual work in the
> > csih-0.1.7 script and the ssh-host-config script:
> 
> So I was also trying to update my iu-config script to use the latest
> csih, and ran into an interesting behavior, which leads to a question.
> [...]
> *** Warning: The owner and the Administrators need
> *** Warning: to have rwxr.xr.x permission to /etc/inetd.d.
> *** Warning: Here are the current permissions:
> *** Warning: drwxrwxr-x+ 2 Administrator Users 0 May  2 20:21 /etc/inetd.d
> *** Warning: Please change the user and/or group ownership and
> *** Warning: permissions of /etc/inetd.d.
> 
> Now, "drwxrwxr-x+" matches the specified regex "rwxr.xr.x" (after
> csih_check_access prepends "^.").  The warning is triggered by:
> 
> (some test succees, but):
>     # There exists an extended ACL entry for the Administrators group, with
>     # the desired permissions. However, extended ACL entries are masked by
>     # the chmod bits for other, so we have to check that 'other' ALSO has at
>     # least the desired permissions. Otherwise, notify.
>     [ -z "$(echo "$ls_result" | sed -n /^......."$perm"/p)" ] && notify=1
>   fi
> 
> There are actually two questions: (a) should csih_check_access be
> checking that the Administrators group has the desired access?, and (b)
> are extended ACLs *actually* masked by the "other" bits?

a) Actually, since all file access is using backup privileges,
   administrators typically have access anyway.  But we don't know if
   admins on a given installation actually *have* backup privileges,
   given that you can remove them from any account.  So, I think the
   test makes still sense, sort of.  From a educational perspective at
   least :)

b) No.  ACCESS_ALLOW_ACEs permissions in the DACL are additive.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/