X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Tue, 28 Feb 2012 22:41:36 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: 1.7.10/1.7.11: .Net programs started from a cygwin console may fail.
Message-ID: <20120228214136.GM23440@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <4F4BA00E DOT 2020806 AT prover DOT com> <20120228125601 DOT GC23440 AT calimero DOT vinschen DOT de> <CAG_2cTnWAJpdHw5m8f_VSAmRy9-R-_C6qfD74Me7Sv7OSjwRkw AT mail DOT gmail DOT com> <20120228141754 DOT GA6518 AT calimero DOT vinschen DOT de> <20120228203956 DOT GD6761 AT jethro DOT local DOT lan>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20120228203956.GD6761@jethro.local.lan>
User-Agent: Mutt/1.5.21 (2010-09-15)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Feb 28 21:39, David Sastre Medina wrote:
> On Tue, Feb 28, 2012 at 03:17:54PM +0100, Corinna Vinschen wrote:
> > On Feb 28 08:51, Jon Clugston wrote:
> > > Just a guess, but it does look suspiciously like the name of an
> > > environment variable.  Wasn't there some discussion lately about
> > > differing case environment variables ("tmp" as opposed to "TMP")?
> > 
> > Dead on, thanks!  The definitions of tmp and temp in /etc/profile result
> > in a double definition of the %TMP% and %TEMP% dos variables from the
> > .Net applications POV and it's too dumb to handle that gracefully.
> > 
> > So the solution is, either we drop the tmp and temp definitions in
> > /etc/profile, or old .net apps should be started only after calling
> > `unset tmp temp' in bash.
> > 
> > Btw., tmp and temp are not preserved this way in tcsh's profile scripts.
> > So I'm wondering why we do it in /etc/profile.  Can somebody give me a
> > management summary?
> 
> A while back (about the 3.x -> 4.x changes in base-files), it was
> agreed to unset both TMP and TEMP and set them to /tmp.
> A user concerned about the security of files owned by windows native 
> applications started within cygwin, reported that those files were
> created with 777 perms under /tmp, making it trivial for other users to
> read/copy temps files easily.

There's something wrong with this picture.

The default permissions of /tmp are 1777 from the POSIX point of view.
The created files have default permissions which depend on the umask.
For native Win32 application, the default permissions depend on the
setting of the inheritable default permissions.  And these are set so
that the files have default perms of 0755: 

  $ getfacl /tmp
  # file: /tmp
  # owner: somebody
  # group: Administrators
  user::rwx
  group::rwx
  mask:rwx
  other:rwx
  default:user::rwx
  default:group::r-x
  default:other:r-x

This should be entirely sufficent.

[...time passes...]

Oh.  I think I see why this happens.  The inheritable default permissions
are NOT set as above, but rather they are set like this:

  # file: /tmp
  # owner: somebody
  # group: Administrators
  user::rwx
  group::rwx
  mask:rwx
  other:rwx
  default:user::rwx
  default:group::rwx
  default:other:rwx

The culprit is setup.exe apparently.  If it sets 1777 permissions, it
uses the same permissions for the inheritable default permissions.  It
should remove the write bits before creating the inheritable default
permissions.  In Cygwin this is controlled by the umask, but setup
doesn't know about a umask.

So, the correct solution is to change setup.exe to create less dangerous
default permissions for the Win32 apps in case of 1777 dirs.  That makes
the tmp/temp stuff in etc/profile unnecessary.

The *big* problem are the already existing /tmp dirs with bad permissions
throughout the Cygwin users.

David, instead of setting tmp/temp, What about adding the following line
to /etc/profile?

  setfacl -m d:g::r-x,d:o:r-x /home /tmp /usr/tmp /var/log /var/run /var/tmp 2>/dev/null

That sets the list of directories created with 1777 permissions by
setup.exe itself to more sane permissions.  Maybe it could be combined
with a marker file, along these lines:

  if [ ! -f /etc/.177fix ]
  then
    setfacl -m d:g::r-x,d:o:r-x /home /tmp /usr/tmp /var/log /var/run /var/tmp 2> /dev/null && touch /etc/.177fix
  fi

In the meantime I'll fix setup to create less dangerous default
permissions in the 1777 case.  Sigh, if I only had observed the issue
more closely when it cropped up the first time :(


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple