X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Wed, 29 Feb 2012 10:25:39 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: 1.7.10/1.7.11: .Net programs started from a cygwin console may fail.
Message-ID: <20120229092539.GP23440@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <4F4BA00E DOT 2020806 AT prover DOT com> <20120228125601 DOT GC23440 AT calimero DOT vinschen DOT de> <CAG_2cTnWAJpdHw5m8f_VSAmRy9-R-_C6qfD74Me7Sv7OSjwRkw AT mail DOT gmail DOT com> <20120228141754 DOT GA6518 AT calimero DOT vinschen DOT de> <20120228203956 DOT GD6761 AT jethro DOT local DOT lan> <20120228214136 DOT GM23440 AT calimero DOT vinschen DOT de>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20120228214136.GM23440@calimero.vinschen.de>
User-Agent: Mutt/1.5.21 (2010-09-15)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Feb 28 22:41, Corinna Vinschen wrote:
> The culprit is setup.exe apparently.  If it sets 1777 permissions, it
> uses the same permissions for the inheritable default permissions.  It
> should remove the write bits before creating the inheritable default
> permissions.  In Cygwin this is controlled by the umask, but setup
> doesn't know about a umask.
> 
> So, the correct solution is to change setup.exe to create less dangerous
> default permissions for the Win32 apps in case of 1777 dirs.  That makes
> the tmp/temp stuff in etc/profile unnecessary.

I just applied a fix to setup so that the default permissions for dirs
created with the sticky bit (t) set don't contain write permissions for
group and other.  I see to it that it will be uploaded to cygwin.com
shortly.

> The *big* problem are the already existing /tmp dirs with bad permissions
> throughout the Cygwin users.
> 
> David, instead of setting tmp/temp, What about adding the following line
> to /etc/profile?
> 
>   setfacl -m d:g::r-x,d:o:r-x /home /tmp /usr/tmp /var/log /var/run /var/tmp 2>/dev/null
> 
> That sets the list of directories created with 1777 permissions by
> setup.exe itself to more sane permissions.  Maybe it could be combined
> with a marker file, along these lines:
> 
>   if [ ! -f /etc/.177fix ]
>   then
>     setfacl -m d:g::r-x,d:o:r-x /home /tmp /usr/tmp /var/log /var/run /var/tmp 2> /dev/null && touch /etc/.177fix
>   fi

That should have been /etc/.1777fix, of course.  I think something like
this is necessary since it makes sure that setfacl is called once by a
user with the right permissions and then it's just ignored ever after.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple