Date: Thu, 1 Mar 2012 11:08:20 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: 1.7.10/1.7.11: .Net programs started from a cygwin console may fail.
Message-ID: <20120301100820.GC2257@calimero.vinschen.de>
References: <70952A932255A2489522275A628B97C3129F49F7 AT xmb-sjc-233 DOT amer DOT cisco DOT com>
In-Reply-To: <70952A932255A2489522275A628B97C3129F49F7@xmb-sjc-233.amer.cisco.com>

On Feb 29 13:36, Matt Seitz (matseitz) wrote:
> "Corinna Vinschen" wrote:
> > setfacl -m d:g::r-x,d:o:r-x /home /tmp /usr/tmp /var/log /var/run /var/tmp 2>/dev/null
>
> Will that cause problems if I have:
>
> $ mount | grep home
> C:/Documents and Settings on /home type ntfs (binary)
> $ getfacl /home
> # file: /home
> # owner: Administrators
> # group: Domain Users
> user::rwx
> group::---
> group:SYSTEM:rwx
> group:Users:r-x
> group:Power Users:r-x
> mask:rwx
> other:r-x
> default:user::rwx
> default:user:Administrators:rwx
> default:group::---
> default:group:SYSTEM:rwx
> default:group:Users:r-x
> default:group:Power Users:r-x
> default:mask:rwx
> default:other:r-x
> $

I don't know if that's a problem for you, but it would change the
settings to

  $ getfacl /home
  [...]
  default:group::r-x    <---
  [...]
  $

Maybe it's better if the code tests the permissions first, along these
lines:

  # Fix a problem introduced by older versions of setup.exe
  # Directories with 1777 permissions were erroneously created
  # with 777 inheritable default permissions.  This is a security
  # problem for non-Cygwin apps using these folders.  This is
  # especially tragic in case of /tmp.
  if [ ! -f /etc/.1777fix ]
  then
    for file in /home /tmp /usr/tmp /var/log /var/run
    do
      # We test if the default group or other permissions are rwx.
      # If so, it's dangerous and highly likely that these are still
      # the permissions set by setup.exe
      getfacl "${file}" | grep -Eq 'default:(group:|other):rwx' \
      && setfacl -m d:g::r-x,d:o:r-x "${file}" 2>/dev/null \
      && touch /etc/.1777fix
    done
  fi

That should be sufficiently safe.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
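
A dry run of the permission test proposed in the message, added here as an example that is not part of the original mail or of Cygwin's own scripts. It applies the same grep pattern to the /home ACL quoted above and to a constructed ACL with 777 inheritable defaults, and changes nothing; the function names are hypothetical.

```shell
# Same pattern as in the message: the base group or other default entry is rwx.
dangerous_defaults() { grep -E 'default:(group:|other):rwx'; }

# /home ACL as posted in the quoted message.
matt_home_acl() {
    cat <<'EOF'
# file: /home
# owner: Administrators
# group: Domain Users
user::rwx
group::---
group:SYSTEM:rwx
group:Users:r-x
group:Power Users:r-x
mask:rwx
other:r-x
default:user::rwx
default:user:Administrators:rwx
default:group::---
default:group:SYSTEM:rwx
default:group:Users:r-x
default:group:Power Users:r-x
default:mask:rwx
default:other:r-x
EOF
}

# Constructed sample: a 1777-style directory with 777 inheritable defaults.
setup_exe_acl() {
    cat <<'EOF'
user::rwx
group::rwx
other:rwx
default:user::rwx
default:group::rwx
default:other:rwx
EOF
}

# Prints "fix" if the setfacl step would run for this ACL, "keep" otherwise.
# $1 is the name of a function that emits getfacl-style text.
would_fix() {
    if "$1" | dangerous_defaults >/dev/null; then echo fix; else echo keep; fi
}

for acl in matt_home_acl setup_exe_acl; do
    printf '%s: %s\n' "$acl" "$(would_fix "$acl")"
done
```

The named-group entry `default:group:SYSTEM:rwx` does not match the pattern, so an ACL like the quoted /home one is left alone and its `default:group::---` is not loosened to `r-x`.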