From: Eric Blake
Date: Fri, 02 Mar 2012 04:59:42 -0700
To: cygwin AT cygwin DOT com
Subject: Re: base-files: New files to fix permission issues (was Re: 1.7.10/1.7.11: .Net programs started from a cygwin console may fail.)

On 03/02/2012 03:46 AM, Corinna Vinschen wrote:
> On Mar  1 11:08, Corinna Vinschen wrote:
>> # Fix a problem introduced by older versions of setup.exe
>> [...]
>
> David, ping?  Can we add the below two files to base-files asap and
> remove the tmp/temp workaround, please?
>
> /etc/profile.d/1777fix.csh:
>
>   #!/bin/tcsh
>   # Fix a problem introduced by older versions of setup.exe
>   # Read comments in /etc/profile.d/1777fix.sh for more information.
>   set GUARDFILE = "/etc/.1777fix"
>   if ( ! -f "${GUARDFILE}" ) then
>     /bin/bash /etc/profile.d/1777fix.sh
>   endif
>
> /etc/profile.d/1777fix.sh:
>
>   #!/bin/bash

As long as we're requiring bash,...

>   # Fix a problem introduced by older versions of setup.exe
>   # Directories with 1777 permissions were erroneously created
>   # with 777 inheritable default permissions.  This is a security
>   # problem for non-Cygwin apps using these folders.  This is
>   # especially tragic in case of /tmp.
>   GUARDFILE="/etc/.1777fix"
>   DIRLIST="/home /tmp /usr/tmp /var/log /var/run"
>   if [ ! -f "${GUARDFILE}" ]
>   then
>     cnt=0
>     success=0
>     for file in ${DIRLIST}
>     do
>       # We test if the default group or other permissions are rwx.
>       # If so, it's dangerous and highly likely that these are still
>       # the permissions set by setup.exe
>       if getfacl "${file}" | grep -Eq 'default:(group:|other):rwx'

Is it worth converting this to case/esac for one fewer child process?

>       then
>         cnt=$(expr $cnt + 1)

...this should be written cnt=$((cnt + 1))

>         setfacl -m d:g::r-x,d:o:r-x "${file}" 2>/dev/null \
>           && success=$(expr $success + 1)

and this as success=$((success + 1))

>       fi
>     done
>     # If no file needed treatment, or if all setfacl calls succeeded,
>     # create the Incomplete comment.
>     [ $cnt -eq $success ] && touch "${GUARDFILE}"
>   fi
>
>
> Thanks,
> Corinna
>

--
Eric Blake   eblake AT redhat DOT com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
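
The case/esac and $((...)) forms suggested in the reply above, as an added example that is not part of the original message or of base-files. The function names and the sample getfacl outputs are constructed; the output format (double colon for group, single colon for other) is assumed from the grep pattern in the quoted script.

```shell
#!/bin/sh
# needs_fix ACL_TEXT
# Succeeds when the getfacl output passed in $1 has a default group or
# default other entry of rwx. Same match as
#   grep -Eq 'default:(group:|other):rwx'
# but done by the shell's own pattern matching, so no grep is forked.
needs_fix() {
    case $1 in
        *default:group::rwx* | *default:other:rwx*) return 0 ;;
    esac
    return 1
}

# Constructed getfacl outputs (assumed format, not captured from a system).
ACL_OPEN='# file: /tmp
user::rwx
group::rwx
other:rwx
default:user::rwx
default:group::rwx
default:other:rwx'

ACL_FIXED='# file: /tmp
user::rwx
group::rwx
other:rwx
default:user::rwx
default:group::r-x
default:other:r-x'

# A named-group rwx entry is not matched, exactly as with the grep pattern.
ACL_NAMED='# file: /home
default:user::rwx
default:group::r-x
default:group:Users:rwx
default:other:r-x'

# count_open ACL_TEXT...
# Prints how many of the given ACL listings still need the fix,
# using shell arithmetic instead of forking expr.
count_open() {
    cnt=0
    for acl in "$@"; do
        if needs_fix "$acl"; then
            cnt=$((cnt + 1))
        fi
    done
    echo "$cnt"
}

count_open "$ACL_OPEN" "$ACL_FIXED" "$ACL_NAMED"   # prints 1
```

In the real script the text would come from `acl=$(getfacl "${file}")`, which still forks getfacl but drops the grep child.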