X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Fri, 2 Mar 2012 13:41:03 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: base-files: New files to fix permission issues (was Re: 1.7.10/1.7.11: .Net programs started from a cygwin console may fail.)
Message-ID: <20120302124103.GB3795@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <70952A932255A2489522275A628B97C3129F49F7 AT xmb-sjc-233 DOT amer DOT cisco DOT com> <20120301100820 DOT GC2257 AT calimero DOT vinschen DOT de> <20120302104605 DOT GF14404 AT calimero DOT vinschen DOT de> <4F50B62E DOT 5090201 AT redhat DOT com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <4F50B62E.5090201@redhat.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Mar  2 04:59, Eric Blake wrote:
> On 03/02/2012 03:46 AM, Corinna Vinschen wrote:
> > /etc/profile.d/1777fix.sh:
> > 
> >   #!/bin/bash
> 
> As long as we're requiring bash,...
> [...]
> >       if getfacl "${file}" | grep -Eq 'default:(group:|other):rwx'
> 
> Is it worth converting this to case/esac for one fewer child process?
> 
> >       then
> > 	cnt=$(expr $cnt + 1)
> 
> ...this should be written cnt=$((cnt + 1))
> 
> > 	setfacl -m d:g::r-x,d:o:r-x "${file}" 2>/dev/null \
> > 	&& success=$(expr $success + 1)
> 
> and this as success=$((success + 1))
> 
> >       fi
> >     done
> >     # If no file needed treatment, or if all setfacl calls succeeded,
> >     # create the
> 
> Incomplete comment.
> 
> >     [ $cnt -eq  $success ] && touch "${GUARDFILE}"
> >   fi

Thanks for the review.  Like this?

  #!/bin/bash
  # Fix a problem introduced by older versions of setup.exe
  # Directories with 1777 permissions were erroneously created
  # with 777 inheritable default permissions.  This is a security
  # problem for non-Cygwin apps using these folders.  This is
  # especially tragic in case of /tmp.

  GUARDFILE="/etc/.1777fix"
  DIRLIST="/home /tmp /usr/tmp /var/log /var/run"

  if [ ! -f "${GUARDFILE}" ]
  then
    cnt=0
    success=0
    for file in ${DIRLIST}
    do
      # We test if the default group or other permissions are rwx.
      # If so, it's dangerous and highly likely that these are still
      # the permissions set by setup.exe
      case $(getfacl "${file}") in
      *default:group::rwx* | *default:other:rwx* )
	cnt=$(($cnt + 1))
	setfacl -m d:g::r-x,d:o:r-x "${file}" 2>/dev/null \
	&& success=$(($success + 1))
	;;
      esac
    done
    # If no file needed treatment, or if all setfacl calls succeeded,
    # create the guard file.
    [ $cnt -eq  $success ] && touch "${GUARDFILE}"
  fi


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple