Date: Tue, 22 Oct 2002 19:57:58 -0400
From: Christopher Faylor
To: cygwin-developers AT cygwin DOT com
Subject: Re: Avoiding /etc/passwd and /etc/group scans
Message-ID: <20021022235758.GP6429@redhat.com>
In-Reply-To: <3DB5C7B1.B87C8364@ieee.org>

On Tue, Oct 22, 2002 at 05:48:33PM -0400, Pierre A. Humblet wrote:
>Christopher Faylor wrote:
>>
>> Why would that matter?  If setting reasonable acls is going to hurt the
>> CYGWIN=nontsec case then that's not good either.
>
>Setting reasonable acls has no negative impact, neither with ntsec nor
>with nontsec. nontsec has two main effects;

I thought as much.  I didn't think that setup decisions were gated on
CYGWIN=ntsec being the default.

>1) It reports the modes blindly as 644, while making some effort about the
>x bits, *irrespective* of the Windows access rights.
>
>2) It always reports success on chown, chmod etc... while actually
>doing nothing (except sometimes setting the files readonly).

Right.  I wonder if we should have different levels of ntsec operation.
Would it make sense to recognize file permissions at ntsec=1, file
ownership at ntsec=3, and setuid at ntsec=4, or something like that?

>>>Here's a short term workaround, until we fix setup.exe.
>>>
>>>Add a .bat file as a postinstall script that scans the cygwin tree and
>>>sets executable rights to .exe and .dll files using the cacls command.
>>
>>If it is that simple, then sure. Pierre, is this doable?
>
>Surely yes if the user running setup is a member of the administrators
>group and the drive is local. Answer probably more complicated if he
>isn't in administrators or the files are on a network drive. You can
>use cygwin programs to do that, if they were extracted with x
>permission and ntsec is on.
>
>I am completely in the dark about what your ultimate goal is. Was
>there an earlier discussion?

I think the goal was to ensure that .exe files are always executable.

cgf