This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: base-files: New files to fix permission issues (was Re: 1.7.10/1.7.11: .Net programs started from a cygwin console may fail.)


On 03/02/2012 03:46 AM, Corinna Vinschen wrote:
> On Mar  1 11:08, Corinna Vinschen wrote:
>>   # Fix a problem introduced by older versions of setup.exe
>>   [...]
> 
> David, ping?  Can we add the below two files to base-files asap and
> remove the tmp/temp workaround, please?
> 
> /etc/profile.d/1777fix.csh:
> 
>   #!/bin/tcsh
>   # Fix a problem introduced by older versions of setup.exe
>   # Read comments in /etc/profile.d/1777fix.sh for more information.
>   set GUARDFILE = "/etc/.1777fix"
>   if ( ! -f "${GUARDFILE}" ) then
>     /bin/bash /etc/profile.d/1777fix.sh
>   endif
> 
> /etc/profile.d/1777fix.sh:
> 
>   #!/bin/bash

As long as we're requiring bash,...

>   # Fix a problem introduced by older versions of setup.exe
>   # Directories with 1777 permissions were erroneously created
>   # with 777 inheritable default permissions.  This is a security
>   # problem for non-Cygwin apps using these folders.  This is
>   # especially tragic in case of /tmp.
>   GUARDFILE="/etc/.1777fix"
>   DIRLIST="/home /tmp /usr/tmp /var/log /var/run"
>   if [ ! -f "${GUARDFILE}" ]
>   then
>     cnt=0
>     success=0
>     for file in ${DIRLIST}
>     do
>       # We test if the default group or other permissions are rwx.
>       # If so, it's dangerous and highly likely that these are still
>       # the permissions set by setup.exe
>       if getfacl "${file}" | grep -Eq 'default:(group:|other):rwx'

Is it worth converting this to case/esac for one fewer child process?

>       then
> 	cnt=$(expr $cnt + 1)

...this should be written cnt=$((cnt + 1))

> 	setfacl -m d:g::r-x,d:o:r-x "${file}" 2>/dev/null \
> 	&& success=$(expr $success + 1)

and this as success=$((success + 1))

>       fi
>     done
>     # If no file needed treatment, or if all setfacl calls succeeded,
>     # create the

Incomplete comment.

>     [ $cnt -eq  $success ] && touch "${GUARDFILE}"
>   fi
> 
> 
> Thanks,
> Corinna
> 

-- 
Eric Blake   eblake@redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

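The two review suggestions above (a `case` pattern match in place of the `getfacl | grep` pipeline, and `$((...))` in place of `expr`), shown as an added example that is not part of the original message or of the base-files package. The `GETFACL` override and the `sample_getfacl` stub with its constructed output are assumptions so that it runs without real ACLs; the check only reports and never calls `setfacl`.

```shell
#!/bin/sh
# Added example; not from the thread or the base-files package.

# Succeed if getfacl output ($1) has a default group/other entry of rwx.
# Same entries as the grep -E pattern in the quoted script, plus the
# two-colon "default:other::rwx" spelling that Linux getfacl prints.
has_open_default_acl() {
  case "$1" in
    *default:group::rwx*|*default:other:rwx*|*default:other::rwx*) return 0 ;;
  esac
  return 1
}

# Print how many of the given directories still have open default ACLs;
# offending paths go to stderr. Read-only: nothing is changed, and a
# directory whose ACL cannot be read is skipped.
# GETFACL may name a replacement command (assumption, used for testing).
count_open_defaults() {
  cod_cnt=0
  for cod_dir in "$@"; do
    cod_acl=$("${GETFACL:-getfacl}" "$cod_dir" 2>/dev/null) || continue
    if has_open_default_acl "$cod_acl"; then
      echo "open default ACL: $cod_dir" >&2
      cod_cnt=$((cod_cnt + 1))
    fi
  done
  echo "$cod_cnt"
}

# Constructed stand-in for getfacl so the example runs anywhere.
sample_getfacl() {
  printf '# file: %s\nuser::rwx\ngroup::rwx\nother:rwx\n' "$1"
  case "$1" in
    /tmp)     printf 'default:user::rwx\ndefault:group::rwx\ndefault:other:rwx\n' ;;
    /var/log) printf 'default:user::rwx\ndefault:group::r-x\ndefault:other:r-x\n' ;;
    /usr/tmp) printf 'default:user::rwx\ndefault:group::r-x\ndefault:other::rwx\n' ;;
    /home)    ;;  # no default entries at all
  esac
}

GETFACL=sample_getfacl
count_open_defaults /home /tmp /usr/tmp /var/log   # prints 2
```
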