base-passwd sets weird permissions

Corinna Vinschen corinna-cygwin@cygwin.com
Wed Apr 22 19:02:00 GMT 2009


Hi John,

I just realized that the passwd-grp.sh postinstall script in the
base-passwd package sets insecure permissions on /etc/passwd and
/etc/group.  Is there any good reason to chmod 777 these files?
I don't see any, especially not execute permission.

chmod 644 would be the correct setting, afaics.

We can also get rid of the sed calls to remove the line with :S-1-1-0:
from passwd and group.  These entries haven't been generated for many,
many years.

Last but not least, the file group should be set to the Administrators
group by default.

I would like to suggest the following patch:

--- passwd-grp.sh.ORIG	2009-04-22 20:44:42.521387200 +0200
+++ passwd-grp.sh	2009-04-22 20:59:04.167788000 +0200
@@ -1,24 +1,27 @@
 #!/bin/sh
 
+created_passwd=no
+created_group=no
+
 if [ ! -e /etc/passwd -a ! -L /etc/passwd ] ; then
   /bin/mkpasswd -l -c > /etc/passwd
-  /bin/chmod 777 /etc/passwd
+  /bin/chmod 644 /etc/passwd
+  created_passwd=yes
 fi
 
 if [ ! -e /etc/group -a ! -L /etc/group ] ; then
   /bin/mkgroup -l -c > /etc/group
-  /bin/chmod 777 /etc/group
+  /bin/chmod 644 /etc/group
+  created_group=yes
 fi
 
-cp -f /etc/passwd /tmp/passwd.mkpasswd && \
-( [ -w /etc/passwd ] || chmod --silent a+w /etc/passwd ; ) && \
-sed -e '/:S-1-1-0:/d' /tmp/passwd.mkpasswd > /etc/passwd && \
-chmod --silent --reference=/etc/group /etc/passwd
-rm -f /tmp/passwd.mkpasswd
-
-cp -f /etc/group /tmp/group.mkgroup && \
+cp -fp /etc/group /tmp/group.mkgroup && \
 ( [ -w /etc/group ] || chmod --silent a+w /etc/group ; ) && \
 echo "root:S-1-5-32-544:0:" > /etc/group && \
-sed -e '/:S-1-1-0:/d' -e '/root:S-1-5-32-544:0:/d' /tmp/group.mkgroup >> /etc/group && \
+sed -e '/root:S-1-5-32-544:0:/d' /tmp/group.mkgroup >> /etc/group && \
 chmod --silent --reference=/etc/passwd /etc/group
 rm -f /tmp/group.mkgroup
+
+# Deferred to be sure root group entry exists
+[ "$created_passwd" = "yes" ] && /bin/chgrp --silent root /etc/passwd
+[ "$created_group" = "yes"  ] && /bin/chgrp --silent root /etc/group
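Review bot: the new `chmod 644` calls sit inside the `[ ! -e ... -a ! -L ... ]` creation blocks, so an installation where /etc/passwd and /etc/group already exist with mode 777 from the old script keeps that mode. The retained `chmod --silent --reference=/etc/passwd /etc/group` then copies whatever mode passwd has onto the rewritten group file, and if the `&&` chain fails after `chmod --silent a+w /etc/group`, the group file is left world-writable. Consider clearing the excess bits unconditionally after the rewrite (for example `chmod --silent go-w,a-x` on both files) rather than only on creation. Separately, the script now ends with `[ "$created_group" = "yes"  ] && /bin/chgrp --silent root /etc/group`, which returns non-zero whenever /etc/group already existed, so the postinstall script exits with status 1 on every upgrade; an `if ... fi` form or a trailing `|| true` avoids reporting a failure that did not happen.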


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat


