[ITA] - base-files base-passwd

Andy Koppe andy.koppe@gmail.com
Fri Sep 17 20:44:00 GMT 2010


On 17 September 2010 15:50, Corinna Vinschen wrote:
>> 5 As stated in the referenced thread, there is no way to prevent attackers
>> from creating a user's home dir before she/he logs in the first time other
>> than disallowing anyone but the Administrator to do that.
>> If the proposed workaround (issuing a warning if $HOME already exists and
>> is owned by someone else) is considered enough, I'll include it.
>> I haven't thought of anything better than that.
>
> It's good enough for a start.  If we come up with a better solution,
> we can still change it, right?

I think there's little point in just adding a warning actually,
because that wouldn't stop prepared startup scripts in the user's fake
home from being sourced.

Also, there likely are some users whose home directory is owned by
someone else for innocuous reasons, e.g. because they themselves
created it when they were logged in as administrator. And of course
they wouldn't take kindly to a warning, and even less to a fatal
error.

If that sounds as if I don't know what should be done about this,
that's because I don't.

Andy
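
The ownership check discussed in this thread, as an added example that is not part of the original message or of base-files: it classifies a candidate home directory and gates the sourcing of startup files on the result rather than only warning. It assumes GNU stat and POSIX-mode ownership; home_status and may_source_startup are hypothetical names.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GNU stat (coreutils).

# home_status DIR UID: print one word describing DIR as a home for UID.
# A home created innocuously under an administrator account is reported
# as foreign-owner too, which is the false positive raised in the message.
home_status() {
    hs_dir=$1
    hs_uid=$2
    if [ -L "$hs_dir" ]; then
        echo symlink
    elif [ ! -d "$hs_dir" ]; then
        echo missing
    else
        hs_owner=$(stat -c %u "$hs_dir")
        hs_mode=$(stat -c %a "$hs_dir")      # octal digits, e.g. 700 or 1777
        hs_other=$((hs_mode % 10))
        hs_group=$((hs_mode / 10 % 10))
        if [ "$hs_owner" != "$hs_uid" ]; then
            echo foreign-owner
        elif [ $((hs_group & 2)) -ne 0 ] || [ $((hs_other & 2)) -ne 0 ]; then
            echo writable-by-others
        else
            echo ok
        fi
    fi
}

# may_source_startup DIR UID: succeed only when DIR is a plain directory
# owned by UID and not writable by group or others. A caller would skip
# the startup files in DIR when this fails, instead of warning and
# sourcing them anyway.
may_source_startup() {
    [ "$(home_status "$1" "$2")" = ok ]
}

# Constructed sample: a fresh private directory, checked for two uids.
demo=$(mktemp -d)
home_status "$demo" "$(id -u)"
home_status "$demo" 4294967294    # constructed uid that does not own it
rmdir "$demo"
```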


