/home security problem

Andy Koppe andy.koppe@gmail.com
Thu Sep 2 21:22:00 GMT 2010

Following the recent reports about permission problems, I did a fresh
test install as an administrator and then poked around as an ordinary
user trying to write or delete stuff that I shouldn't be able to. I
didn't find anything untoward, except for the following issue.

The /home directory has rwxrwxrwt rights. This allows anyone to create
directories and files in /home, but due to the 'sticky' bit
represented by the 't' at the end, only directory/file owners can
delete them. So this allows /etc/profile to create a user's home
directory, without allowing users to remove other users' home

Trouble is, users can create directories with any name in /home,
including directories with the name of another user who hasn't yet
logged in. When that user eventually does log in, (s)he'll end up with
a home directory owned by someone else. This even works for
administrators, i.e. I ended up being able as an ordinary user to
delete files in an administrator's home directory.

I've got no idea how to fix that short of changing the /home
permissions to 775 and hence requiring an administrator to create any
home directories (which of course is what happens on Linux).


More information about the Cygwin-developers mailing list