CSIH file permission tests on non-NTFS broken (was Re: ssh-host-config script fails)

Charles Wilson cygwin@cwilson.fastmail.fm
Thu Jul 31 04:54:00 GMT 2008 

Corinna Vinschen wrote:
>> On Jul 23 18:34, Corinna Vinschen wrote:
>>> On Jul 23 11:25, Matt Kemmerer wrote:
>>>> Administrator@ics-dp35xppro ~
>>>> $ ssh-host-config
>>>> *** Warning: The owner and the Administrators need
>>>> *** Warning: to have .w. permission to /var/run.
>>>> *** Warning: Here are the current permissions:
>>>> *** Warning: drwxr-xr-x 2 Administrator None 0 Jul 23 10:21 /var/run
>>>> *** Warning: Please change the user and/or group ownership and
>>>> *** Warning: permissions of /var/run.
>>>> *** ERROR: Problem with /var/run directory. Exiting.

>>> Eeek!  You're using FAT32 on a NT based OS?  This isn't such a good
>>> idea, actually.  There's no security and no permission settings on FAT.
>>> The csih script seems to miss the fact that the directory is on a
>>> non-NTFS drive which isn't capable of setting permissions.  Given that
>>> you're installing ssh, which is a paranoid secure playing package,
>>> that's actually a good idea.  Ever thought of running convert.exe on
>>> your drive? ;) 
>>>
>>> Nevertheless that should be changed in csih.
>> Could you have a look into this, please?

I'm not sure what you think csih should do, here.  The whole point is 
that we know services require certain things of the system directories, 
or they won't work.  Are you suggesting that csih just ignore that, and 
pretend to correctly install sshd on a FAT32 system?

Only to have sshd itself fail for some hard-for-a-newbie-to-diagnose reason?

Perhaps, rather than checking:
    # daemons need access to subdirs, so need traverse permissions...
    if ! csih_check_dir_perms "${LOCALSTATEDIR}" d..x..x..x ; then ERROR

    # daemons need write access to /var/run to create pid file
    if ! csih_check_access "${LOCALSTATEDIR}/run" .w. ; then ERROR

    # daemons need write access to /var/log if they do their own logging
    if ! csih_check_access "${LOCALSTATEDIR}/log" .w. ; then ERROR

    # daemons need access to /var/empty for chrooting
    if ! csih_check_access "${LOCALSTATEDIR}/empty" r.x ; then ERROR

in _csih_setup() (which is called by the main csih entry points), those 
permission checks could be delegated to the foo_install scripts which 
know more about their own specific requirements, rather than the fairly 
general requirements above?

Or are you saying that csih should still perform those general checks, 
but first:
    if the drive on which ${LOCALSTATEDIR} lives is
      (1) FAT32
      (2) nontsec
      (3) on a server and nosmbntsec
    then issue a big fat warning, and in that case skip the
    permissions tests? What about 1.7 and the acl flag?

ASIDE:
    csih_check_basic_mounts
    csih_check_sys_mount
might need to be revisited for 1.7


FYI, the other changes to csih that you requested are actually rather 
more involved than you would suspect.  I've worked on it a bit, but 
haven't been able to test it yet.  Stay tuned.

--
Chuck

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

More information about the Cygwin mailing list