On Feb 29 13:36, Matt Seitz (matseitz) wrote:
> "Corinna Vinschen" wrote:
> > setfacl -m d:g::r-x,d:o:r-x /home /tmp /usr/tmp /var/log /var/run /var/tmp 2>/dev/null
>
> Will that cause problems if I have:
>
> $ mount | grep home
> C:/Documents and Settings on /home type ntfs (binary)
> $ getfacl /home
> # file: /home
> # owner: Administrators
> # group: Domain Users
> user::rwx
> group::---
> group:SYSTEM:rwx
> group:Users:r-x
> group:Power Users:r-x
> mask:rwx
> other:r-x
> default:user::rwx
> default:user:Administrators:rwx
> default:group::---
> default:group:SYSTEM:rwx
> default:group:Users:r-x
> default:group:Power Users:r-x
> default:mask:rwx
> default:other:r-x
> $

I don't know if that's a problem for you, but it would change the
settings to

  $ getfacl /home
  [...]
  default:group::r-x    <---
  [...]
  $

Maybe it's better if the code tests the permissions first, along these
lines:

  # Fix a problem introduced by older versions of setup.exe
  # Directories with 1777 permissions were erroneously created
  # with 777 inheritable default permissions.  This is a security
  # problem for non-Cygwin apps using these folders.  This is
  # especially tragic in case of /tmp.
  if [ ! -f /etc/.1777fix ]
  then
    for file in /home /tmp /usr/tmp /var/log /var/run
    do
      # We test if the default group or other permissions are rwx.
      # If so, it's dangerous and highly likely that these are still
      # the permissions set by setup.exe
      getfacl "${file}" | grep -Eq 'default:(group:|other):rwx' \
      && setfacl -m d:g::r-x,d:o:r-x "${file}" 2>/dev/null \
      && touch /etc/.1777fix
    done
  fi

That should be sufficiently safe.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
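
The test-before-fix idea from the message above, carried one step further as an added example (not part of the original message or of the Cygwin scripts): it builds the setfacl spec from only the default owning-group/other entries that are actually rwx, so a directory with default:group::--- but default:other:rwx has only its other entry tightened. The function names and the ACL_* sample listings are hypothetical and constructed for illustration.

```sh
# Added example; needed_acl_fix, fix_default_acl and the ACL_* samples are
# hypothetical names, not part of the script in the message above.

# Read getfacl output on stdin and print a setfacl -m spec that tightens only
# the default owning-group/other entries that are rwx. Named entries such as
# default:group:SYSTEM:rwx are ignored. Returns 1 if nothing needs fixing.
needed_acl_fix() {
  awk -F: '
    { sub(/[ \t]*#.*$/, "") }   # drop comment lines and "#effective:" suffixes
    $1 == "default" && $2 == "group" && $3 == "" && $4 == "rwx" { g = 1 }
    # Cygwin prints default:other:rwx, Linux getfacl prints default:other::rwx
    $1 == "default" && $2 == "other" && ($3 == "rwx" || $4 == "rwx") { o = 1 }
    END {
      spec = g ? "d:g::r-x" : ""
      if (o) spec = spec (spec == "" ? "" : ",") "d:o:r-x"
      if (spec == "") exit 1
      print spec
    }'
}

# Apply the minimal fix to one directory; a no-op when the ACL is already safe.
fix_default_acl() {
  spec=$(getfacl "$1" 2>/dev/null | needed_acl_fix) || return 0
  setfacl -m "$spec" "$1"
}

# Constructed sample: 777 default entries as left by the old setup.exe.
ACL_BROKEN='default:user::rwx
default:group::rwx
default:other:rwx'

# Constructed sample: default entries from the /home listing quoted above.
ACL_CUSTOM='default:user::rwx
default:user:Administrators:rwx
default:group::---
default:group:SYSTEM:rwx
default:group:Users:r-x
default:group:Power Users:r-x
default:mask:rwx
default:other:r-x'

# Constructed sample: restrictive owning group but rwx for other.
ACL_MIXED='default:user::rwx
default:group::---
default:other:rwx'
```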