On Mar 2 04:59, Eric Blake wrote:
> On 03/02/2012 03:46 AM, Corinna Vinschen wrote:
> > /etc/profile.d/1777fix.sh:
> >
> > #!/bin/bash
>
> As long as we're requiring bash,...
> [...]
> > if getfacl "${file}" | grep -Eq 'default:(group:|other):rwx'
>
> Is it worth converting this to case/esac for one fewer child process?
>
> > then
> > cnt=$(expr $cnt + 1)
>
> ...this should be written cnt=$((cnt + 1))
>
> > setfacl -m d:g::r-x,d:o:r-x "${file}" 2>/dev/null \
> > && success=$(expr $success + 1)
>
> and this as success=$((success + 1))
>
> > fi
> > done
> > # If no file needed treatment, or if all setfacl calls succeeded,
> > # create the
>
> Incomplete comment.
>
> > [ $cnt -eq $success ] && touch "${GUARDFILE}"
> > fi
Thanks for the review. Like this?
#!/bin/bash
# Fix a problem introduced by older versions of setup.exe
# Directories with 1777 permissions were erroneously created
# with 777 inheritable default permissions. This is a security
# problem for non-Cygwin apps using these folders. This is
# especially tragic in case of /tmp.
GUARDFILE="/etc/.1777fix"
DIRLIST="/home /tmp /usr/tmp /var/log /var/run"
if [ ! -f "${GUARDFILE}" ]
then
cnt=0
success=0
for file in ${DIRLIST}
do
# We test if the default group or other permissions are rwx.
# If so, it's dangerous and highly likely that these are still
# the permissions set by setup.exe
case $(getfacl "${file}") in
*default:group::rwx* | *default:other:rwx* )
cnt=$(($cnt + 1))
setfacl -m d:g::r-x,d:o:r-x "${file}" 2>/dev/null \
&& success=$(($success + 1))
;;
esac
done
# If no file needed treatment, or if all setfacl calls succeeded,
# create the guard file.
[ $cnt -eq $success ] && touch "${GUARDFILE}"
fi
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
