This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
base-passwd sets weird permissions
- From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
- To: cygwin-apps at cygwin dot com
- Cc: John Morrison <john at morrison dot mine dot nu>
- Date: Wed, 22 Apr 2009 21:02:01 +0200
- Subject: base-passwd sets weird permissions
- Reply-to: cygwin-apps at cygwin dot com
Hi John,
I just realized that the passwd-grp.sh postinstall script in the
base-passwd package sets insecure permissions on /etc/passwd and
/etc/group. Is there any good reason to chmod 777 these files?
I don't see any, especially not execute permission.
chmod 644 would be the correct setting, afaics.
We can also get rid of the sed calls to remove the line with :S-1-1-0:
from passwd and group. These entries haven't been generated for many, many
years.
Last but not least, the file group should be set to the Administrators
group by default.
I would like to suggest the following patch:
--- passwd-grp.sh.ORIG 2009-04-22 20:44:42.521387200 +0200
+++ passwd-grp.sh 2009-04-22 20:59:04.167788000 +0200
@@ -1,24 +1,27 @@
#!/bin/sh
+created_passwd=no
+created_group=no
+
if [ ! -e /etc/passwd -a ! -L /etc/passwd ] ; then
/bin/mkpasswd -l -c > /etc/passwd
- /bin/chmod 777 /etc/passwd
+ /bin/chmod 644 /etc/passwd
+ created_passwd=yes
fi
if [ ! -e /etc/group -a ! -L /etc/group ] ; then
/bin/mkgroup -l -c > /etc/group
- /bin/chmod 777 /etc/group
+ /bin/chmod 644 /etc/group
+ created_group=yes
fi
-cp -f /etc/passwd /tmp/passwd.mkpasswd && \
-( [ -w /etc/passwd ] || chmod --silent a+w /etc/passwd ; ) && \
-sed -e '/:S-1-1-0:/d' /tmp/passwd.mkpasswd > /etc/passwd && \
-chmod --silent --reference=/etc/group /etc/passwd
-rm -f /tmp/passwd.mkpasswd
-
-cp -f /etc/group /tmp/group.mkgroup && \
+cp -fp /etc/group /tmp/group.mkgroup && \
( [ -w /etc/group ] || chmod --silent a+w /etc/group ; ) && \
echo "root:S-1-5-32-544:0:" > /etc/group && \
-sed -e '/:S-1-1-0:/d' -e '/root:S-1-5-32-544:0:/d' /tmp/group.mkgroup >> /etc/group && \
+sed -e '/root:S-1-5-32-544:0:/d' /tmp/group.mkgroup >> /etc/group && \
chmod --silent --reference=/etc/passwd /etc/group
rm -f /tmp/group.mkgroup
+
+# Deferred to be sure root group entry exists
+[ "$created_passwd" = "yes" ] && /bin/chgrp --silent root /etc/passwd
+[ "$created_group" = "yes" ] && /bin/chgrp --silent root /etc/group
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat