This is the mail archive of the cygwin-apps mailing list for the Cygwin project.



Re: [ITA] - base-files base-passwd


On 17 September 2010 15:50, Corinna Vinschen wrote:
>> 5 As stated in the referenced thread, there is no way to prevent attackers
>> from creating a user's home dir before she/he logs in the first time other than
>> disallowing anyone but the Administrator to do that.
>> If the proposed workaround (issuing a warning if $HOME already exists and
>> is owned by someone else) is considered enough, I'll include it.
>> I haven't thought of anything better than that.
>
> It's good enough for a start.  If we come up with a better solution,
> we can still change it, right?

I think there's little point in just adding a warning actually,
because that wouldn't stop prepared startup scripts in the user's fake
home from being sourced.

Also, there likely are some users whose home directory is owned by
someone else for innocuous reasons, e.g. because they themselves
created it when they were logged in as administrator. And of course
they wouldn't take kindly to a warning, and even less to a fatal
error.

If that sounds as if I don't know what should be done about this,
that's because I don't.

Andy
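
The ownership check discussed in this thread, as an added example that is not part of the original message or of base-files: a POSIX shell helper that classifies a home directory and its startup files and returns a status instead of aborting, so a home created by an administrator can be handled by policy rather than a fatal error. The function names and status strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from base-files): classify a home directory before a
# login script decides whether to trust the startup files inside it.

# home_trust_status DIR -> prints one of:
#   missing            DIR does not exist (we can create it ourselves)
#   foreign-owner      DIR exists but belongs to another uid
#   writable-by-others DIR is ours but group/other may add or replace files
#   ok                 DIR is ours and only we can write to it
home_trust_status() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 0; }
    # find -H resolves a symlinked DIR; -prune keeps it from descending.
    # Both tests are positive matches, so a find failure reads as untrusted.
    mine=$(find -H "$dir" -prune -user "$(id -u)" 2>/dev/null)
    [ -n "$mine" ] || { echo foreign-owner; return 0; }
    tight=$(find -H "$dir" -prune ! -perm -020 ! -perm -002 2>/dev/null)
    [ -n "$tight" ] || { echo writable-by-others; return 0; }
    echo ok
}

# startup_file_trusted FILE -> exit 0 only if FILE is a regular file owned by
# the current uid and not writable by group or other.
startup_file_trusted() {
    [ -f "$1" ] || return 1
    hit=$(find -H "$1" -prune -user "$(id -u)" \
              ! -perm -020 ! -perm -002 2>/dev/null)
    [ -n "$hit" ]
}

# Hypothetical use in a profile script: report the state and let the caller
# decide between warning, refusing to source files, or continuing.
report_home() {
    st=$(home_trust_status "$1")
    case $st in
        ok|missing) return 0 ;;
        *) echo "warning: $1 is $st" >&2; return 1 ;;
    esac
}
```

A pre-created home that someone else owns shows up as `foreign-owner` whether the reason is hostile or innocuous, which is the ambiguity raised above; checking each startup file separately is what lets a caller skip files it does not own instead of only printing a warning.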

