This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [ANNOUNCEMENT] Updated: csih-0.1.7-1


On Aug 21 13:14, Charles Wilson wrote:
> Corinna Vinschen wrote:
> > I'm about to create a new openssh package for 1.7 with fixes along the
> > lines of what you sent in your OP.
> > 
> > While I'm at it, I see that there's a bit of dual work in the
> > csih-0.1.7 script and the ssh-host-config script:
> 
> So I was also trying to update my iu-config script to use the latest
> csih, and ran into an interesting behavior, which leads to a question.
> [...]
> *** Warning: The owner and the Administrators need
> *** Warning: to have rwxr.xr.x permission to /etc/inetd.d.
> *** Warning: Here are the current permissions:
> *** Warning: drwxrwxr-x+ 2 Administrator Users 0 May  2 20:21 /etc/inetd.d
> *** Warning: Please change the user and/or group ownership and
> *** Warning: permissions of /etc/inetd.d.
> 
> Now, "drwxrwxr-x+" matches the specified regex "rwxr.xr.x" (after
> csih_check_access prepends "^.").  The warning is triggered by:
> 
> (some test succees, but):
>     # There exists an extended ACL entry for the Administrators group, with
>     # the desired permissions. However, extended ACL entries are masked by
>     # the chmod bits for other, so we have to check that 'other' ALSO has at
>     # least the desired permissions. Otherwise, notify.
>     [ -z "$(echo "$ls_result" | sed -n /^......."$perm"/p)" ] && notify=1
>   fi
> 
> There are actually two questions: (a) should csih_check_access be
> checking that the Administrators group has the desired access?, and (b)
> are extended ACLs *actually* masked by the "other" bits?

a) Actually, since all file access is using backup privileges,
   administrators typically have access anyway.  But we don't know if
   admins on a given installation actually *have* backup privileges,
   given that you can remove them from any account.  So, I think the
   test makes still sense, sort of.  From a educational perspective at
   least :)

b) No.  ACCESS_ALLOW_ACEs permissions in the DACL are additive.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]