X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Message-ID: <48ADA260.3020901@cwilson.fastmail.fm>
Date: Thu, 21 Aug 2008 13:14:08 -0400
From: Charles Wilson <cygwin AT cwilson DOT fastmail DOT fm>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.16) Gecko/20080708 Thunderbird/2.0.0.16 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: [ANNOUNCEMENT] Updated: csih-0.1.7-1
References: <announce DOT 48A789B6 DOT 3010103 AT cwilson DOT fastmail DOT fm> <48A78C6F DOT 2050403 AT cwilson DOT fastmail DOT fm> <20080820134209 DOT GN29104 AT calimero DOT vinschen DOT de>
In-Reply-To: <20080820134209.GN29104@calimero.vinschen.de>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Corinna Vinschen wrote:
> I'm about to create a new openssh package for 1.7 with fixes along the
> lines of what you sent in your OP.
> 
> While I'm at it, I see that there's a bit of dual work in the
> csih-0.1.7 script and the ssh-host-config script:

So I was also trying to update my iu-config script to use the latest
csih, and ran into an interesting behavior, which leads to a question.

I did this:

# Create /etc/inet.d
csih_make_dir "${SYSCONFDIR}/inetd.d" "Cannot create directory for inetd
configuration files."
chmod 775 "${SYSCONFDIR}/inetd.d" >& /dev/null || /bin/true
setfacl -m u:system:rwx "${SYSCONFDIR}/inetd.d" >& /dev/null || /bin/true
csih_check_access "${SYSCONFDIR}/inetd.d" "rwxr.xr.x"

Which, when executed, resulted in
*** Warning: The owner and the Administrators need
*** Warning: to have rwxr.xr.x permission to /etc/inetd.d.
*** Warning: Here are the current permissions:
*** Warning: drwxrwxr-x+ 2 Administrator Users 0 May  2 20:21 /etc/inetd.d
*** Warning: Please change the user and/or group ownership and
*** Warning: permissions of /etc/inetd.d.


Now, "drwxrwxr-x+" matches the specified regex "rwxr.xr.x" (after
csih_check_access prepends "^.").  The warning is triggered by:

(some test succees, but):
    # There exists an extended ACL entry for the Administrators group, with
    # the desired permissions. However, extended ACL entries are masked by
    # the chmod bits for other, so we have to check that 'other' ALSO has at
    # least the desired permissions. Otherwise, notify.
    [ -z "$(echo "$ls_result" | sed -n /^......."$perm"/p)" ] && notify=1
  fi

There are actually two questions: (a) should csih_check_access be
checking that the Administrators group has the desired access?, and (b)
are extended ACLs *actually* masked by the "other" bits?

--
Chuck

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/