[patch/cygwin]: Remove setting extra permissions on system directories
Corinna Vinschen
vinschen at redhat.com
Sat Aug 30 07:36:10 EST 2014
On Aug 29 23:25, Corinna Vinschen wrote:
> Hi,
>
> please consider the below patch for OpenSSH 6.7. A fix in POSIX ACL
> handling in Cygwin turned up this rather old code in the ssh-host-config
> script. It opens the permissions for some directories, especially
> /var/empty, for the "system" user for no good reason.
>
> This results in sshd refusing to start because the permissions on
> /var/empty are too open.
>
> The below patch fixes that by dropping the code adding an ACL entry
> for the "system" user.
Actually, please disregard the previous patch and use the below one.
The script really shows its age. It tries to create directories which
for a long time now have been installed with correct permissions by the
base installation already.
The only directory the script really has to care for is /var/empty.
New patch below.
Thanks,
Corinna
Index: contrib/cygwin/ssh-host-config
===================================================================
RCS file: /cvs/openssh/contrib/cygwin/ssh-host-config,v
retrieving revision 1.35
diff -u -p -r1.35 ssh-host-config
--- contrib/cygwin/ssh-host-config 27 May 2014 04:31:59 -0000 1.35
+++ contrib/cygwin/ssh-host-config 29 Aug 2014 21:34:00 -0000
@@ -37,7 +37,6 @@ declare -a csih_required_commands=(
/usr/bin/mkpasswd cygwin
/usr/bin/mount cygwin
/usr/bin/ps cygwin
- /usr/bin/setfacl cygwin
/usr/bin/umount cygwin
/usr/bin/cmp diffutils
/usr/bin/grep grep
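Review bot: dropping "/usr/bin/setfacl cygwin" from csih_required_commands is only safe if no setfacl call is left anywhere in ssh-host-config. The hunks in this patch remove three calls, but the rest of the script is not visible here, so please confirm with a grep over the file that none remain. If one does, the script would now reach it without the up-front availability check.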
@@ -651,32 +650,6 @@ echo
warning_cnt=0
-# Check for ${SYSCONFDIR} directory
-csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
-if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
-then
- csih_warning "Can't set permissions on ${SYSCONFDIR}!"
- let ++warning_cnt
-fi
-if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
-then
- csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
- let ++warning_cnt
-fi
-
-# Check for /var/log directory
-csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
-if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
-then
- csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
- let ++warning_cnt
-fi
-if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
-then
- csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
- let ++warning_cnt
-fi
-
# Create /var/log/lastlog if not already exists
if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
then
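Review bot: the lastlog block that follows the removed lines still works on ${LOCALSTATEDIR}/log/lastlog, but with the csih_make_dir calls gone nothing in this region verifies that ${LOCALSTATEDIR}/log or ${SYSCONFDIR} exist. Relying on the base installation is reasonable, but the assumption should be documented in a comment at this spot, or backed by a cheap directory test that warns and bumps warning_cnt, so that a damaged installation produces a clear message instead of a later failure. Note also that the removed "chmod 775" calls used to reset the mode on every run; after this change a directory whose permissions were altered locally is left as is, which is worth stating in the commit message.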
@@ -699,11 +672,6 @@ csih_make_dir "${LOCALSTATEDIR}/empty" "
if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
then
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
- let ++warning_cnt
-fi
-if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
-then
- csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
let ++warning_cnt
fi
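Review bot: this hunk stops adding the "u:system:rwx" entry to ${LOCALSTATEDIR}/empty, but installations configured by an earlier version of the script already carry it, and nothing visible here removes it. Since the report says sshd refuses to start when /var/empty is too open, please confirm that the remaining "chmod 755" is enough to neutralize an existing entry on re-run, or add an explicit cleanup step for upgrades. A short comment above the chmod explaining why no extended ACL is set would also keep the entry from being reintroduced later.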
--
Corinna Vinschen
Cygwin Maintainer
Red Hat