[patch/cygwin]: Remove setting extra permissions on system directories
Damien Miller
djm at mindrot.org
Wed Sep 3 05:35:45 EST 2014
applied - thanks
On Fri, 29 Aug 2014, Corinna Vinschen wrote:
> On Aug 29 23:25, Corinna Vinschen wrote:
> > Hi,
> >
> > please consider the below patch for OpenSSH 6.7. A fix in POSIX ACL
> > handling in Cygwin turned up this rather old code in the ssh-host-config
> > script. It opens the permissions for some directories, especially
> > /var/empty, for the "system" user for no good reason.
> >
> > This results in sshd refusing to start because the permissions on
> > /var/empty are too open.
> >
> > The below patch fixes that by dropping the code adding an ACL entry
> > for the "system" user.
>
> Actually, please disregard the previous patch and use the below one.
> The script really shows its age. It tries to create directories which
> for a long time now have been installed with correct permissions by the
> base installation already.
>
> The only directory the script really has to care for is /var/empty.
>
> New patch below.
>
>
> Thanks,
> Corinna
>
>
> Index: contrib/cygwin/ssh-host-config
> ===================================================================
> RCS file: /cvs/openssh/contrib/cygwin/ssh-host-config,v
> retrieving revision 1.35
> diff -u -p -r1.35 ssh-host-config
> --- contrib/cygwin/ssh-host-config 27 May 2014 04:31:59 -0000 1.35
> +++ contrib/cygwin/ssh-host-config 29 Aug 2014 21:34:00 -0000
> @@ -37,7 +37,6 @@ declare -a csih_required_commands=(
> /usr/bin/mkpasswd cygwin
> /usr/bin/mount cygwin
> /usr/bin/ps cygwin
> - /usr/bin/setfacl cygwin
> /usr/bin/umount cygwin
> /usr/bin/cmp diffutils
> /usr/bin/grep grep
> @@ -651,32 +650,6 @@ echo
>
> warning_cnt=0
>
> -# Check for ${SYSCONFDIR} directory
> -csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
> -if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
> -then
> - csih_warning "Can't set permissions on ${SYSCONFDIR}!"
> - let ++warning_cnt
> -fi
> -if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
> -then
> - csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
> - let ++warning_cnt
> -fi
> -
> -# Check for /var/log directory
> -csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
> -if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
> -then
> - csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
> - let ++warning_cnt
> -fi
> -if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
> -then
> - csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
> - let ++warning_cnt
> -fi
> -
> # Create /var/log/lastlog if not already exists
> if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
> then
> @@ -699,11 +672,6 @@ csih_make_dir "${LOCALSTATEDIR}/empty" "
> if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
> then
> csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
> - let ++warning_cnt
> -fi
> -if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
> -then
> - csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
> let ++warning_cnt
> fi
>
> --
> Corinna Vinschen
> Cygwin Maintainer
> Red Hat
>