public inbox for cygwin@cygwin.com
* cygwin 1.7.35 reads file permissions differently, affects fetchmail
@ 2015-03-23  9:11 Martin Koeppe
  2015-03-23  9:14 ` Corinna Vinschen
  0 siblings, 1 reply; 3+ messages in thread
From: Martin Koeppe @ 2015-03-23  9:11 UTC (permalink / raw)
  To: cygwin, fetchmail-users


Hi all,

I just updated from cygwin 1.7.32 to 1.7.35,
and now file permissions are calculated differently,
which breaks fetchmail for me:

Here are the Windows permissions:
(no permissions for Domain Users / Domänen-Benutzer)

$ cacls fetchmailrc.txt
D:\fetchmail\fetchmailrc.txt NT-AUTORIT.T\SYSTEM:(ID)F
                              NT-AUTORIT.T\LOKALER DIENST:(ID)C
                              DOMAENE\LocalAdmin:(ID)F
                              VORDEFINIERT\Administratoren:(ID)F

cygwin-1.7.32 $ ls -l
-rwx------+ 1 LocalService Domänen-Benutzer    1932 15. Aug 2014 fetchmailrc.txt

cygwin-1.7.35 $ ls -l
-rwxrwx---+ 1 LocalService Domänen-Benutzer    1932 15. Aug 2014 fetchmailrc.txt


Now, there are group permissions set. For me it breaks fetchmail, 
because fetchmail only runs when the config file is owned by the user 
running fetchmail (LocalService in my case, a system user I never can 
login with) and with max 0700 permissions. While this check is ok/good 
for Unix, because you still can view/edit the file as user root, you 
now can't anymore as Administrator on Windows.


So cygwin's old calculation helped me to get it working that both 
fetchmail is happy as the file is only accessible by the user running 
fetchmail and I am happy to be able to change the file as 
Administrator. This seems now broken, or is there still a possibility 
to do that?


@fetchmail's maintainers:
Is it possible/desired/ok to disable this check on Cygwin?


Thanks
Martin

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: cygwin 1.7.35 reads file permissions differently, affects fetchmail
  2015-03-23  9:11 cygwin 1.7.35 reads file permissions differently, affects fetchmail Martin Koeppe
@ 2015-03-23  9:14 ` Corinna Vinschen
  2015-03-23 19:04   ` cygwin 1.7.35 reads file permissions differently, affects broken apps Linda Walsh
  0 siblings, 1 reply; 3+ messages in thread
From: Corinna Vinschen @ 2015-03-23  9:14 UTC (permalink / raw)
  To: cygwin

On Mar 23 09:57, Martin Koeppe wrote:
> 
> Hi all,
> 
> I just updated from cygwin 1.7.32 to 1.7.35,
> and now file permissions are calculated differently,
> which breaks fetchmail for me:
> 
> Here are the Windows permissions:
> (no permissions for Domain Users / Domänen-Benutzer)
> 
> $ cacls fetchmailrc.txt
> D:\fetchmail\fetchmailrc.txt NT-AUTORIT.T\SYSTEM:(ID)F
>                              NT-AUTORIT.T\LOKALER DIENST:(ID)C
>                              DOMAENE\LocalAdmin:(ID)F
>                              VORDEFINIERT\Administratoren:(ID)F
> 
> cygwin-1.7.32 $ ls -l
> -rwx------+ 1 LocalService Domänen-Benutzer    1932 15. Aug 2014 fetchmailrc.txt
> 
> cygwin-1.7.35 $ ls -l
> -rwxrwx---+ 1 LocalService Domänen-Benutzer    1932 15. Aug 2014 fetchmailrc.txt
> 
> 
> Now, there are group permissions set. For me it breaks fetchmail, because
> fetchmail only runs when the config file is owned by the user running
> fetchmail (LocalService in my case, a system user I never can login with)
> and with max 0700 permissions. While this check is ok/good for Unix, because
> you still can view/edit the file as user root, you now can't anymore as
> Administrator on Windows.

Huh?  You can.  Just open a Cygwin admin shell and take a look.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: cygwin 1.7.35 reads file permissions differently, affects broken apps
  2015-03-23  9:14 ` Corinna Vinschen
@ 2015-03-23 19:04   ` Linda Walsh
  0 siblings, 0 replies; 3+ messages in thread
From: Linda Walsh @ 2015-03-23 19:04 UTC (permalink / raw)
  To: cygwin

Corinna Vinschen wrote:
>> cygwin-1.7.32 $ ls -l
>> -rwx------+ 1 LocalService Domänen-Benutzer    1932 15. Aug 2014 fetchmailrc.txt
>>
>> cygwin-1.7.35 $ ls -l
>> -rwxrwx---+ 1 LocalService Domänen-Benutzer    1932 15. Aug 2014 fetchmailrc.txt
>>
>> Now, there are group permissions set. For me it breaks fetchmail, because
>> fetchmail only runs when the config file is owned by the user running
>> fetchmail (LocalService in my case, a system user I never can login with)
>> and with max 0700 permissions.
---
	I can confirm this bug exists in linux and is also
present in other mis-designed apps.  It's not cygwin specific.

Ishtar:law> llg .fetchmailrc
-rwx------ 1 law lawgroup 1103 Dec 14 13:49 .fetchmailrc*
Ishtar:law> chmod g+rw .fetchmailrc
> fetchmail
File /home/law/.fetchmailrc must have no more than -rwx------ (0700) permissions.
> sudo fetchmail
fetchmail: WARNING: Running as root is discouraged.
File /home/law/.fetchmailrc must have no more than -rwx------ (0700) permissions.

Another example:

> sudo lilo
Warning: /etc/lilo.conf should be writable only for root
Added 3185-Isht-Van
Added 3173-Isht-Van  *
One warning was issued.
Ishtar:linux/ish-3192> llg /etc/lilo.conf
-rw-rw-r-- 1 root root 3589 Mar 17 19:48 /etc/lilo.conf

ssh[d] (re .ssh), sudo (re sudoers), and I believe you thought
~/.rlogin also have this problem.  It is a growing problem for those
of us who manage security by group perms (I set up my Linux box with
1 group per user several years ago to allow for Windows-security
compatibility).  For a while I was able to get around the problem
with ACLs, but these days, more apps are becoming ACL-aware.

Maybe linux needs a new Discretionary-access security module, dup'ed
off the current model, but with an extra set of dummy file permissions
that can be configured to be returned when run under a specified
list of program names.  Hmmm...I like it!
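
The kind of check this thread is about (config file owned by the user running the program, no permission bits beyond 0700), written out as an added example; it is not fetchmail's code and not part of any post above. The names rc_check_fd, rc_check_path and rc_demo are hypothetical, and opening with O_NOFOLLOW and checking the descriptor rather than the path is a choice made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum rc_status { RC_OK, RC_OPEN_FAILED, RC_NOT_REGULAR, RC_WRONG_OWNER, RC_TOO_OPEN };

/* Check an open descriptor, so the file checked is the file later read. */
enum rc_status rc_check_fd(int fd, uid_t expected_owner)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return RC_OPEN_FAILED;
    if (!S_ISREG(st.st_mode)) return RC_NOT_REGULAR;
    if (st.st_uid != expected_owner) return RC_WRONG_OWNER;
    /* Any bit outside the owner's rwx (group, other, setuid, setgid, sticky)
     * is "more than 0700". Only the mode bits reported by fstat() are seen;
     * ACL entries count only as far as the system folds them into st_mode. */
    return (st.st_mode & 07777 & ~(mode_t)0700) ? RC_TOO_OPEN : RC_OK;
}

/* Open without following a symlink, then check against the effective uid. */
enum rc_status rc_check_path(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    enum rc_status rc = (fd < 0) ? RC_OPEN_FAILED : rc_check_fd(fd, geteuid());
    if (fd >= 0) close(fd);
    return rc;
}

/* Constructed demo: a temporary file with the given mode, checked, removed. */
enum rc_status rc_demo(mode_t mode)
{
    char path[] = "/tmp/rcfile-demo-XXXXXX";
    int fd = mkstemp(path);
    enum rc_status rc = RC_OPEN_FAILED;
    if (fd < 0) return rc;
    if (fchmod(fd, mode) == 0) rc = rc_check_path(path);
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    printf("0700 -> %d, 0770 -> %d\n", rc_demo(0700), rc_demo(0770));
    return 0;
}
```

Because the decision rests on st_mode alone, the same Windows ACL can pass or fail depending on how the POSIX layer maps it to mode bits, which is the difference between the two `ls -l` listings quoted in the thread.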
