From: Linda Walsh <cygwin@tlinx.org>
To: cygwin@cygwin.com
Subject: Re: cygwin 1.7.35 reads file permissions differently, affects broken apps
Date: Mon, 23 Mar 2015 19:04:00 -0000 [thread overview]
Message-ID: <551061BC.1020005@tlinx.org> (raw)
In-Reply-To: <20150323091056.GC3017@calimero.vinschen.de>
Corinna Vinschen wrote:
>> cygwin-1.7.32 $ ls -l
>> -rwx------+ 1 LocalService Domänen-Benutzer 1932 15. Aug 2014
>> fetchmailrc.txt
>>
>> cygwin-1.7.35 $ ls -l
>> -rwxrwx---+ 1 LocalService Domänen-Benutzer 1932 15. Aug 2014
>> fetchmailrc.txt
>>
>> Now, there are group permissions set. For me it breaks fetchmail, because
>> fetchmail only runs when the config file is owned by the user running
>> fetchmail (LocalService in my case, a system user I never can login with)
>> and with max 0700 permissions.
---
I can confirm this bug exists in linux and is also
present in other mis-designed apps. It's not cygwin specific.
Ishtar:law> llg .fetchmailrc
-rwx------ 1 law lawgroup 1103 Dec 14 13:49 .fetchmailrc*
Ishtar:law> chmod g+rw .fetchmailrc
> fetchmail
File /home/law/.fetchmailrc must have no more than -rwx------ (0700) permissions.
> sudo fetchmail
fetchmail: WARNING: Running as root is discouraged.
File /home/law/.fetchmailrc must have no more than -rwx------ (0700) permissions.
Another example:
> sudo lilo
Warning: /etc/lilo.conf should be writable only for root
Added 3185-Isht-Van
Added 3173-Isht-Van *
One warning was issued.
Ishtar:linux/ish-3192> llg /etc/lilo.conf
-rw-rw-r-- 1 root root 3589 Mar 17 19:48 /etc/lilo.conf
"ssh[d](re .ssh) , sudo (re sudoers), and I believe you thought
~/.rlogin also have this problem. It is a growing problem for those
of us who manage security by group perms (I setup my linux box with
1 group per user several years ago to allow for Windows-security
compatibility). For a while I was able to get around the problem
with ACL's, but these days, more apps are becoming ACL-aware.
Maybe linux needs a new Discretionary-access security module, dup'ed
off the current model, but with an extra set of dummy file permissions
that can be configured to be returned when run under a specified
list of program names. Hmmm...I like it!
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
prev parent reply other threads:[~2015-03-23 18:56 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-23 9:11 cygwin 1.7.35 reads file permissions differently, affects fetchmail Martin Koeppe
2015-03-23 9:14 ` Corinna Vinschen
2015-03-23 19:04 ` Linda Walsh [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=551061BC.1020005@tlinx.org \
--to=cygwin@tlinx.org \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).