This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [ANNOUNCEMENT] Updated: csih-0.1.7-1

From: Charles Wilson <cygwin at cwilson dot fastmail dot fm>
To: cygwin at cygwin dot com
Date: Thu, 21 Aug 2008 23:11:34 -0400
Subject: Re: [ANNOUNCEMENT] Updated: csih-0.1.7-1
References: <announce.48A789B6.3010103@cwilson.fastmail.fm> <48A78C6F.2050403@cwilson.fastmail.fm> <20080820134209.GN29104@calimero.vinschen.de> <48ADA260.3020901@cwilson.fastmail.fm> <20080821173028.GA24882@calimero.vinschen.de>

Corinna Vinschen wrote:

>> There are actually two questions: (a) should csih_check_access be
>> checking that the Administrators group has the desired access?, and (b)
>> are extended ACLs *actually* masked by the "other" bits?
> 
> a) Actually, since all file access is using backup privileges,
>    administrators typically have access anyway.  But we don't know if
>    admins on a given installation actually *have* backup privileges,
>    given that you can remove them from any account.

I'm not sure I follow. Are you talking about
  1) setup (current)
  2) setup-1.7
  3) cygwin-1.5
      a) when user is a member of the administrators group
      B) else?
  4) cygwin-1.7
      a) when user is a member of the administrators group
      b) else?
I mean, take case 3b or 4b: if a regular joe user does not HAVE backup
privilege, how can "all file access [be] using backup privileges" which
joe user doesn't have?

>  So, I think the test makes still sense, sort of. From a educational perspective at
>    least :)

OK.

> b) No.  ACCESS_ALLOW_ACEs permissions in the DACL are additive.

And that's what I was really looking for. So this test (and comments):

# the desired permissions. However, extended ACL entries are masked by
# the chmod bits for other, so we have to check that 'other' ALSO has at
# least the desired permissions. Otherwise, notify.
[ -z "$(echo "$ls_result" | sed -n /^......."$perm"/p)" ] && notify=1

can go away.

However, while fixing this, I found that many of the checks in
csih_check_access were not coded properly:

if [ shell_fun_call -a $var -eq "foo" ]

doesn't work.  It should be

if ( shell_fun_call && [ $var -eq "foo" ])

So, I fixed that, too -- although I dislike the extra subshells.

The new implementation is correct (I think), but it may mean that tests
that SHOULD have raised a warning flag earlier, but did not, may now do
so.  So, Corinna -- please grab the latest version from here:

http://cygwin.com/cgi-bin/cvsweb.cgi/~checkout~/csih/cygwin-service-installation-helper.sh?cvsroot=cygwin-apps

http://tinyurl.com/6regov

and try it out. I'm looking for false warning messages...

--
Chuck

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Follow-Ups:
- Re: [ANNOUNCEMENT] Updated: csih-0.1.7-1
  - From: Eric Blake
- Re: [ANNOUNCEMENT] Updated: csih-0.1.7-1
  - From: Corinna Vinschen

References:
- [ANNOUNCEMENT] Updated: csih-0.1.7-1
  - From: cygwin
- Re: [ANNOUNCEMENT] Updated: csih-0.1.7-1
  - From: Charles Wilson
- Re: [ANNOUNCEMENT] Updated: csih-0.1.7-1
  - From: Corinna Vinschen
- Re: [ANNOUNCEMENT] Updated: csih-0.1.7-1
  - From: Charles Wilson
- Re: [ANNOUNCEMENT] Updated: csih-0.1.7-1
  - From: Corinna Vinschen

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]