This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: cygwin 1.7.35 reads file permissions differently, affects broken apps
- From: Linda Walsh <cygwin at tlinx dot org>
- To: cygwin at cygwin dot com
- Date: Mon, 23 Mar 2015 11:55:56 -0700
- Subject: Re: cygwin 1.7.35 reads file permissions differently, affects broken apps
- Authentication-results: sourceware.org; auth=none
- References: <alpine dot DEB dot 2 dot 00 dot 1503230918190 dot 14799 at vmdebian dot local dot koeppe-net dot de> <20150323091056 dot GC3017 at calimero dot vinschen dot de>
Corinna Vinschen wrote:
cygwin-1.7.32 $ ls -l
-rwx------+ 1 LocalService Domänen-Benutzer 1932 15. Aug 2014 fetchmailrc.txt
cygwin-1.7.35 $ ls -l
-rwxrwx---+ 1 LocalService Domänen-Benutzer 1932 15. Aug 2014 fetchmailrc.txt
Now, there are group permissions set. For me it breaks fetchmail, because
fetchmail only runs when the config file is owned by the user running
fetchmail (LocalService in my case, a system user I never can login with)
and with max 0700 permissions.
---
I can confirm this bug exists in Linux and is also
present in other mis-designed apps. It's not Cygwin-specific.
Ishtar:law> llg .fetchmailrc
-rwx------ 1 law lawgroup 1103 Dec 14 13:49 .fetchmailrc*
Ishtar:law> chmod g+rw .fetchmailrc
fetchmail
File /home/law/.fetchmailrc must have no more than -rwx------ (0700) permissions.
sudo fetchmail
fetchmail: WARNING: Running as root is discouraged.
File /home/law/.fetchmailrc must have no more than -rwx------ (0700) permissions.
Another example:
sudo lilo
Warning: /etc/lilo.conf should be writable only for root
Added 3185-Isht-Van
Added 3173-Isht-Van *
One warning was issued.
Ishtar:linux/ish-3192> llg /etc/lilo.conf
-rw-rw-r-- 1 root root 3589 Mar 17 19:48 /etc/lilo.conf
ssh[d] (re .ssh), sudo (re sudoers), and I believe you thought
~/.rlogin also have this problem. It is a growing problem for those
of us who manage security by group perms (I set up my Linux box with
1 group per user several years ago to allow for Windows-security
compatibility). For a while I was able to get around the problem
with ACLs, but these days, more apps are becoming ACL-aware.
Maybe Linux needs a new Discretionary-access security module, dup'ed
off the current model, but with an extra set of dummy file permissions
that can be configured to be returned when run under a specified
list of program names. Hmmm...I like it!
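The kind of owner-and-mode check behind the "must have no more than -rwx------ (0700) permissions" message quoted above, as an added example; it is not fetchmail's code and not part of the original message. The function names and result codes are this example's own, and it assumes a POSIX system that provides O_NOFOLLOW.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes (names are this example's own, not fetchmail's). */
enum { PF_OK, PF_ERR, PF_NOT_REGULAR, PF_WRONG_OWNER, PF_TOO_OPEN };

/* Validate an already-open config file: regular file, owned by `owner`,
 * and no mode bits set outside 0700. Checking the descriptor with
 * fstat() means the file that was checked is the file that gets read. */
int check_private_fd(int fd, uid_t owner)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return PF_ERR;
    if (!S_ISREG(st.st_mode))
        return PF_NOT_REGULAR;
    if (st.st_uid != owner)
        return PF_WRONG_OWNER;
    /* Only the mode bits reported by stat() are examined, so a change in
     * how the platform reports group bits changes the outcome. */
    if (st.st_mode & 07777 & ~(mode_t)S_IRWXU)
        return PF_TOO_OPEN;
    return PF_OK;
}

/* Open `path` without following a final symlink and run the check. */
int check_private_file(const char *path, uid_t owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return PF_ERR;
    int rc = check_private_fd(fd, owner);
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2)
        return EXIT_FAILURE;
    int rc = check_private_file(argv[1], geteuid());
    printf("%s: result %d (0 = acceptable)\n", argv[1], rc);
    return rc == PF_OK ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

With a file whose reported mode goes from -rwx------ to -rwxrwx---, as in the two ls -l listings above, the result changes from PF_OK to PF_TOO_OPEN even though the file's owner is unchanged.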