Corinna Vinschen wrote:
> I'm about to create a new openssh package for 1.7 with fixes along the
> lines of what you sent in your OP.
>
> While I'm at it, I see that there's a bit of dual work in the
> csih-0.1.7 script and the ssh-host-config script:
So I was also trying to update my iu-config script to use the latest
csih, and ran into an interesting behavior, which leads to a question.
I did this:
# Create /etc/inet.d
csih_make_dir "${SYSCONFDIR}/inetd.d" "Cannot create directory for inetd
configuration files."
chmod 775 "${SYSCONFDIR}/inetd.d" >& /dev/null || /bin/true
setfacl -m u:system:rwx "${SYSCONFDIR}/inetd.d" >& /dev/null || /bin/true
csih_check_access "${SYSCONFDIR}/inetd.d" "rwxr.xr.x"
Which, when executed, resulted in
*** Warning: The owner and the Administrators need
*** Warning: to have rwxr.xr.x permission to /etc/inetd.d.
*** Warning: Here are the current permissions:
*** Warning: drwxrwxr-x+ 2 Administrator Users 0 May 2 20:21 /etc/inetd.d
*** Warning: Please change the user and/or group ownership and
*** Warning: permissions of /etc/inetd.d.
Now, "drwxrwxr-x+" matches the specified regex "rwxr.xr.x" (after
csih_check_access prepends "^."). The warning is triggered by:
(some test succees, but):
# There exists an extended ACL entry for the Administrators group, with
# the desired permissions. However, extended ACL entries are masked by
# the chmod bits for other, so we have to check that 'other' ALSO has at
# least the desired permissions. Otherwise, notify.
[ -z "$(echo "$ls_result" | sed -n /^......."$perm"/p)" ] && notify=1
fi
There are actually two questions: (a) should csih_check_access be
checking that the Administrators group has the desired access?, and (b)
are extended ACLs *actually* masked by the "other" bits?
--
Chuck
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
