Corinna Vinschen wrote:
>> There are actually two questions: (a) should csih_check_access be
>> checking that the Administrators group has the desired access?, and (b)
>> are extended ACLs *actually* masked by the "other" bits?
>
> a) Actually, since all file access is using backup privileges,
> administrators typically have access anyway. But we don't know if
> admins on a given installation actually *have* backup privileges,
> given that you can remove them from any account.
I'm not sure I follow. Are you talking about
1) setup (current)
2) setup-1.7
3) cygwin-1.5
a) when user is a member of the administrators group
B) else?
4) cygwin-1.7
a) when user is a member of the administrators group
b) else?
I mean, take case 3b or 4b: if a regular joe user does not HAVE backup
privilege, how can "all file access [be] using backup privileges" which
joe user doesn't have?
> So, I think the test makes still sense, sort of. From a educational
> perspective at
> least :)
OK.
> b) No. ACCESS_ALLOW_ACEs permissions in the DACL are additive.
And that's what I was really looking for. So this test (and comments):
# the desired permissions. However, extended ACL entries are masked by
# the chmod bits for other, so we have to check that 'other' ALSO has at
# least the desired permissions. Otherwise, notify.
[ -z "$(echo "$ls_result" | sed -n /^......."$perm"/p)" ] && notify=1
can go away.
However, while fixing this, I found that many of the checks in
csih_check_access were not coded properly:
if [ shell_fun_call -a $var -eq "foo" ]
doesn't work. It should be
if ( shell_fun_call && [ $var -eq "foo" ])
So, I fixed that, too -- although I dislike the extra subshells.
The new implementation is correct (I think), but it may mean that tests
that SHOULD have raised a warning flag earlier, but did not, may now do
so. So, Corinna -- please grab the latest version from here:
http://cygwin.com/cgi-bin/cvsweb.cgi/~checkout~/csih/cygwin-service-installation-helper.sh?cvsroot=cygwin-apps
http://tinyurl.com/6regov
and try it out. I'm looking for false warning messages...
--
Chuck
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
