openssh unix dev - Aug 2014 - [patch/cygwin]: Remove setting extra permissions on system directories

Hi,

please consider the below patch for OpenSSH 6.7.  A fix in POSIX ACL
handling in Cygwin turned up this rather old code in the ssh-host-config
script.  It opens the permissions for some directories, especially
/var/empty, for the "system" user for no good reason.

This results in sshd refusing to start because the permissions on
/var/empty are too open.

The below patch fixes that by dropping the code adding an ACL entry
for the "system" user.


Thanks,
Corinna


Index: contrib/cygwin/ssh-host-config
==================================================================RCS file:
/cvs/openssh/contrib/cygwin/ssh-host-config,v
retrieving revision 1.35
diff -u -p -r1.35 ssh-host-config
--- contrib/cygwin/ssh-host-config	27 May 2014 04:31:59 -0000	1.35
+++ contrib/cygwin/ssh-host-config	29 Aug 2014 21:24:02 -0000
@@ -37,7 +37,6 @@ declare -a csih_required_commands=(
   /usr/bin/mkpasswd cygwin
   /usr/bin/mount cygwin
   /usr/bin/ps cygwin
-  /usr/bin/setfacl cygwin
   /usr/bin/umount cygwin
   /usr/bin/cmp diffutils
   /usr/bin/grep grep
@@ -658,11 +657,6 @@ then
   csih_warning "Can't set permissions on ${SYSCONFDIR}!"
   let ++warning_cnt
 fi
-if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null
2>&1
-then
-  csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
-  let ++warning_cnt
-fi
 
 # Check for /var/log directory
 csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log
directory."
@@ -671,11 +665,6 @@ then
   csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
   let ++warning_cnt
 fi
-if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"
>/dev/null 2>&1
-then
-  csih_warning "Can't set extended permissions on
${LOCALSTATEDIR}/log!"
-  let ++warning_cnt
-fi
 
 # Create /var/log/lastlog if not already exists
 if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
@@ -699,11 +688,6 @@ csih_make_dir "${LOCALSTATEDIR}/empty" "
 if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null
2>&1
 then
   csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
-  let ++warning_cnt
-fi
-if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty"
>/dev/null 2>&1
-then
-  csih_warning "Can't set extended permissions on
${LOCALSTATEDIR}/empty!"
   let ++warning_cnt
 fi
 

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140829/9afe3f28/attachment.bin>

On Aug 29 23:25, Corinna Vinschen wrote:
> Hi,
> 
> please consider the below patch for OpenSSH 6.7.  A fix in POSIX ACL
> handling in Cygwin turned up this rather old code in the ssh-host-config
> script.  It opens the permissions for some directories, especially
> /var/empty, for the "system" user for no good reason.
> 
> This results in sshd refusing to start because the permissions on
> /var/empty are too open.
> 
> The below patch fixes that by dropping the code adding an ACL entry
> for the "system" user.
Actually, please disregard the previous patch and use the below one.
The script really shows its age.  It tries to create directories which
for a long time now have been installed with correct permissions by the
base installation already.

The only directory the script really has to care for is /var/empty.

New patch below.


Thanks,
Corinna


Index: contrib/cygwin/ssh-host-config
==================================================================RCS file:
/cvs/openssh/contrib/cygwin/ssh-host-config,v
retrieving revision 1.35
diff -u -p -r1.35 ssh-host-config
--- contrib/cygwin/ssh-host-config	27 May 2014 04:31:59 -0000	1.35
+++ contrib/cygwin/ssh-host-config	29 Aug 2014 21:34:00 -0000
@@ -37,7 +37,6 @@ declare -a csih_required_commands=(
   /usr/bin/mkpasswd cygwin
   /usr/bin/mount cygwin
   /usr/bin/ps cygwin
-  /usr/bin/setfacl cygwin
   /usr/bin/umount cygwin
   /usr/bin/cmp diffutils
   /usr/bin/grep grep
@@ -651,32 +650,6 @@ echo
 
 warning_cnt=0
 
-# Check for ${SYSCONFDIR} directory
-csih_make_dir "${SYSCONFDIR}" "Cannot create global
configuration files."
-if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
-then
-  csih_warning "Can't set permissions on ${SYSCONFDIR}!"
-  let ++warning_cnt
-fi
-if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null
2>&1
-then
-  csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
-  let ++warning_cnt
-fi
-
-# Check for /var/log directory
-csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log
directory."
-if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null
2>&1
-then
-  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
-  let ++warning_cnt
-fi
-if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"
>/dev/null 2>&1
-then
-  csih_warning "Can't set extended permissions on
${LOCALSTATEDIR}/log!"
-  let ++warning_cnt
-fi
-
 # Create /var/log/lastlog if not already exists
 if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
 then
@@ -699,11 +672,6 @@ csih_make_dir "${LOCALSTATEDIR}/empty" "
 if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null
2>&1
 then
   csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
-  let ++warning_cnt
-fi
-if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty"
>/dev/null 2>&1
-then
-  csih_warning "Can't set extended permissions on
${LOCALSTATEDIR}/empty!"
   let ++warning_cnt
 fi
 
-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140829/10e2fb05/attachment.bin>