This is the mail archive of the cygwin-developers mailing list for the Cygwin project.



Re: /home security problem


On 4 September 2010 08:51, Corinna Vinschen wrote:
> On Sep  3 19:45, Andy Koppe wrote:
>> On 3 September 2010 03:04, Dave Korn wrote:
>> > On 02/09/2010 22:22, Andy Koppe wrote:
>> >
>> >> The /home directory has rwxrwxrwt rights. This allows anyone to create
>> >> directories and files in /home, but due to the 'sticky' bit
>> >> represented by the 't' at the end, only directory/file owners can
>> >> delete them. So this allows /etc/profile to create a user's home
>> >> directory, without allowing users to remove other users' home
>> >> directories.
>> >>
>> >> Trouble is, users can create directories with any name in /home,
>> >> including directories with the name of another user who hasn't yet
>> >> logged in. When that user eventually does log in, (s)he'll end up with
>> >> a home directory owned by someone else. This even works for
>> >> administrators, i.e. I ended up being able as an ordinary user to
>> >> delete files in an administrator's home directory.
>> >>
>> >> I've got no idea how to fix that short of changing the /home
>> >> permissions to 775 and hence requiring an administrator to create any
>> >> home directories (which of course is what happens on Linux).
>
> The problem is that in a Cygwin installation it's expected that every
> user creates its own home dir on first start of the shell.
>
> In theory we would have to remove the "for all/just me" choice in
> setup.exe and always install as admin.

I don't understand that connection.

> However, for the home dir that
> means that a user only can have a home dir if an admin created it first.
> That's ok for Linux, but how is that supposed to work for Cygwin?  We
> don't even have tools like useradd, usermod, etc, and many installations
> of Cygwin are only tolerated by admins because they don't have to care.

Yeah, I wasn't seriously suggesting that we should go down that route.

>> >  We could restructure the logic in /etc/profile to do something like
>> >
>> >  if [ $HOME already exists ]
>> >    if [ $HOME owner uid != $user uid ]
>> >      issue warning and rename bogus home dir aside
>> >    fi
>> >  fi
>> >
>> > just before the current
>> >
>> >  if [ $HOME doesn't exist ]
>> >    copy it from /etc/skel, issuing the standard first-run message.
>> >  fi
>> >
>> > bit.  (Sorry pseudocode only.)
>>
>> Good idea. I see bash has a built-in test for whether a file belongs
>> to the current user (-O file), so this could probably be done without
>> incurring another fork.

On second thoughts, the 'rename bogus home dir aside' bit won't work
for ordinary users, because they don't have the right to do so. So
perhaps have the 'SOMEONE ELSE OWNS YOUR HOME!' warning only?

Andy
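As an added example (not Cygwin's actual /etc/profile, and not code posted by anyone in this thread), here is the check sketched above written out as a bash function, following the warning-only conclusion: if $HOME already exists but is not ours, print the warning and leave it alone, since with the sticky bit on /home an ordinary user cannot rename it aside; otherwise create it and copy the skeleton on first run. The function name check_home_dir, its return codes, the skeleton-directory argument and the throw-away directories in the demo are assumptions made for this example. -O is the bash test operator mentioned above (not POSIX, but dash and busybox accept it as well); because it follows symlinks, a symlink sitting where the home directory should be is treated as suspect too.

```bash
#!/bin/bash
# Added example: first-run home-directory check for an /etc/profile-style
# script. Not Cygwin's /etc/profile; the function name, the return codes and
# the skeleton-directory argument are assumptions made for this example.
#
# check_home_dir HOME SKEL
#   returns 0  HOME exists and is owned by the current (effective) user
#   returns 1  HOME did not exist; created with mode 0700 and filled from SKEL
#   returns 2  HOME exists but is not ours (or is a symlink): warn, touch nothing
#   returns 3  HOME could not be created
check_home_dir() {
    local home=$1 skel=$2

    if [ -e "$home" ] || [ -L "$home" ]; then
        # -O tests ownership by the effective uid without forking stat(1).
        # It follows symlinks, so a symlink planted in /home would be judged
        # by its target; treat any symlink as suspect as well.
        if [ ! -L "$home" ] && [ -O "$home" ]; then
            return 0
        fi
        # Someone else created "$home" before our first login. With the sticky
        # bit on /home only the owner can rename or remove it, so an ordinary
        # user cannot move it aside: warn and leave it untouched.
        echo "WARNING: $home exists but is not owned by you." >&2
        echo "         Ask an administrator to fix its ownership before using it." >&2
        return 2
    fi

    # Normal first run: create the directory with a private mode up front so
    # there is no window in which it is group- or world-writable, then copy
    # the skeleton files (dot-files included) into it.
    if ! mkdir -m 0700 "$home"; then
        echo "Unable to create $home" >&2
        return 3
    fi
    if [ -d "$skel" ]; then
        cp -R "$skel"/. "$home"/
    fi
    echo "Copying skeleton files to $home." >&2
    return 1
}

# Constructed demo: throw-away skeleton and home directories under mktemp,
# standing in for /etc/skel and /home. Returns 0 if all three cases behave
# as documented above. (A home dir owned by a *different* uid cannot be
# staged without a second account, so that case is not exercised here.)
demo_home_check() {
    local tmp rc
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/skel"
    echo 'alias ll="ls -l"' > "$tmp/skel/.bashrc"   # constructed sample file

    # 1. first login: home is created and populated -> 1
    rc=0; check_home_dir "$tmp/alice" "$tmp/skel" 2>/dev/null || rc=$?
    [ "$rc" -eq 1 ] && [ -f "$tmp/alice/.bashrc" ] || return 1

    # 2. second login: home exists and is ours -> 0
    rc=0; check_home_dir "$tmp/alice" "$tmp/skel" 2>/dev/null || rc=$?
    [ "$rc" -eq 0 ] || return 1

    # 3. a symlink left where the home dir should be -> 2 (warning only)
    ln -s "$tmp/skel" "$tmp/bob"
    rc=0; check_home_dir "$tmp/bob" "$tmp/skel" 2>/dev/null || rc=$?
    [ "$rc" -eq 2 ] || return 1

    rm -rf "$tmp"
    return 0
}
```

In a real profile the call would be `check_home_dir "$HOME" /etc/skel`, with the caller treating a return of 2 as "do not trust $HOME": nothing is written there, and the user is told to get an administrator to chown it. Running as root the -O test is true for every file, which is why the demo only stages the symlink variant of the "not ours" case.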

