Hi John,

I just realized that the passwd-grp.sh postinstall script in the base-passwd package sets insecure permissions on /etc/passwd and /etc/group. Is there any good reason to chmod 777 these files? I don't see any, especially not execute permission.
chmod 644 would be the correct setting, afaics. We can also get rid of the sed calls to remove the line with :S-1-1-0: from passwd and group. These entries haven't been generated for many, many years. Last but not least, the file group should be set to the Administrators group by default. I would like to suggest the following patch:

--- passwd-grp.sh.ORIG 2009-04-22 20:44:42.521387200 +0200 +++ passwd-grp.sh 2009-04-22 20:59:04.167788000 +0200 @@ -1,24 +1,27 @@ #!/bin/sh +created_passwd=no +created_group=no + if [ ! -e /etc/passwd -a ! -L /etc/passwd ] ; then /bin/mkpasswd -l -c > /etc/passwd - /bin/chmod 777 /etc/passwd + /bin/chmod 644 /etc/passwd + created_passwd=yes fi if [ ! -e /etc/group -a ! -L /etc/group ] ; then /bin/mkgroup -l -c > /etc/group - /bin/chmod 777 /etc/group + /bin/chmod 644 /etc/group + created_group=yes fi -cp -f /etc/passwd /tmp/passwd.mkpasswd && \ -( [ -w /etc/passwd ] || chmod --silent a+w /etc/passwd ; ) && \ -sed -e '/:S-1-1-0:/d' /tmp/passwd.mkpasswd > /etc/passwd && \ -chmod --silent --reference=/etc/group /etc/passwd -rm -f /tmp/passwd.mkpasswd - -cp -f /etc/group /tmp/group.mkgroup && \ +cp -fp /etc/group /tmp/group.mkgroup && \ ( [ -w /etc/group ] || chmod --silent a+w /etc/group ; ) && \ echo "root:S-1-5-32-544:0:" > /etc/group && \ -sed -e '/:S-1-1-0:/d' -e '/root:S-1-5-32-544:0:/d' /tmp/group.mkgroup >> /etc/group && \ +sed -e '/root:S-1-5-32-544:0:/d' /tmp/group.mkgroup >> /etc/group && \ chmod --silent --reference=/etc/passwd /etc/group rm -f /tmp/group.mkgroup + +# Deferred to be sure root group entry exists +[ "$created_passwd" = "yes" ] && /bin/chgrp --silent root /etc/passwd +[ "$created_group" = "yes" ] && /bin/chgrp --silent root /etc/group

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
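Review bot: the new `/bin/chmod 644` lines only run inside the `if [ ! -e ... ]` branches that create the files, so an installation that already has /etc/passwd and /etc/group with the old 777 mode keeps it, and the unchanged context line `chmod --silent --reference=/etc/passwd /etc/group` then copies that 777 mode back onto /etc/group after every rewrite. Suggest running `chmod 644` (and the deferred `chgrp root`) unconditionally on both files after the group rewrite instead of guarding them with created_passwd/created_group. Separately, `echo "root:S-1-5-32-544:0:" > /etc/group` truncates the live file before sed appends the rest, and the preceding `chmod --silent a+w /etc/group` has already made it world-writable, so a failure anywhere in that && chain leaves a one-line, a+w /etc/group; building the new contents in the temporary file and moving it into place with the final mode set would avoid both the window and the leftover state.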