This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Failure in merging win-env vars into post-'login'...


Hi Linda,

On Jan 23 17:34, Linda Walsh wrote:
> Corinna Vinschen wrote:
> 
> >- Can you please start inetd under strace, once under 1.7.33, once under
> >  the 1.7.34 test DLL and then log in as you usually do?  This requires
> >  some patience because under strace the whole process of logging in
> >  will become almost unbearably slow.
> ----
> 	~20 seconds?
> 
> >  With the test DLL, you can stop
> >  immediately after the password prompt shows up.
> ---
> I trimmed both of the traces in gvim to the point when they
> both first call "-bash".

Thanks for the straces.  I think I know what happens.

First of all, under Cygwin 1.7.34 rlogin reads your .rhosts file
just the same as under 1.7.33.

The difference is apparently that under 1.7.34, rlogin refuses the
file due to too open permissions.

This is a result of the fix in POSIX ACL handling.  For a start, run
`ls -l .rhosts' under both Cygwin versions.  What you will see (more
or less) is something like this:

  1.7.33$ ls -l .rhosts
  -rw-------. 2 law.Bliss  groupname Jan 23 17:56 .rhosts

  1.7.34$ ls -l .rhosts
  -rw-rwx---. 2 law.Bliss  groupname Jan 23 17:56 .rhosts

Do you see the group permissions?  They are too open, because your
.rhosts' ACL contains permissions for other users, for instance,
Administrators or SYSTEM.

The ACL handling fix in Cygwin 1.7.34 causes that.  Basically it's
a result of (finally) implementing this POSIX ACL behaviour (quote
from Linux' `man 5 acl'):

  There is a correspondence between the file owner, group, and other
  permissions and specific ACL entries: the owner permissions correspond
  to the permissions of the ACL_USER_OBJ entry. If the ACL has an
  ACL_MASK entry, the group permissions correspond to the permissions of
  the ACL_MASK entry.  Otherwise, if the ACL has no ACL_MASK entry, the
  group permissions correspond to the permissions of the ACL_GROUP_OBJ
  entry.  The other permissions correspond to the permissions of the
  ACL_OTHER_OBJ entry.

So the group permission bits reflect the ACL_MASK value, and the ACL_MASK
value is the inclusive or of all permissions of all secondary ACL_USER
and ACL_GROUP entries in the ACL.  For instance:

  user:                  rw-
  group:                 r--
  other:                 ---
  group:Administrators:  --x

  ==> $ ls -l file
  -rw-r-x--- ...

So the permissions become the or'ed mask of the permissions of the
primary group and all secondary users and groups:

  r-- OR --x = r-x

So, the problem is the permissions.  How do you change that?  That's
easy.  Just remove all ACL entries which don't belong to the standard
POSIX permissions.  The new setfacl(1) in 1.7.34 has a simple command
for that:

  $ setfacl -b .rhosts

The result should be:

  1.7.34$ ls -l .rhosts
  -rw-------. 2 law.Bliss  groupname Jan 23 17:56 .rhosts


HTH,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
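
Added example, not part of the original message and not Cygwin code: a small Python model of the acl(5) correspondence described above, showing how extended ACL entries surface in the group bits of `ls -l` and what removing them (as `setfacl -b` does) changes. The sample ACLs are constructed, and `too_open` is an assumed strict check, since the message does not state rlogin's exact test.

```python
# Added example: model of the acl(5) mode-bit correspondence (not Cygwin source).
BITS = {"r": 4, "w": 2, "x": 1}

# Constructed sample: the ACL from the message's worked example.
MESSAGE_EXAMPLE = """user::rw-
group::r--
other::---
group:Administrators:--x"""
# Constructed sample: a .rhosts ACL carrying entries for other Windows accounts.
RHOSTS_ACL = """user::rw-
group::---
other::---
group:Administrators:rwx
user:SYSTEM:rwx"""

def parse_acl(text):
    """Parse 'tag:qualifier:perms' lines into (tag, qualifier, bits) tuples."""
    entries = []
    for line in text.splitlines():
        tag, qualifier, perms = line.strip().split(":")
        entries.append((tag, qualifier, sum(BITS[c] for c in perms if c != "-")))
    return entries

def base(entries, tag):
    """Permission bits of the unqualified entry (user::, group::, other::)."""
    return next(v for t, q, v in entries if t == tag and not q)

def calc_mask(entries):
    """Inclusive OR of the owning group and every named user/group entry."""
    mask = 0
    for tag, qualifier, bits in entries:
        if tag == "group" or (tag == "user" and qualifier):
            mask |= bits
    return mask

def mode_string(entries):
    """Owner from user::, group from the mask when extended entries exist."""
    extended = any(q for t, q, _ in entries if t in ("user", "group"))
    group = calc_mask(entries) if extended else base(entries, "group")
    triplets = (base(entries, "user"), group, base(entries, "other"))
    return "-" + "".join("".join(c if b & BITS[c] else "-" for c in "rwx")
                         for b in triplets)

def strip_extended(entries):
    """Keep only the three base entries, the effect of `setfacl -b`."""
    return [e for e in entries if not e[1] and e[0] != "mask"]

def too_open(entries):
    """Assumed strict check: any group or other bit set counts as too open."""
    return mode_string(entries)[4:] != "------"
```

Note that the owning group entry in the constructed .rhosts ACL grants nothing; the `rwx` in the group column comes entirely from the named entries.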
