
Re: Usage of dpkg under cygwin



On Thu, 2002-10-10 at 06:44, Paul Baker wrote:

> Well if the cygwin port is ever to be taken seriously in the debian 
> community then it needs to take security as seriously as the rest of 
> debian does. Don't let Microsoft negligence with security pollute the 
> goals and purpose of this debian project. It should aspire to be 
> better, not just average, than what is available now. I know one of my 
> reasons for choosing debian is better security.</soapbox>

This has nothing to do with security. And we *do* take security
seriously. We fix all security issues we become aware of promptly,
including ssl fixes etc. We support setting ntfs acls from within cygwin,
and I could go on. The point is: creating a tarball is a programming
task, not a security issue. Extraction of a tarball onto a system, that
is a security issue.
 
> I suppose I may not have a clear understanding of cygwin's permission 
> system... is there no uid 0 under cygwin?

No. Cygwin uids are the NT RSID for the user. We use the last section
(after the last -) for a posix-style user id. This is non-unique though,
and I'd need to check the source to see what we do if/when that happens.

>  That is all dh_testroot is 
> checking for, that it is or has been fooled into believing that the 
> current user is uid 0. This is needed because tar also needs to be 
> fooled into thinking it is running as uid 0 in order to create tar 
> files with files in them that are owned by root or any other user/group 
> than the current one. That is what all of this revolves around.

Ah, that makes more sense.

> Also keep in mind that one day cygwin and windows may take the user 
> permissions seriously. When that day comes do you want all your 
> packages to suddenly stop working because you tried to take shortcuts 
> now? I don't see how that helps anyone.

What shortcuts? Cygwin already takes permissions very seriously. SSH
won't work if you have the incorrect permissions. SU won't work if the
system is not set up correctly. And so on.

> Aside, if tar under cygwin treats uid 500 as privileged and lets you 
> create tar archives containing files with privileged privileges, then 
> the thing to do would be to patch debhelper (what dh_testroot is a part 
> of) to check for the possibility uid 500 on cygwin as passing the root 
> check.

Someone (I don't have time - sorry) needs to check cygwin tar. If cygwin
tar hasn't been patched in that fashion, then it needs to be - what it
needs to check is if the current user can enable the '<review NT rights
here> process token'. That's a capability-based check, rather than a uid
check, and as such is more flexible without sacrificing security.

Rob
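Rob's point that creating a tarball is a programming task rather than a security issue can be shown with GNU tar, which records member ownership from the --owner/--group options without any uid 0 check; the recorded owner is only archive metadata, and whether extraction actually produces root-owned files depends on the privileges of whoever extracts. This is an added example, not part of the thread, and it assumes GNU tar, a POSIX shell and the GNU/busybox `stat -c` syntax.

```shell
#!/bin/sh
# Added example (not from the thread): build an archive whose members are
# recorded as owned by root while running as an ordinary user, then show
# that extracting it yields files owned by the extracting user, not root.
# Assumes GNU tar (--owner/--group are GNU extensions).
set -e

# Build the archive and print its path. No uid 0 is needed: the owner
# written into the tar header comes straight from the option.
build_root_owned_tar() {
    work=$(mktemp -d)
    mkdir -p "$work/pkg/usr/bin"
    printf 'hello\n' > "$work/pkg/usr/bin/hello"
    tar -C "$work/pkg" --owner=root --group=root -cf "$work/pkg.tar" .
    echo "$work/pkg.tar"
}

# Print the owner/group recorded in the archive for one member
# (second column of `tar -tvf`, e.g. "root/root").
recorded_owner() {
    tar -tvf "$1" ./usr/bin/hello | awk '{print $2}'
}

# Extract as the current user and print the numeric uid that actually
# owns the extracted file. Unprivileged tar cannot chown to root, so the
# archived owner is honoured only when the extractor has that right.
extracted_uid() {
    dest=$(mktemp -d)
    tar -C "$dest" -xf "$1"
    stat -c %u "$dest/usr/bin/hello"
}
```

Run as a non-root user, the recorded owner is root/root while the extracted file belongs to the invoking uid; run as root, tar restores the recorded owner, which is exactly why Rob places the security boundary at extraction.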
