[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Usage of dpkg under cygwin

> > Aside, if tar under cygwin treats uid 500 as privileged and lets
> you 
> > create tar archives containing files with privileged privileges,
> then 
> > the thing to do would be to patch debhelper (what dh_testroot is a
> part 
> > of) to check for the possibility uid 500 on cygwin as passing the
> root 
> > check.
> Someone (I don't have time - sorry) needs to check cygwin tar. If
> cygwin
> tar hasn't been patched in that fashion, then it need to be - what it
> needs to check is if the current user can enable the '<review NT
> rights
> here> process token'. Thats a capability based check, rather than a
> uid
> check, and as such is more flexible without sacrificing security.

I will look into this next week at work (on my lunch break:) )

Really the point is this :

If you dont have permissions under winnt, cygwin wont give them to you!
if you have the permissions, then cygwin can try, but wont be able to
take them away for very long. 

I mean lets be serious here, what are we trying to do: 

make sure someone does not install a package as non-admin? what about a
local install.

make sure someone does not overwrite the cygwin /usr/bin directory with
garbage? If they have write access, they can delete it.

make sure someone does not have the wrong uids in the tar file when
they build a debian GNU/Linux package with the cross compiler under
windows 95? 


James Michael DuPont

Do you Yahoo!?
Faith Hill - Exclusive Performances, Videos & More

Reply to: