--- Paul Baker <pbaker@xxxxxxxxxxxxxxx> wrote:
>
> On Wednesday, October 9, 2002, at 02:51 PM, James Michael DuPont
> wrote:
>
> >> If the current user has "the appropriate access" as I believe the
> >> previous
> >> poster defines it, the packager can easily give the files the
> correct
> >> ownership.
> >>
> >> But really, isn't it silly to demand privileges just to write the
> >> correct uids
> >> to an archive? It's not like the OS forbids you to create archives
> >> with any
> >> contents you like. This hokus pokus is just because we want to use
> >> the standard
> >> tar command, isn't it?
>
> Well if the cygwin port is ever to be taken serious in the debian
> community then it needs to take security as seriously as the rest of
> debian does. Don't let Microsoft negligence with security pollute the
>
> goals and purpose of this debian project. It should aspire to be
> better, not just average, then what is available now. I know one of
> my
> reasons for choosing debian is better security.</soapbox>
I agree with you.
If you ask me, the best way to get people to support free software is
to sell them something. Most people will love to buy free software if
they can ask permission to buy it and get a cd and a handbook under
windows. Seriously.
ON the other side, I used windows for years and only switched to linux
when it got easier to use.
>
> I suppose I may not have a clear understanding of cygwin's permission
> system... is there no uid 0 under cygwin?
Under winnt/2k, uid=0 is everyone 500 is root/Administrator.
> That is all dh_testroot is
> checking for, that it is or has been fooled into believing that the
> current user is uid 0. This is needed because tar also needs to be
> fooled into thinking it is running as uid 0 in order to create tar
> files with files in them that are owned by root or any other
> user/group
> than the current one. That is what all of this revolves around.
Sure, and I think we can just check for that. Very simple.
I have written to cygwin about this and you can find my question in the
cygwin list. I dont expect an answer soon.
>
> Also keep in mind that one day cygwin and windows may take the user
> permissions seriously. When that day comes do you want all your
> packages to suddenly stop working because you tried to take shortcuts
> now? I don't see how that helps anyone.
Under windows 95/98/Me there will never be any security. Under Win2k we
can have it, but most people dont use it under cygwin. Cygwin is not
secure. Period.
I want to create windows packages under debian and compile them under
cygwin if need be. But I dont have the time at work and it has to go
fast. The end result can be packaged into a MSI or an installer and
does not need either. And belive me, most windows users dont have tar
either!
>
> Aside, if tar under cygwin treats uid 500 as privileged and lets you
> create tar archives containing files with privileged privileges, then
> the thing to do would be to patch debhelper (what dh_testroot is a
> part
> of) to check for the possibility uid 500 on cygwin as passing the
> root
> check.
I will try that tomorrow at work.
Thanks for you help
Mike
=====
James Michael DuPont
http://introspector.sourceforge.net/
__________________________________________________
Do you Yahoo!?
Faith Hill - Exclusive Performances, Videos & More
http://faith.yahoo.com
|
| 
