QA /technical/2008/09/zsh-cygwin-and-insecure-directories/

Wesley Moore 2010-03-22 07:50:51 +11:00
parent 0e0fc9552e
commit c5e2c2e9f8
2 changed files with 32 additions and 31 deletions

@ -1,44 +1,45 @@
In order to cope with having to use Windows at work I run Cygwin. My shell of choice is zsh. For whatever reason the Cygwin package of zsh installs with a serious of directories that the zsh completion system deems to be insecure and it makes sure you know this. Each time a new shell is opened (in my case through a Windows native rxvt terminal) I would receive the following warning:
In order to cope with having to use Windows at work I run Cygwin. My shell of choice is zsh. For whatever reason the Cygwin package of zsh installs with a series of directories that the zsh completion system deems to be insecure and it makes sure you know this. Each time a new shell is opened (in my case through a Windows native rxvt terminal) I would receive the following warning:
<code>Ignore insecure directories and continue [ny]?</code>
Ignore insecure directories and continue [ny]?
Pressing 'y' becomes a bit tedious after a while so I decided to track down these insecure directories and fix them.
<!--more-->
<tt>man zshcompsys</tt> reveals the following about the security check:
<blockquote>For security reasons compinit also checks if the completion system
would use files not owned by root or by the current user, or files in
directories that are world- or group-writable or that are not owned by
root or by the current user. If such files or directories are found,
compinit will ask if the completion system should really be used. To
avoid these tests and make all files found be used without asking, use
the option -u, and to make compinit silently ignore all insecure files
and directories use the option -i. This security check is skipped
entirely when the -C option is given.
The security check can be retried at any time by running the function
compaudit.
</blockquote>
> For security reasons compinit also checks if the completion system
> would use files not owned by root or by the current user, or files in
> directories that are world- or group-writable or that are not owned by
> root or by the current user. If such files or directories are found,
> compinit will ask if the completion system should really be used. To
> avoid these tests and make all files found be used without asking, use
> the option -u, and to make compinit silently ignore all insecure files
> and directories use the option -i. This security check is skipped
> entirely when the -C option is given.
>
> The security check can be retried at any time by running the function
> compaudit.
Running compaudit revealed the following:
<code>% compaudit
% compaudit
There are insecure directories:
/usr/share/zsh/site-functions
/usr/share/zsh/4.3.4/functions
/usr/share/zsh
/usr/share/zsh/4.3.4</code>
/usr/share/zsh/4.3.4
Examining the permissions on these directories showed they were all group writable.
<code>% ls -ld /usr/share/zsh/site-functions
drwxrwx---+ 2 wmoore mkgroup-l-d 0 Sep 4 10:54 /usr/share/zsh/site-functions</code>
% ls -ld /usr/share/zsh/site-functions
drwxrwx---+ 2 wmoore mkgroup-l-d 0 Sep 4 10:54 /usr/share/zsh/site-functions
Stripping them of the group write permission fixed the problem and made starting a new shell a little more pleasant.
<code>% chmod g-w /usr/share/zsh/site-functions /usr/share/zsh/4.3.4/functions /usr/share/zsh /usr/share/zsh/4.3.4
% chmod g-w /usr/share/zsh/site-functions /usr/share/zsh/4.3.4/functions /usr/share/zsh /usr/share/zsh/4.3.4
% compaudit
%
</code>
<strong>Update:</strong> kylexlau provides this one line solution for correcting to permissions on each of the directories that compaudit returns:
<code>compaudit | xargs chmod g-w</code>
**Update:** _kylexlau_ provides this one line solution for correcting to permissions on each of the directories that compaudit returns:
compaudit | xargs chmod g-w
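
Review bot: The closing Update line presents `compaudit | xargs chmod g-w` as a general fix, but the quoted zshcompsys text lists three conditions (group-writable, world-writable, not owned by root or the current user), and `chmod g-w` only clears the first, which is the one the `ls -ld` output here shows (`drwxrwx---+`). Suggest saying so next to the one-liner, and recommending that readers inspect each listed directory with `ls -ld` before changing it and re-run `compaudit` afterwards, as the earlier step does. Minor: the same line still reads "correcting to permissions" (probably "correcting the permissions"), even though this change fixes "serious" to "series" in the first paragraph.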

@ -95,8 +95,8 @@ sup {
font-size: 0.8em;
}
pre,code {
font-size: 12px;
pre,code,tt {
font-size: 13px;
font-family: Consolas, "Andale Mono", "Liberation Mono", Menlo, Monaco, "Bitstream Vera Sans Mono", fixed;
}
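
Review bot: The rule now covers `tt` as well, but its `font-family` list ends in `fixed`, which is not a CSS generic family; end the list with `monospace` so that `pre`, `code` and `tt` still render in a fixed-width face when none of the named fonts is installed. Also, `font-size: 13px` is an absolute size while the `sup` rule just above uses `0.8em`; a relative unit would keep code text scaling with the surrounding text.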