wezm.net/v1/content/technical/2008/09/zsh-cygwin-and-insecure-directories.html

45 lines
2.2 KiB
HTML

In order to cope with having to use Windows at work I run Cygwin. My shell of choice is zsh. For whatever reason the Cygwin package of zsh installs with a series of directories that the zsh completion system deems to be insecure and it makes sure you know this. Each time a new shell is opened (in my case through a Windows native rxvt terminal) I would receive the following warning:
Ignore insecure directories and continue [ny]?
Pressing 'y' becomes a bit tedious after a while so I decided to track down these insecure directories and fix them.
<!--more-->
<tt>man zshcompsys</tt> reveals the following about the security check:
> For security reasons compinit also checks if the completion system
> would use files not owned by root or by the current user, or files in
> directories that are world- or group-writable or that are not owned by
> root or by the current user. If such files or directories are found,
> compinit will ask if the completion system should really be used. To
> avoid these tests and make all files found be used without asking, use
> the option -u, and to make compinit silently ignore all insecure files
> and directories use the option -i. This security check is skipped
> entirely when the -C option is given.
>
> The security check can be retried at any time by running the function
> compaudit.
Running compaudit revealed the following:
% compaudit
There are insecure directories:
/usr/share/zsh/site-functions
/usr/share/zsh/4.3.4/functions
/usr/share/zsh
/usr/share/zsh/4.3.4
Examining the permissions on these directories showed they were all group writable.
% ls -ld /usr/share/zsh/site-functions
drwxrwx---+ 2 wmoore mkgroup-l-d 0 Sep 4 10:54 /usr/share/zsh/site-functions
Stripping them of the group write permission fixed the problem and made starting a new shell a little more pleasant.
% chmod g-w /usr/share/zsh/site-functions /usr/share/zsh/4.3.4/functions /usr/share/zsh /usr/share/zsh/4.3.4
% compaudit
%
**Update:** _kylexlau_ provides this one line solution for correcting to permissions on each of the directories that compaudit returns:
compaudit | xargs chmod g-w