Re: Usage of dpkg under cygwin

Wed, 09 Oct 2002 15:45:29 -0500 


On Wednesday, October 9, 2002, at 02:51 PM, James Michael DuPont wrote:


If the current user has "the appropriate access" as I believe the
previous
poster defines it, the packager can easily give the files the correct
ownership.

But really, isn't it silly to demand privileges just to write the
correct uids
to an archive? It's not like the OS forbids you to create archives
with any
contents you like. This hokus pokus is just because we want to use
the standard
tar command, isn't it?
Well if the cygwin port is ever to be taken serious in the debian community then it needs to take security as seriously as the rest of debian does. Don't let Microsoft negligence with security pollute the goals and purpose of this debian project. It should aspire to be better, not just average, then what is available now. I know one of my reasons for choosing debian is better security.</soapbox>
I suppose I may not have a clear understanding of cygwin's permission system... is there no uid 0 under cygwin? That is all dh_testroot is checking for, that it is or has been fooled into believing that the current user is uid 0. This is needed because tar also needs to be fooled into thinking it is running as uid 0 in order to create tar files with files in them that are owned by root or any other user/group than the current one. That is what all of this revolves around.
Also keep in mind that one day cygwin and windows may take the user permissions seriously. When that day comes do you want all your packages to suddenly stop working because you tried to take shortcuts now? I don't see how that helps anyone.
Aside, if tar under cygwin treats uid 500 as privileged and lets you create tar archives containing files with privileged privileges, then the thing to do would be to patch debhelper (what dh_testroot is a part of) to check for the possibility uid 500 on cygwin as passing the root check. 

--
Paul Baker
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." 
         -- Benjamin Franklin, 1759

GPG Key: http://homepage.mac.com/pauljbaker/public.asc

Reply via email to