Re: compinit insecure warning with trusted user

zsh-workers
 help / color / mirror / code / Atom feed

From: Bart Schaefer <schaefer@brasslantern.com>
To: zsh-workers@zsh.org
Cc: Stephen Romansky <sk.romansky@gmail.com>
Subject: Re: compinit insecure warning with trusted user
Date: Mon, 8 Jun 2015 00:48:47 -0700	[thread overview]
Message-ID: <150608004847.ZM27819@torch.brasslantern.com> (raw)
In-Reply-To: <CAB-nOxbtMwx2jP-Cw5eQNQ6GvqtaauoNuHoPEA9ecxV3wzoZsA@mail.gmail.com>

On Jun 7,  1:09pm, Stephen Romansky wrote:
}
} Zsh in owned by an admin account that isn't named root, and is not the
} current user.
} 
} Now,
} http://zsh.sourceforge.net/Doc/Release/Completion-System.html#Use-of-compinit
} states that the *compaudit* will throw the warning if the completion system
} is not owned by root or the current user. Which is the case I have.

That paragraph is missing one detail, which is that compaudit also tries
to identify the user that owns the zsh binary itself, and allows fpath
directories to be owned by that user as well as root or the current user.

Do you in fact have a case where the files in fpath are not owned by the
same user as the zsh binary?  If the binary and the function library ARE
owned by the same user, perhaps there is an ownership test you can help
us improve.  Currently it examines
    /proc/$$/exe
    /proc/$$/object/a.out

There's also some special code for debian.  If your situation is common on
some particular distribution, perhaps we need to special-case that, too.

} So, can the admin and/or wheel group be added to this set of
} exceptions? Or, is it simpler to just add the ignore flag to
} *compinit* on the system in question?

You probably want "compinit -u" (the "use the library anyway" flag) rather
than the ignore flag.

next prev parent reply	other threads:[~2015-06-08  7:49 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-06-07 19:09 Stephen Romansky
2015-06-08  7:48 ` Bart Schaefer [this message]
2015-06-08 23:25   ` Stephen Romansky

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=150608004847.ZM27819@torch.brasslantern.com \
    --to=schaefer@brasslantern.com \
    --cc=sk.romansky@gmail.com \
    --cc=zsh-workers@zsh.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/zsh/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).