Zsh Mailing List Archive

Re: startup delay from compinit



On Oct 8, 11:29am, Anthony Heading wrote:
} Subject: Re: startup delay from compinit
}
} tried to nudge compaudit to accept that files which we have
} carefully installed with a special "application" group are
} _not_ in fact insecure.

This sounds like a job for a zstyle.  "trusted-groups" or some such?
I'll think about it and perhaps send a patch to zsh-workers later.

} Thanks for the help - I'll have to mull how best to fix
} this - turning off security measures (i.e. using -u here)
} isn't normally appealing on principle, but when the checking
} rules admit to being so arbitrary and system-conditional
} they're clearly not always going to work.

The major problem with compaudit is of course that if you compromise
the directory where compaudit itself lives, then everything else it
does is suspect.

Also, I recently noticed that compaudit is not handling symbolic links
properly.  Patch below.
 
} PS. Small patch for conceptual anachronism.  (Young people
} today blaa blaa, think they invented everything...)  It's
} actually misleading, because it doesn't appear to apply
} only to RedHat, yet there is code which is Debian specific
} in the file.

There's really a vendor other than RedHat who regularly creates a group
for each user with the same name as the username?  Who?  In the early
1990s I was porting software to something like 25 unix variants, and I'd
never encountered it before RedHat 5 came out.

In any case that comment is there because I ran into issues with the
per-user groups on my RedHat system and wrote that code to compensate.
The comment as it stands is historically accurate; I deliberately made
the code not care if the system actually was RedHat, but RedHat is the
reason it's there.  The Debian-specific stuff was added much later, by
someone else.

Here's the symlinked fpath directories patch.  Essentially, we have to
follow symlinks when testing the files themselves, and appending /.. to
a symlink will find the parent of the directory to which the symlink
refers, rather than the directory containing the symlink -- the latter
is really the one we care about.

Index: Completion/compaudit
===================================================================
--- compaudit	15 Sep 2001 19:16:20 -0000	1.3
+++ compaudit	8 Oct 2003 03:19:16 -0000
@@ -102,11 +102,11 @@
 #   (including zwc files)
 
 if [[ $GROUP == $LOGNAME && ( -z $GROUPMEM || $GROUPMEM == $LOGNAME ) ]]; then
-  _i_wdirs=( ${^fpath}(Nf:g+w:^g:${GROUP}:,f:o+w:,^u0u${EUID})
-             ${^fpath}/..(Nf:g+w:^g:${GROUP}:,f:o+w:,^u0u${EUID}) )
+  _i_wdirs=( ${^fpath}(N-f:g+w:^g:${GROUP}:,-f:o+w:,-^u0u${EUID})
+             ${^fpath:h}(N-f:g+w:^g:${GROUP}:,-f:o+w:,-^u0u${EUID}) )
 else
-  _i_wdirs=( ${^fpath}(Nf:g+w:,f:o+w:,^u0u${EUID})
-             ${^fpath}/..(Nf:g+w:,f:o+w:,^u0u${EUID}) )
+  _i_wdirs=( ${^fpath}(N-f:g+w:,-f:o+w:,-^u0u${EUID})
+             ${^fpath:h}(N-f:g+w:,-f:o+w:,-^u0u${EUID}) )
 fi
 
 if [[ -f /etc/debian_version ]]
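Review bot: In both branches, replacing `${^fpath}/..` with `${^fpath:h}` on the second `_i_wdirs` element means the parent of the directory that a symlinked fpath entry points to is no longer tested; only the directory holding the link is. If the target's parent is group- or world-writable, the target directory can still be renamed and replaced, so consider keeping the `/..` element alongside the new `:h` one. The comment block above the assignment should also say that the `-` toggle makes the qualifiers apply to the link target rather than to the link.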
@@ -115,8 +115,8 @@
 _i_wdirs=( ${_i_wdirs:#/usr/local/*} ${^_i_ulwdir}(Nf:g+ws:^g:staff:,f:o+w:,^u0) )
 fi
 
-_i_wdirs=( $_i_wdirs ${^fpath}.zwc^([^_]*|*~)(N^u0u${EUID}) )
-_i_wfiles=( ${^fpath}/^([^_]*|*~)(N^u0u${EUID}) )
+_i_wdirs=( $_i_wdirs ${^fpath}.zwc^([^_]*|*~)(N-^u0u${EUID}) )
+_i_wfiles=( ${^fpath}/^([^_]*|*~)(N-^u0u${EUID}) )
 
 case "${#_i_wdirs}:${#_i_wfiles}" in
 (0:0) _i_q= ;;
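Review bot: The unchanged Debian line in this hunk's context, `${^_i_ulwdir}(Nf:g+ws:^g:staff:,f:o+w:,^u0)`, does not get the `-` toggle that the `.zwc` and file tests below it now have, so a symlinked `_i_ulwdir` entry is still judged by the mode and owner of the link itself. Either add `-` to each alternative there as well, or add a comment saying why that branch is exempt.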

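The difference between appending `/..` to a symlinked directory and taking the directory that contains the link, as described in the message above, shown as an added example in POSIX sh (not code from compaudit or from the patch). The function names and the temporary layout are constructed for illustration; the audit here also checks the parent of the link's target, which goes beyond what the patch tests.

```sh
#!/bin/sh
# Added example, not part of compaudit. All function names are hypothetical.

# Parent found by appending /.. : the kernel resolves the symlink first,
# so this is the parent of the link's target.
parent_via_dotdot() { (cd -P -- "$1/.." && pwd -P); }

# Directory that holds the entry itself, which is what ${fpath:h} names.
parent_via_head() { (cd -P -- "$(dirname -- "$1")" && pwd -P); }

# True if the path, after following symlinks, is group- or other-writable.
is_loose() {
  case "$(ls -ldL -- "$1" | cut -c1-10)" in
    ?????w*|????????w*) return 0 ;;
  esac
  return 1
}

# Print every loose directory tied to one fpath-style entry: the entry,
# the directory containing it, and the parent of its target.
audit_entry() {
  for d in "$1" "$(parent_via_head "$1")" "$(parent_via_dotdot "$1")"; do
    if is_loose "$d"; then printf '%s\n' "$d"; fi
  done | sort -u
}

# Constructed layout: links/funcs -> real/parent/funcs, with only
# real/parent left group- and world-writable.
make_demo() {
  root=$(mktemp -d) && root=$(cd -P -- "$root" && pwd -P) || return 1
  mkdir -p "$root/real/parent/funcs" "$root/links"
  chmod 755 "$root/real" "$root/real/parent/funcs" "$root/links"
  chmod 777 "$root/real/parent"
  ln -s ../real/parent/funcs "$root/links/funcs"
  printf '%s\n' "$root"
}

demo=$(make_demo)
echo "containing dir : $(parent_via_head "$demo/links/funcs")"
echo "target's parent: $(parent_via_dotdot "$demo/links/funcs")"
echo "loose          : $(audit_entry "$demo/links/funcs")"
rm -rf "$demo"
```
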

