This is the mail archive of the cygwin-patches@cygwin.com mailing list for the Cygwin project.
Each Cygwin process publishes information about itself (e.g. pid, ppid, uid, gid, ...) in a _pinfo file mapping. Currently Everyone has write access to the _pinfo file mapping. Thus Everyone can change a process uid and gid. By changing its uid and gid, one can trick a daemon into logging in a user with a SYSTEM access token. I have not examined the security risk involved in being able to change the other members of _pinfo.

As for the mount file mapping, a safe solution relies on protecting the mapping with appropriate security attributes. Everyone should have Read access while RW access should only be given to the current user, Administrators and System. Processes that only need to read information will open the _pinfo mapping in read only mode.

It will take several incremental patches to reach this goal. This patch accomplishes a first step: pinfo::init will open a _pinfo mapping in RW mode only if it would create the mapping or if the new flag PID_MAP_RW is set. The flag PID_MAP_RW is added in the few pinfo constructors that need to write into _pinfo if it exists. I hope not to have forgotten any.

2003-09-11  Pierre Humblet <pierre.humblet@ieee.org>

* include/sys/cygwin.h: Rename PID_UNUSED to PID_MAP_RW.
* pinfo.cc (pinfo_init): Initialize myself->gid.
(pinfo::init): Create the "access" variable, set it appropriately and use it to specify the requested access.
* exceptions.cc (sig_handle_tty_stop): Add PID_MAP_RW in pinfo parent.
* signal.cc (kill_worker): Ditto for pinfo dest.
* syscalls.cc (setpgid): Ditto for pinfo p.
Attachment:
pinfo.diff
Description: Text document