This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

suid bit on executables?



Hello All,

I'm looking for an update on this problem, please...

As background:

Nearly three years ago now I got involved with Cygwin for a time and was
quite keen on security issues related to Cygwin's launching of programs
which should run as someone other than the user who requested the program
be run. On Unix systems (including Linux), there's a nifty feature called
the suid bit which one can set in the file system on executable programs
(always binaries and often scripts) in which the program in question will
run as the file owner, not the user - Cygwin supports the setting of this
bit but does not (did not?) honor it. This is distinctly different than a
program explicitly calling 'setuid' as using this feature lets _any_
program run as the file owner, not just special ones that were coded to
change user contexts.

At the time, this was a real work-in-progress and there was a new thing
called the cygserver which was just at the bleeding edge. I really wanted
to get involved and solve this but my management said no - and there's no
free-time in my life anymore so that was that.

A little over a year ago, I poked my nose under the tent to inquire about
this once more and in the interrim there had been a new cygserver and a
new ssh daemon, and I was very happy with the advance, but still things
were short of the SUID bit being honored...

Now, I read in the archives about something, apparently upcoming, called
cygdaemon... I read hints that cygdaemon helps address this problem.
Without digging into source code or anything, my guess would be that it's
a bit like cygserver but it's specifically intended for this on-the-fly
capability yet overcome Window's demand that there be a process with
SYSTEM privileges to do this.

I would love an update... Is this what cygdaemon is all about? Any chance
there's some beta code? (I note with little surprise that there's still
nothing in the documentaiton about cygserver, so of course I don't expect
anything on cygdaemon, either!)

If anyone can please comment, I'm all ears. I was just painfully reminded
today how really deeply needed this functionality is!

Thanks,
Richard

-- 
Richard Troy, Chief Scientist
Science Tools Corporation
rtroy@ScienceTools.com, 510-567-9957, http://ScienceTools.com/


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]