This is the mail archive of the cygwin-developers mailing list for the Cygwin project.



Re: Request for help debugging screen problem


On Feb  5 10:32, Christopher Faylor wrote:
> On Fri, Feb 05, 2010 at 04:28:26PM +0100, Corinna Vinschen wrote:
> >How exactly was the default mechanism supposed to be a security hole?
> >IIRC the idea was that the inferior process has PROCESS_DUP_HANDLE
> >permission on the tty master process.  That's by definition not a
> >security problem if the inferior process is running in the same user
> >context as the tty master process anyway.  So we just have to look at
> >the case of the inferior running in another user context:
> >
> >- If the inferior process user is an admin user, there's also no
> >  security problem, because the admin user has by design other ways to
> >  exploit the tty master process.
> >
> >- If the inferior process is running under a non-privileged account,
> >  then the security settings of the tty master process handles are
> >  marking the border.  If the security settings are correct, nothing bad
> >  should happen.  If the security settings are bad, it's a bug in Cygwin
> >  and should be fixed there.
> >
> >Am I missing something?  If not, I don't see a reason to keep the
> >cygserver way of creating inferior process pty handles.
> >
> >If we really want to make this more secure, there's very likely another
> >simple method to get the pipe handles without having to open the tty
> >master process with PROCESS_DUP_HANDLE access.  For instance, what if we
> >create pty pipes with the ability to take unlimited connections
> >(PIPE_UNLIMITED_INSTANCES), and then open the pty pipes by name?
> 
> I think that the tty stuff was added at my suggestion.  For a while I
> thought that having a dedicated cygwin server would be a good idea.  It
> could be used to mediate the allocation of ttys (and even fifos now
> that I think of it).  I think the security hole is due to the shared
> memory region where the ttys are tracked but I think we've probably
> come a long way since the tty cygserver stuff was implemented.
> 
> So I vote to rip this out of cygwin.  I'll do that this weekend (I'll
> have a lot of time on my hands) if you agree.

In theory, yes, I would be glad.  But please let's wait until we have
figured out this pty problem first.

Do you think opening the pty by name and unlimited instances for pty
pipes would be a feasible approach?  Obviously the OpenProcess is
making some problems starting with Vista.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

