This is the mail archive of the cygwin-patches@cygwin.com mailing list for the Cygwin project.



[Patch]: Improving tty_list security (part 1).


Now that the PROCESS_DUP_HANDLE security hole (part 1) is plugged,
the next easily exploitable security breach in the core of Cygwin lies
in the PROCESS_DUP_HANDLE privilege between parent and seteuid children.
<http://cygwin.com/ml/cygwin-developers/2003-09/msg00078.html>
That's close to the sig area currently being worked on by Chris,
so I won't touch it. 

Next is the tty_list. It is currently implemented as an array in
the cygwin_shared file mapping, which is writable by Everybody.

As requested, changes toward a secure implementation involve a series
of incremental patches. In fact this first one introduces
NO CHANGE in functionality nor in basic logic, only the level of 
abstraction is increased.

In particular all references to "cygwin_shared->ttys" have been
removed, except from two functions in tty.cc.

In addition a new class, "tinfo", has been defined. For the
moment it only includes a single member, which points to an 
element of cygwin_shared->tty.ttys, but it will eventually become
richer. It is shamelessly inspired by pinfo. 

To facilitate the review I would suggest starting with the change
in dcrt0.cc to understand the logic. Significant edits are in tty.h,
tty.cc and fhandler_tty.cc. The rest is minor. I have run with
those changes for 6 weeks, both on NT4 and WinME.

The subsequent patches on this topic will be a lot smaller although
they will contain real improvements. 
 
Pierre

2003-12-16  Pierre Humblet <pierre.humblet@ieee.org>

	* fhandler.h: Include tty.h.
	(fhandler_termios::tc): Change type to tinfo.
	(fhandler_termios::get_ttyp): Adjust for new type of tc.
	(fhandler_tty_master::init): Add argument.
	* tty.h: Add _TTY_H guard.
	(tty_list::terminate): Delete.
	(tty_list::get_tty): Delete.
	(tty_list::allocate_tty): Change type and arguments.
	(tty_list::connect_tty): Ditto.
	(class tinfo): Create.
	(attach_tty): Delete declaration.
	(create_tty_master): Change argument type.
	* dcrt0.cc (do_exit): Use tinfo constructor instead of accessing
	cygwin_shared->tty directly.
	* exceptions.cc (ctrl_c_handler): Ditto.
	* fhandler_console.cc (tty_list::get_tty): Delete.
	* fhandler_termios.cc (fhandler_termios::tcinit): Adjust for new type of tc.
	* fhandler_tty.cc (fhandler_tty_master::init): Add argument. Use it instead
	of accessing cygwin_shared->tty directly.
	(fhandler_tty_slave::open): Use tinfo method to connect to tty.
	(fhandler_pty_master::open): Use tinfo method to attach to tty.
	(fhandler_pty_master::tcgetattr): Use get_ttyp () to access
	cygwin_shared->tty.
	(fhandler_pty_master::tcsetattr): Ditto.
	* termios.cc: Include cygwin/version.h before fhandler.h.
	* tty.cc (tty_init): Reorganize to use a tinfo constructor.
	(create_tty_master): Change argument type, use it appropriately and pass it 
	to tty_master->init. Do not set myself->ctty.
	(attach_tty): Delete.
	(tty_terminate): Reorganize and merge with former tty_list::terminate. 
	Call logwtmp().
	(tty_list::terminate): Delete.
	(tty_list::connect_tty): Change type, add argument and reorganize to access
	cygwin_shared->tty directly.
	(tty_list::allocate_tty): Change type, add argument, reorganize to access 
	cygwin_shared->tty directly and pass argument to create_tty_master.
	

Attachment: tty.diff
Description: Text document

