handle protection - please comment

Corinna Vinschen vinschen@redhat.com
Wed Apr 18 11:29:00 GMT 2001

On Wed, Apr 18, 2001 at 08:50:20PM +0400, egor duda wrote:
> CV> Uhm, ok, but from my point of view it's an academic problem.
> CV> The PROCESS_DUP_HANDLE permission on a process handle does _not_
> CV> open up the other handles of a process if the access rights of
> CV> these handles are set using appropriate values.
> not academic, but rather practical. unfortunately. here's the
> demonstration.
> CV> For example process A has a handle H with ALL_ACCESS for the user
> CV> of A and with R/O for the world. Giving it's process handle to
> CV> process B of another user doesn't allow suddenly R/W access to
> CV> process B. The user of B doesn't have that permission. So he's
> CV> stuck at that point. It's in the responsibility of process A not
> CV> to open up it's resources to others.
> gcc -o /tmp/t.exe t.c
> from admin account:
> $ echo "secret info" > /tmp/secret
> $ chmod 600 /tmp/secret
> from normal user account start /tmp/t.exe
> it'll print 'slave pid=<some pid>'
> and blocks waiting for input.
> then switch to admin account and run '/tmp/t.exe <slave_pid>'
> it'll print 'master handle=<handle1> object handle=<handle2>'
> switch back to client account and input <handle1> and <handle2>
> values.
> now look what /tmp/secret contains.

I didn't test it but I assume it contains "Kaboom!". Hmm. I'm somewhat
distressed about that result. So the secure way to get a handle to any
shared object is by accessing it using names as suggested by Robert.
This doesn't apply to parent/child relations, obviously.

RC> The thing egor as talking about was child process's needing to read the
RC> parents open handles, and that programs than setuid are apparently
RC> setting the perms to everyone, all to allow the child process with it's
RC> different uid to read the handles. He was proposing a server model,

Wouldn't that problem (which originally was related to ttys) be resolved
if the master cares for the duplication?


Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

More information about the Cygwin-developers mailing list