Fri Jun 29 07:03:00 GMT 2001
I just thought of a potential security hole - more stuff for the daemon. I'm
mailing for archive, not to request or offer a fix. I also haven't checked
the code due to being about to go to sleep...
The delete-on-close queue has no way of verifying that the poster of an item
there has the right to delete the file.
Sample exploit in theory: a user program in sshd adds system-critical files to
the delete-on-close queue, without ever trying to open the files.
An admin comes along and runs a Cygwin process that accesses said files (say, just
checking for #! even), and they get rm'd on close.
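
The scenario in the message above, modelled as an added example that is not part of the original post and is not Cygwin code: a shared delete-on-close queue that records who posted each item and, when asked to, checks that poster's right to delete before acting. The uids, sample paths, function names and the owner-or-admin delete rule are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Cygwin code: uid 0 is the admin, paths are samples. */
struct file  { const char *path; int owner; bool exists; };
struct entry { const char *path; int poster; };   /* queued item + who posted it */

static struct file files[] = {
    { "/bin/critical.dll",  0,    true },
    { "/home/user/tmp.dat", 1000, true },
};
static struct entry queue[8];
static int queued;

struct file *lookup(const char *path) {
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        if (strcmp(files[i].path, path) == 0) return &files[i];
    return NULL;
}

/* Assumed, simplified right-to-delete rule: the owner or the admin. */
static bool may_delete(int uid, const struct file *f) {
    return uid == 0 || uid == f->owner;
}

/* Any process may post; the poster's identity is stored with the item. */
void post_delete_on_close(int poster, const char *path) {
    if (queued < 8) queue[queued++] = (struct entry){ path, poster };
}

/* Runs when any process closes `path`. check_poster == false deletes whatever
   was queued (the case the post describes); true requires that the poster
   itself had the right to delete. The entry is consumed either way. */
void on_close(const char *path, bool check_poster) {
    struct file *f = lookup(path);
    for (int i = 0; f && i < queued; i++) {
        if (strcmp(queue[i].path, path) != 0) continue;
        if (!check_poster || may_delete(queue[i].poster, f)) f->exists = false;
        queue[i] = queue[--queued];   /* drop the entry, recheck this slot */
        i--;
    }
}

int main(void) {
    post_delete_on_close(1000, "/bin/critical.dll");  /* unprivileged poster */
    on_close("/bin/critical.dll", true);              /* admin closes the file */
    printf("checked queue: exists=%d\n", lookup("/bin/critical.dll")->exists);
    return 0;
}
```

The check is made against the recorded poster, not against the process that happens to close the file, which is what keeps the closer from acting as a deputy for the poster.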