more security

Robert Collins robert.collins@itdomain.com.au
Fri Jun 29 07:03:00 GMT 2001


I just thought of a potential security hole - more stuff for the daemon. I'm
mailing for archive, not to request or offer a fix. I also haven't checked
the code due to being about to go to sleep...

The delete-on-close queue has no way of verifying that the poster of an item
there has the right to delete the file.

sample exploit in theory: user program in sshd adds system critical files to
the delete-on-close queue, without ever trying to open the files.

Admin comes along and runs cygwin process that access said files (say just
checking for #! even, and they get rm'd on close.

Rob



More information about the Cygwin-developers mailing list