security hole in tty handling code

Robert Collins robert.collins@itdomain.com.au
Thu Mar 29 11:57:00 GMT 2001


----- Original Message -----
From: "Egor Duda" <deo@logos-m.ru>
To: "Robert Collins" <robert.collins@itdomain.com.au>
Cc: <cygwin-developers@cygwin.com>
Sent: Thursday, March 29, 2001 5:12 PM
Subject: Re: security hole in tty handling code


> Hi!
>
> Thursday, 29 March, 2001 Robert Collins robert.collins@itdomain.com.au
wrote:
>
> RC> Why not just set the permissions and let the client calls fail if
they
> RC> aren't from the same user?
>
> because this will break applications that change user context, such as
> sshd.

Oh. Is there someway we can accomplish the same effect without a server?
Or perhaps the applications can pickup the handles before they change
context?

> RC> I've heard that
> RC> "server" based solutions like you've put toghether usually fail in
> RC> terminal server environments...
>
> do you have any evidence? anywaym, i think it's probably easy to test.
>
> Egor.            mailto:deo@logos-m.ru ICQ 5165414 FidoNet
2:5020/496.19
>

Anecdotal at best. However I can pull together a term serv environment
if needed to help test.

One key issue is that you may/will need Global shared objects to make
the server accessible across all logged in user sessions.

Rob



More information about the Cygwin-developers mailing list