This is the mail archive of the
cygwin-developers@cygwin.com
mailing list for the Cygwin project.
Re: handle protection - please comment
Hi!
Wednesday, 18 April, 2001 Corinna Vinschen vinschen@redhat.com wrote:
>> well, we can remove or restrict rights on hMainProcess, but it'll just
>> make exploit a bit harder.
>> for example, process A may need to open some sensitive file he has
>> access to, and process B will be able to duplicate it.
>> Or i'll wait till some process calls fork(), and duplicate child's handle
>> it's got from CreateProcess()
CV> Uhm, ok, but from my point of view it's an academic problem.
CV> The PROCESS_DUP_HANDLE permission on a process handle does _not_
CV> open up the other handles of a process if the access rights of
CV> these handles are set using appropriate values.
not academic, but rather practical. unfortunately. here's the
demonstration.
CV> For example process A has a handle H with ALL_ACCESS for the user
CV> of A and with R/O for the world. Giving it's process handle to
CV> process B of another user doesn't allow suddenly R/W access to
CV> process B. The user of B doesn't have that permission. So he's
CV> stuck at that point. It's in the responsibility of process A not
CV> to open up it's resources to others.
gcc -o /tmp/t.exe t.c
from admin account:
$ echo "secret info" > /tmp/secret
$ chmod 600 /tmp/secret
from normal user account start /tmp/t.exe
it'll print 'slave pid=<some pid>'
and blocks waiting for input.
then switch to admin account and run '/tmp/t.exe <slave_pid>'
it'll print 'master handle=<handle1> object handle=<handle2>'
switch back to client account and input <handle1> and <handle2>
values.
now look what /tmp/secret contains.
Egor. mailto:deo@logos-m.ru ICQ 5165414 FidoNet 2:5020/496.19
t.c