This is the mail archive of the cygwin-developers mailing list for the Cygwin project.
Re: Request for help debugging screen problem
On Fri, Feb 05, 2010 at 04:28:26PM +0100, Corinna Vinschen wrote:
>On Feb 5 10:00, Christopher Faylor wrote:
>> Ah, right. So, I have never debugged the tty handling in cygserver. Is
>
>Same here.
>
>> this the root cause of some of the screen error reports?
>
>I can't tell about the screen problem, but I've been wondering for a while
>whether the tty handle stuff in Cygserver is really required, or if we should
>drop this code.
>
>How exactly was the default mechanism supposed to be a security hole?
>IIRC the idea was that the inferior process has PROCESS_DUP_HANDLE
>permission on the tty master process. That's by definition not a
>security problem if the inferior process is running in the same user
>context as the tty master process anyway. So we just have to look at
>the case of the inferior running in another user context:
>
>- If the inferior process user is an admin user, there's also no
> security problem, because the admin user has by design other ways to
> exploit the tty master process.
>
>- If the inferior process is running under a non-privileged account,
> then the security settings of the tty master process handles are
> marking the border. If the security settings are correct, nothing bad
> should happen. If the security settings are bad, it's a bug in Cygwin
> and should be fixed there.
>
>Am I missing something? If not, I don't see a reason to keep the
>cygserver way of creating inferior process pty handles.
>
>If we really want to make this more secure, there's very likely another
>simple method to get the pipe handles without having to open the tty
>master process with PROCESS_DUP_HANDLE access. For instance, what if we
>create pty pipes with the ability to take unlimited connections
>(PIPE_UNLIMITED_INSTANCES), and then open the pty pipes by name?
I think that the tty stuff was added at my suggestion. For a while I
thought that having a dedicated cygwin server would be a good idea. It
could be used to mediate the allocation of ttys (and even fifos now
that I think of it). I think the security hole is due to the shared
memory region where the ttys are tracked, but I think we've probably
come a long way since the tty cygserver stuff was implemented.
So I vote to rip this out of cygwin. I'll do that this weekend (I'll
have a lot of time on my hands) if you agree.
cgf
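The alternative Corinna sketches in the quoted mail (create the pty pipes with PIPE_UNLIMITED_INSTANCES and a proper DACL, then let the inferior open them by name instead of being granted PROCESS_DUP_HANDLE on the tty master process) can be tried out in isolation. The following is an added illustration written for this page, not Cygwin or cygserver code, and it does not reproduce Cygwin's real pipe names or layout: the pipe name is a placeholder, and it assumes Windows PowerShell 5.1 on .NET Framework, where NamedPipeServerStream still takes a PipeSecurity argument directly.

```powershell
# Added example, not from the Cygwin sources.  Server side: a named pipe
# with unlimited instances whose DACL grants access only to the creating
# user.  Client side: open it by name, no handle duplication involved.
Add-Type -AssemblyName System.Core

$pipeName = 'demo-pty-0'    # hypothetical placeholder, not a Cygwin name
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

# DACL with a single ACE for the current user.  A process running under a
# different non-privileged account gets ERROR_ACCESS_DENIED from CreateFile
# on this name; nothing in the tty master process has to be exposed for that.
# An administrator can still take ownership, which matches the "admin has
# other ways anyway" point in the thread.
$sec  = [System.IO.Pipes.PipeSecurity]::new()
$rule = [System.IO.Pipes.PipeAccessRule]::new(
    $me,
    [System.IO.Pipes.PipeAccessRights]::FullControl,
    [System.Security.AccessControl.AccessControlType]::Allow)
$sec.AddAccessRule($rule)

# MaxAllowedServerInstances (-1) is what PIPE_UNLIMITED_INSTANCES means here:
# every inferior can get its own instance of the same name.
$server = [System.IO.Pipes.NamedPipeServerStream]::new(
    $pipeName,
    [System.IO.Pipes.PipeDirection]::InOut,
    [System.IO.Pipes.NamedPipeServerStream]::MaxAllowedServerInstances,
    [System.IO.Pipes.PipeTransmissionMode]::Byte,
    [System.IO.Pipes.PipeOptions]::None,
    4096, 4096,
    $sec)

# The check a reviewer would want: read the DACL back from the live object.
# Expect exactly one ACE, (A;;FA;;;<your SID>), and no entry for Everyone.
$sddl = $server.GetAccessControl().GetSecurityDescriptorSddlForm('Access')
"pipe DACL: $sddl"

# "Inferior" side: open by name in the same user context.  The connect
# succeeds before WaitForConnection because the instance is already listening.
$client = [System.IO.Pipes.NamedPipeClientStream]::new(
    '.', $pipeName, [System.IO.Pipes.PipeDirection]::InOut)
$client.Connect(1000)
$server.WaitForConnection()

# Round-trip one line to show the two ends are really connected.
$msg = [System.Text.Encoding]::ASCII.GetBytes("hello from the inferior`n")
$client.Write($msg, 0, $msg.Length)
$client.Flush()
$buf = New-Object byte[] 64
$n   = $server.Read($buf, 0, $buf.Length)
"server got: " + [System.Text.Encoding]::ASCII.GetString($buf, 0, $n).TrimEnd()

$client.Dispose()
$server.Dispose()
```

Running this twice in parallel from the same account works because of the unlimited instance count; running the client half from a second, non-admin account against a pipe created this way fails at Connect with an access-denied error, which is the boundary Corinna describes ("the security settings of the tty master process handles are marking the border"), now enforced by the pipe object's own DACL rather than by whatever the inferior could reach with PROCESS_DUP_HANDLE.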