This is the mail archive of the cygwin-developers mailing list for the Cygwin project.



Re: Request for help debugging screen problem


Hi,

On 5/02/2010 3:46 PM, Corinna Vinschen wrote:
On Feb 5 10:32, Christopher Faylor wrote:
On Fri, Feb 05, 2010 at 04:28:26PM +0100, Corinna Vinschen wrote:
How exactly was the default mechanism supposed to be a security hole?
IIRC the idea was that the inferior process has PROCESS_DUP_HANDLE
permission on the tty master process.  That's by definition not a
security problem if the inferior process is running in the same user
context as the tty master process anyway.  So we just have to look at
the case of the inferior running in another user context:

- If the inferior process user is an admin user, there's also no
  security problem, because the admin user has by design other ways to
  exploit the tty master process.

- If the inferior process is running under a non-privileged account,
  then the security settings of the tty master process handles mark
  the border.  If the security settings are correct, nothing bad
  should happen.  If the security settings are bad, it's a bug in Cygwin
  and should be fixed there.

Am I missing something?  If not, I don't see a reason to keep the
cygserver way of creating inferior process pty handles.

If we really want to make this more secure, there's very likely another
simple method to get the pipe handles without having to open the tty
master process with PROCESS_DUP_HANDLE access.  For instance, what if we
create pty pipes with the ability to take unlimited connections
(PIPE_UNLIMITED_INSTANCES), and then open the pty pipes by name?

I think that the tty stuff was added at my suggestion. For a while I thought that having a dedicated cygwin server would be a good idea. It could be used to mediate the allocation of ttys (and even fifos now that I think of it). I think the security hole is due to the shared memory region where the ttys are tracked but I think we've probably come a long way since the tty cygserver stuff was implemented.

So I vote to rip this out of cygwin.  I'll do that this weekend (I'll
have a lot of time on my hands) if you agree.

In theory, yes, I would be glad. But please let's wait until we have figured out this pty problem first.

Do you think opening the pty by name and unlimited instances for pty
pipes would be a feasible approach?  Obviously OpenProcess is
causing some problems starting with Vista.

Do you think it has something to do with this (from http://msdn.microsoft.com/en-us/library/ms684320%28VS.85%29.aspx):


Remarks

To open a handle to another local process and obtain full access rights, you must enable the SeDebugPrivilege privilege. For more information, see Changing Privileges in a Token.

Would this be in the user token? How can I list which privileges are contained in the token for the mintty session and the ssh session?

Sorry, I'm scrambling here to understand this issue.

Regards,
Shaddy




Corinna
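The privilege question at the end of Shaddy's message, as an added example that is not part of the original thread and is not Cygwin's code: a Windows PowerShell 5.1 script that lists the current token's privileges and integrity label, reports whether SeDebugPrivilege is present and enabled, and then tries OpenProcess with PROCESS_QUERY_LIMITED_INFORMATION and with PROCESS_DUP_HANDLE against a target PID. Running it once in a mintty shell and once in an ssh session gives the side-by-side comparison asked for above. The P/Invoke wrapper, the Test-OpenProcess helper and the $TargetPid parameter are this example's own; the two access-right constants are the documented winnt.h values, and whoami.exe is the standard Windows tool.

```powershell
# Added example, not Cygwin's code. Run once inside mintty and once inside an
# ssh session and compare. $TargetPid is the Windows PID of the tty master
# (the WINPID column in Cygwin's ps); it defaults to this shell's own PID.
param([int]$TargetPid = $PID)

# Minimal P/Invoke wrapper (this example's own) for the OpenProcess call.
$k32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# Process access rights from winnt.h
$PROCESS_DUP_HANDLE                = 0x0040
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

function Get-TokenPrivileges {
    # whoami.exe is a standard Windows tool; CSV output parses cleanly.
    whoami /priv /fo csv | ConvertFrom-Csv
}

function Get-IntegrityLabel {
    # The integrity level is listed among the groups as a Label with an S-1-16-* SID.
    whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -like 'S-1-16-*' }
}

function Test-OpenProcess {
    param([int]$ProcessId, [uint32]$Access, [string]$Name)
    $h   = $k32::OpenProcess($Access, $false, [uint32]$ProcessId)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()   # 5 = ERROR_ACCESS_DENIED
    $ok  = ($h -ne [IntPtr]::Zero)
    if ($ok) { [void]$k32::CloseHandle($h); $err = 0 }
    [pscustomobject]@{ Access = $Name; Granted = $ok; Win32Error = $err }
}

$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
'User: {0}   Session: {1}   Admin token: {2}' -f $id.Name, (Get-Process -Id $PID).SessionId, $isAdmin
'Integrity label: {0}' -f (Get-IntegrityLabel | ForEach-Object { $_.'Group Name' })

'Token privileges:'
Get-TokenPrivileges | Format-Table 'Privilege Name', State -AutoSize | Out-String
$dbg = Get-TokenPrivileges | Where-Object { $_.'Privilege Name' -eq 'SeDebugPrivilege' }
if ($dbg) { "SeDebugPrivilege: present, $($dbg.State)" } else { 'SeDebugPrivilege: not in token' }

"OpenProcess on PID ${TargetPid}:"
@(
    Test-OpenProcess $TargetPid $PROCESS_QUERY_LIMITED_INFORMATION 'PROCESS_QUERY_LIMITED_INFORMATION'
    Test-OpenProcess $TargetPid $PROCESS_DUP_HANDLE                'PROCESS_DUP_HANDLE'
) | Format-Table -AutoSize | Out-String
```

Two things to keep in mind when reading the output: SeDebugPrivilege is only held by administrative tokens by default and is normally listed as Disabled until a process enables it with AdjustTokenPrivileges, and a Granted=False / Win32Error=5 result for PROCESS_DUP_HANDLE while PROCESS_QUERY_LIMITED_INFORMATION succeeds is the signature of the inferior's token not passing the tty master's process DACL. Comparing the user, session and integrity line between the mintty run and the ssh run is the first thing to check before digging into the privileges.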
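Corinna's alternative above (pipes created with PIPE_UNLIMITED_INSTANCES and opened by name rather than via OpenProcess with PROCESS_DUP_HANDLE), as an added example that is likewise not Cygwin's code: a Windows PowerShell 5.1 (.NET Framework) script in which the "master" creates two instances of the same named pipe with an explicit DACL, and two "inferiors" open it by name and round-trip a byte string each. The pipe name, the single-user DACL and the helper name New-PtyPipeInstance are this example's assumptions; the NamedPipeServerStream constructor that takes a PipeSecurity exists in .NET Framework only (PowerShell 7 on .NET would use NamedPipeServerStreamAcl.Create instead).

```powershell
# Added example, not Cygwin's code: pty pipes opened by name instead of via
# OpenProcess(PROCESS_DUP_HANDLE) on the tty master. Targets Windows
# PowerShell 5.1 (.NET Framework); the pipe name and ACL are assumptions.
$pipeName = 'cygwin-demo-pty0-from-master'          # hypothetical name
$owner    = [Security.Principal.WindowsIdentity]::GetCurrent().User

# The DACL on the pipe is the security border: only the creating user may
# open it, so an inferior in another user context gets ERROR_ACCESS_DENIED.
$rule = New-Object -TypeName System.IO.Pipes.PipeAccessRule -ArgumentList @(
    $owner,
    [System.IO.Pipes.PipeAccessRights]::ReadWrite,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = New-Object System.IO.Pipes.PipeSecurity
$acl.AddAccessRule($rule)

function New-PtyPipeInstance {
    # MaxAllowedServerInstances is PIPE_UNLIMITED_INSTANCES: every inferior
    # that opens the name gets its own instance of the same pipe.
    $ctorArgs = @(
        $pipeName,
        [System.IO.Pipes.PipeDirection]::InOut,
        [System.IO.Pipes.NamedPipeServerStream]::MaxAllowedServerInstances,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::Asynchronous,
        4096, 4096, $acl)
    New-Object -TypeName System.IO.Pipes.NamedPipeServerStream -ArgumentList $ctorArgs
}

# Master side: two instances waiting, as it would for two inferiors.
$servers = @(1..2 | ForEach-Object { New-PtyPipeInstance })
$pending = @($servers | ForEach-Object { $_.BeginWaitForConnection($null, $null) })

# Inferior side: open by name; no handle to the master process is needed.
$clients = @(1..2 | ForEach-Object {
    $c = New-Object System.IO.Pipes.NamedPipeClientStream('.', $pipeName, [System.IO.Pipes.PipeDirection]::InOut)
    $c.Connect(2000)     # timeout in milliseconds
    $c
})
for ($i = 0; $i -lt 2; $i++) { $servers[$i].EndWaitForConnection($pending[$i]) }

# Round-trip one message per instance to show the instances are independent.
for ($i = 0; $i -lt 2; $i++) {
    $msg = [Text.Encoding]::ASCII.GetBytes("hello from inferior $i")   # constructed sample
    $clients[$i].Write($msg, 0, $msg.Length)
    $clients[$i].Flush()
    $buf = New-Object byte[] 64
    $n   = $servers[$i].Read($buf, 0, $buf.Length)
    'master instance {0} got: "{1}"' -f $i, [Text.Encoding]::ASCII.GetString($buf, 0, $n)
}
($clients + $servers) | ForEach-Object { $_.Dispose() }
```

The check a practitioner would run with this is the cross-user one: leave the master half running as one account, then run only the client half from a shell logged in as a different non-administrative account. With the single-user DACL the Connect call fails with access denied, which is exactly the border Corinna describes, and nothing in that path ever needs PROCESS_DUP_HANDLE on the master. Creating the second instance would fail if the first had been created with an instance count of 1, which is why the unlimited-instances flag is the piece that makes open-by-name workable for more than one inferior.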


