This is the mail archive of the
mailing list for the Cygwin project.
Re: Patch to pass file descriptors
"Corinna Vinschen" <email@example.com> wrote:
> More problematic is the approach to use cygserver for this. I've
> to Chris about passing descriptors and we agree in that we want to
> under all circumstances to find a solution which doesn't need

I thought that the main reason to use cygserver for this is for
security reasons. Your final paragraph mentions this issue but it's
not clear whether it's a complete solution (and I'm not fully up to
speed on the NT security model, so I've no idea). One issue tho' is
that you'll have to create the shared memory segment with global read
(and write) permissions since you've no idea of the security level of
the receiving process. If the sender then puts its process handle,
with the PROCESS_DUP_HANDLE privilege, into that shared memory, any
process on the system can read the shared memory and now has access to
*all* of the sender's handles (i.e., just run through all the small
integers running DuplicateHandle on them). You could put some
obfuscation into the system by generating random names for the shared
memory segment but that's still not ideal.

It's also not clear to me how secure Cygwin is intended to be: I
assume it should be no less secure than the underlying NT system, but
perhaps I've the wrong end of the stick here. But if such security is
the aim, it can't be achieved through this approach (AFAICS etc.).

In general, I thought that cygserver was intended for all such
inter-process communication to get around just this sort of problem.
(Not that I can see how to get file descriptor passing to work
properly via cygserver either, but I've not thought too much about it

I'd be interested to see a good solution to this sort of problem.