Mail Archives: cygwin/2014/10/09/06:03:40

Date: Thu, 9 Oct 2014 12:03:17 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Cannot exec() program outside of /bin if PATH is unset
Message-ID: <20141009100317.GI29235@calimero.vinschen.de>
In-Reply-To: <5435714D.6060206@t-online.de>

On Oct  8 19:15, Christian Franke wrote:
> Corinna Vinschen wrote:
> >On Sep 15 16:35, Christian Franke wrote:
> >>...
> >I'm somewhat reluctant to add a call to SetDllDirectory to the Cygwin
> >DLL for two reasons.
> >
> >- Calling SetDllDirectory with an explicit dir doesn't just add this dir
> >   to the search path, it also removes the CWD from the search path.
> >   While I agree that this is a good thing from a security POV, can we be
> >   sure that this behaviour isn't needed somewhere, by somebody?
> >
> >- The fact that SetDllDirectory affects searching linked DLLs in calls
> >   to CreateProcess is undocumented.  Per the original MSDN pages,
> >   SetDllDirectory affects calls to LoadLibrary and LoadLibraryEx, but
> >   not linked DLLs when starting a child process.  The latter is only
> >   mentioned in a Community Addition:
> >
> >   http://msdn.microsoft.com/en-us/library/windows/desktop/ms686203%28v=vs.85%29.aspx
> >
> >Having said that, we can certainly test this, but I'm wondering
> >if an upstream Cygwin patch might be ok.  Something similar has been
> >applied to the portable OpenSSH repository years ago, so there's
> >precedent.
> 
> We could leave this open for now. I already added an easy workaround to
> postfix
> (add PATH=/usr/bin to import/export_environment default settings).

Ok.  Or... hmm.  The fact that using SetDllDirectory disallows searching
the CWD got me thinking twice.  Security-wise it would really be the
right thing to do.  Usually DLLs are in defined search paths:

- Application dir
- Application defined dirs
- System dirs

So, what scenario would actually break by removing CWD from the search
path?  Running tests in an libtoolized project dir, perhaps?  Is that a
valid concern or did libtool already take care of this?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
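As an added example (not part of this message, nor Cygwin's or libtool's code), a PowerShell check for the question raised above: which DLLs of a running process were resolved from outside its application directory and the Windows directories, and so must have come via CWD, a SetDllDirectory() directory or PATH. It assumes the auditing PowerShell has the same bitness as the target process, since Process.Modules cannot enumerate across bitness.

```powershell
# Added example (not from the thread): audit where a process's loaded DLLs came from.
# Anything outside the application directory and %SystemRoot% was found via CWD,
# a SetDllDirectory() dir, or PATH, and is what would break if CWD were dropped.
function Get-NonSystemModules {
    param([Parameter(Mandatory)][int]$ProcessId)

    $proc   = Get-Process -Id $ProcessId
    $appDir = Split-Path -Parent $proc.Path
    # Everything below %SystemRoot% (System32, SysWOW64, WinSxS, .NET) counts as system.
    $winDir = [Environment]::GetFolderPath('Windows')
    # The CWD of another process is not available here; the FromCwd column compares
    # against this PowerShell process's own working directory (assumption), which is
    # exact when auditing $PID or a child started from this shell.
    $cwd    = [Environment]::CurrentDirectory

    foreach ($m in $proc.Modules) {
        $dir   = Split-Path -Parent $m.FileName
        $inApp = $dir.TrimEnd('\') -ieq $appDir.TrimEnd('\')
        $inWin = $dir.StartsWith($winDir, [System.StringComparison]::OrdinalIgnoreCase)
        if (-not ($inApp -or $inWin)) {
            [pscustomobject]@{
                Module    = $m.ModuleName
                Directory = $dir
                FromCwd   = ($dir.TrimEnd('\') -ieq $cwd.TrimEnd('\'))
            }
        }
    }
}

# Audit this PowerShell process; pass the PID of a Cygwin child process to check that instead.
Get-NonSystemModules -ProcessId $PID | Format-Table -AutoSize
```

An empty result for a process means dropping CWD from the search path cannot change which DLLs it loads; a row with FromCwd = True is exactly the case the thread asks about.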
