Mail Archives: cygwin-developers/2001/04/18/06:12:00
----- Original Message -----
From: "Corinna Vinschen" <vinschen AT redhat DOT com>
To: <cygwin-developers AT cygwin DOT com>
Sent: Wednesday, April 18, 2001 8:05 PM
Subject: Re: handle protection - please comment
> On Wed, Apr 18, 2001 at 10:54:06AM +1000, Robert Collins wrote:
> > This is just a follow up to Egor's proposed server for handle control.
> >
> > On NT/2K, it should give exactly the desired permissions, no more, no
> > less.
>
> For that purpose there are two functions declared in security.h:
>
> PSECURITY_ATTRIBUTES sec_user (PVOID sa_buf, PSID sid2 = NULL, BOOL inherit = TRUE);
> PSECURITY_ATTRIBUTES sec_user_nih (PVOID sa_buf, PSID sid2 = NULL);
>
> For the usage have a look into sigproc.cc, function `getsem' or
> fork.cc, function `fork_parent'.
>
> Corinna

The problem with them is that they don't provide any granularity. Using
alloc_sd, we can specify the access appropriately for each object. I.e.
shmget takes a flags parameter that includes a file mode (i.e. 0666). How
do we get an NT security descriptor for 0666 to pass to
CreateFileMapping for instance?

The thing Egor was talking about was child processes needing to read the
parent's open handles, and that programs that setuid are apparently
setting the perms to everyone, all to allow the child process with its
different uid to read the handles. He was proposing a server model,
which I don't like because
a) it adds complexity and overhead
b) I don't believe _we_ should be doing the access checking, we should
be passing that back to NT to do.

Rob
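
An added example, not part of the original message and not Cygwin's alloc_sd: one way to turn a POSIX mode such as 0666 into a DACL, written as an SDDL string that ConvertStringSecurityDescriptorToSecurityDescriptor (Windows 2000 and later) can convert for use in a SECURITY_ATTRIBUTES. The function names, the mapping of r/w/x to generic rights and the SIDs are assumptions made for illustration; modes that would need deny ACEs are rejected rather than approximated.

```c
#include <stdio.h>
#include <string.h>

/* Append one allow ACE "(A;;<rights>;;;<sid>)" for an rwx triplet (0..7). */
static int add_ace(char *buf, size_t len, size_t *off, unsigned bits,
                   const char *sid)
{
    char r[7] = "";
    int n;
    if (bits == 0) return 0;          /* no ACE: this class gets no access */
    if (bits & 4) strcat(r, "GR");    /* r -> GENERIC_READ    */
    if (bits & 2) strcat(r, "GW");    /* w -> GENERIC_WRITE   */
    if (bits & 1) strcat(r, "GX");    /* x -> GENERIC_EXECUTE */
    n = snprintf(buf + *off, len - *off, "(A;;%s;;;%s)", r, sid);
    if (n < 0 || (size_t)n >= len - *off) return -1;   /* truncated */
    *off += (size_t)n;
    return 0;
}

/* Build a protected DACL in SDDL from a POSIX mode. Returns 0, or -1 on bad
   mode, short buffer, or a mode that needs deny ACEs (e.g. 0066). */
int mode_to_sddl(unsigned mode, const char *owner_sid, const char *group_sid,
                 char *buf, size_t len)
{
    unsigned u = (mode >> 6) & 7, g = (mode >> 3) & 7, o = mode & 7;
    size_t off = 3;
    if (mode > 0777 || len < 4) return -1;
    if ((g & ~u) || (o & ~g)) return -1;   /* narrower class has fewer rights */
    strcpy(buf, "D:P");               /* P: do not inherit parent ACEs */
    if (add_ace(buf, len, &off, u, owner_sid) ||
        add_ace(buf, len, &off, g, group_sid) ||
        add_ace(buf, len, &off, o, "WD"))       /* WD = Everyone */
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed SIDs, for illustration only. */
    const char *own = "S-1-5-21-1-2-3-1001", *grp = "S-1-5-21-1-2-3-513";
    unsigned modes[] = { 0666, 0640, 0600, 0066 };
    char sddl[256]; size_t i;
    for (i = 0; i < sizeof modes / sizeof modes[0]; i++)
        if (mode_to_sddl(modes[i], own, grp, sddl, sizeof sddl) == 0)
            printf("%04o -> %s\n", modes[i], sddl);
        else
            printf("%04o -> needs deny ACEs or bad input\n", modes[i]);
    return 0;
}
```

The generic rights in each ACE are translated to object-specific rights by the generic mapping of the object type the descriptor is applied to, so the same string can serve a file mapping or a semaphore.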