Mail Archives: cygwin-developers/2001/04/18/18:11:54
----- Original Message -----
From: "egor duda" <deo AT logos-m DOT ru>
To: "Corinna Vinschen" <cygwin-developers AT cygwin DOT com>
Sent: Thursday, April 19, 2001 4:57 AM
Subject: Re: handle protection - please comment
> Hi!
>
> Wednesday, 18 April, 2001 Corinna Vinschen vinschen AT redhat DOT com wrote:
>
> >> now look what /tmp/secret contains.
>
> CV> I didn't test it but I assume it contains "Kaboom!". Hmm. I'm
somewhat
> CV> distressed about that result. So the secure way to get a handle to
any
> CV> shared object is by accessing it using names as suggested by
Robert.
> CV> This doesn't apply to parent/child relations, obviously.
>
> yes. or via trusted server process running under administrator
> account. i suppose PSTORES.EXE (MS' "Protected storage service" is
> used for somthing like this).
Hmm.. could we use pstores?
> RC>> The thing egor as talking about was child process's needing to
read the
> RC>> parents open handles, and that programs than setuid are
apparently
> RC>> setting the perms to everyone, all to allow the child process
with it's
> RC>> different uid to read the handles. He was proposing a server
model,
>
> CV> Wouldn't that problem (which originally was related to ttys) be
resolved
> CV> if the master cares for the duplication?
>
> but slave may also care to not allow master to get into its address
> space or read/write its files. yeah, it's slave, but that doesn't mean
> it have no natural human (err, i mean process :-) ) rights.
Well actually :}As the parent can't launch a process in a higher context
that it is in..?
Hmm, but what about setuid applications, a hacked bash for instance
could launch ssh on the users request, and then get nasty...
I think it matchs the unix model though - runner beware.
>
> Egor. mailto:deo AT logos-m DOT ru ICQ 5165414 FidoNet
2:5020/496.19
>
>
>
- Raw text -