Mailing-List: | contact cygwin-developers-help AT sourceware DOT cygnus DOT com; run by ezmlm |
List-Subscribe: | <mailto:cygwin-developers-subscribe AT sources DOT redhat DOT com> |
List-Archive: | <http://sources.redhat.com/ml/cygwin-developers/> |
List-Post: | <mailto:cygwin-developers AT sources DOT redhat DOT com> |
List-Help: | <mailto:cygwin-developers-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs> |
Sender: | cygwin-developers-owner AT sources DOT redhat DOT com |
Delivered-To: | mailing list cygwin-developers AT sources DOT redhat DOT com |
Message-ID: | <010f01c100a4$9395f740$806410ac@local> |
From: | "Robert Collins" <robert DOT collins AT itdomain DOT com DOT au> |
To: | <cygwin-developers AT cygwin DOT com> |
Subject: | more security |
Date: | Sat, 30 Jun 2001 00:05:37 +1000 |
I just thought of a potential security hole - more stuff for the daemon. I'm mailing for archive, not to request or offer a fix. I also haven't checked the code due to being about to go to sleep...

The delete-on-close queue has no way of verifying that the poster of an item there has the right to delete the file.

Sample exploit in theory: a user program in sshd adds system-critical files to the delete-on-close queue, without ever trying to open the files. An admin comes along and runs a cygwin process that accesses said files (say, just checking for #! even), and they get rm'd on close.

Rob
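The gap described in the message above, as an added example that is not part of the original post and is not Cygwin code: a minimal model of a delete-on-close queue with and without a check on the poster's rights. The queue layout, function names, uids, sample paths and the ownership-based check are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not Cygwin code: every name here is hypothetical. */
#define MAX_Q 8
struct file { const char *path; int owner; };
static const struct file files[] = {          /* constructed sample files */
    { "/bin/sh",            0 },              /* owned by the admin (uid 0 in this model) */
    { "/home/user/tmp.dat", 1000 },
};

struct doc_queue { const char *paths[MAX_Q]; int n; };

/* Stand-in for a real access check: only the owner or the admin may delete. */
static int may_delete(int uid, const char *path) {
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        if (strcmp(files[i].path, path) == 0)
            return uid == 0 || uid == files[i].owner;
    return 0;                                 /* unknown path: refuse */
}

/* Post a path to the queue. With verify == 0 this is the behaviour the
 * mail worries about: the poster's rights are never consulted. */
static int doc_post(struct doc_queue *q, int uid, const char *path, int verify) {
    if (q->n == MAX_Q) return 0;
    if (verify && !may_delete(uid, path)) return 0;
    q->paths[q->n++] = path;
    return 1;
}

/* Called when any process closes `path`; returns 1 if the queue would
 * cause the file to be removed, whoever the closing process is. */
static int doc_on_close(struct doc_queue *q, const char *path) {
    for (int i = 0; i < q->n; i++)
        if (strcmp(q->paths[i], path) == 0) {
            q->paths[i] = q->paths[--q->n];   /* drop the entry */
            return 1;
        }
    return 0;
}

int main(void) {
    struct doc_queue open_q = {0}, checked_q = {0};
    doc_post(&open_q, 1000, "/bin/sh", 0);    /* unprivileged poster, no check */
    doc_post(&checked_q, 1000, "/bin/sh", 1); /* same request, rights verified */
    printf("unverified queue deletes on admin close: %d\n", doc_on_close(&open_q, "/bin/sh"));
    printf("verified queue deletes on admin close:   %d\n", doc_on_close(&checked_q, "/bin/sh"));
    return 0;
}
```

The check runs at post time against the poster's identity, so the identity of the process that later closes the file no longer decides whether the deletion happens.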