Mailing-List:	contact cygwin-developers-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe:	<mailto:cygwin-developers-subscribe AT sources DOT redhat DOT com>
List-Archive:	<http://sources.redhat.com/ml/cygwin-developers/>
List-Post:	<mailto:cygwin-developers AT sources DOT redhat DOT com>
List-Help:	<mailto:cygwin-developers-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender:	cygwin-developers-owner AT sources DOT redhat DOT com
Delivered-To:	mailing list cygwin-developers AT sources DOT redhat DOT com
Message-ID:	<010f01c100a4$9395f740$806410ac@local>
From:	"Robert Collins" <robert DOT collins AT itdomain DOT com DOT au>
To:	<cygwin-developers AT cygwin DOT com>
Subject:	more security
Date:	Sat, 30 Jun 2001 00:05:37 +1000
MIME-Version:	1.0
X-Priority:	3
X-MSMail-Priority:	Normal
X-Mailer:	Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE:	Produced By Microsoft MimeOLE V5.50.4522.1200
X-OriginalArrivalTime:	29 Jun 2001 13:53:16.0242 (UTC) FILETIME=[D8A41B20:01C100A2]

I just thought of a potential security hole - more stuff for the daemon. I'm
mailing for archive, not to request or offer a fix. I also haven't checked
the code due to being about to go to sleep...

The delete-on-close queue has no way of verifying that the poster of an item
there has the right to delete the file.

sample exploit in theory: user program in sshd adds system critical files to
the delete-on-close queue, without ever trying to open the files.

Admin comes along and runs cygwin process that access said files (say just
checking for #! even, and they get rm'd on close.

Rob

- Raw text -