Message-ID: <5416F946.7010905@t-online.de>
Date: Mon, 15 Sep 2014 16:35:50 +0200
From: Christian Franke <Christian.Franke@t-online.de>
To: cygwin@cygwin.com
Subject: Re: Cannot exec() program outside of /bin if PATH is unset
References: <5413271B.1010109@t-online.de> <54134A83.80107@redhat.com> <54135451.3060902@t-online.de> <601154762.20140913012935@yandex.ru> <541378C4.6030705@t-online.de> <54137BDE.6040907@redhat.com> <54137C7F.1040507@redhat.com> <541415B1.8090500@t-online.de> <541698CC.7090802@lysator.liu.se>
In-Reply-To: <541698CC.7090802@lysator.liu.se>

Peter Rosin wrote:
> On 2014-09-13 12:00, Christian Franke wrote:
>> Note that setting PATH=/bin on Cygwin does not fix the security problem in the DLL search order. Even with "SafeDllSearchMode" enabled, the current directory is always checked before PATH. Running some Cygwin program from /usr/sbin, /usr/local/bin, /usr/libexec, ... would load a possible malicious cyg*.dll from current directory regardless of PATH setting. Only programs in /bin are safe.
>>
>> Using SetDllDirectory("c:\\cygwin\\bin") somewhere in cygwin1.dll would fix this also.
> How could a call inside a DLL fix the library search order used
> to find that same DLL? Yes, it is possible (or likely) that
> SetDllDirectory fixes the immediate problem for processes that
> are started *by* cygwin1.dll, but it is not effective for Cygwin
> processes that are started by some direct use of the Win32 API.

Of course, and the same is true for any non-Cygwin program. The security 
fix is effective only for any CreateProcess()/LoadLibrary() call within 
the process which called SetDllDirectory(DIR_OF_SUBSYSTEM_DLLs).


> Also, SetDllDirectory will kill all attempts to run 32-bit
> Cygwin programs from 64-bit Cygwin (and vice versa).

For programs in /bin directory, there is no problem because the EXE's 
directory is always searched first for required DLLs. SetDllDirectory() 
then has no effect for cyg*.dll search order.

For other programs it also works because Windows (at least 7) apparently 
skips 32-bit DLLs when searching for 64-bit ones (and vice versa). It is 
then required that PATH contains the other Cygwin's /bin directory.

Testcase for calling 64-bit from 32-bit:

exe in /bin:

   SetDllDirectory("c:\\cygwin\\bin");
   unsetenv("PATH");
   execl("/cygdrive/c/cygwin64/bin/uname", "uname", "-a", (const char*)0);

exe not in /bin:

   SetDllDirectory("c:\\cygwin\\bin");
   setenv("PATH", "/cygdrive/c/cygwin64/bin", 1);
   execl("/cygdrive/c/cygwin64/usr/sbin/alternatives", "alternatives",
         (const char*)0);

In both cases, the SetDllDirectory() call does not break anything.

Cheers,
Christian
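
Added example (not part of the original message, and not Cygwin or Windows code): a small portable C model of the DLL search order as described in this thread, showing which directory supplies cygwin1.dll with and without a SetDllDirectory() directory in effect. The names resolve_dll, probe and disk, the directories c:\tmp\untrusted and c:\cygwin\usr\sbin, and the single-directory PATH are assumptions made for the illustration; skipping DLLs of the wrong bitness is modelled as reported in the message above.

```c
#include <stdio.h>
#include <string.h>

/* One DLL file in the constructed file system below. */
struct dll { const char *dir, *name; int bits; };

/* Constructed sample data: both Cygwin installs plus a planted copy. */
static const struct dll disk[] = {
    { "c:\\cygwin\\bin",    "cygwin1.dll", 32 },
    { "c:\\cygwin64\\bin",  "cygwin1.dll", 64 },
    { "c:\\tmp\\untrusted", "cygwin1.dll", 32 },   /* planted in the cwd */
};

/* Return dir if it holds `name` with matching bitness, else NULL.
   Skipping wrong-bitness DLLs is the behaviour reported in the message. */
static const char *probe(const char *dir, const char *name, int bits)
{
    for (size_t i = 0; dir && i < sizeof disk / sizeof disk[0]; i++)
        if (!strcmp(disk[i].dir, dir) && !strcmp(disk[i].name, name)
            && disk[i].bits == bits)
            return disk[i].dir;
    return NULL;
}

/* Model of the search order discussed in the thread. System directories
   are left out because they hold no cyg*.dll. Order: EXE directory, then
   the SetDllDirectory() directory if one is set (otherwise the current
   directory), then PATH. dll_dir == NULL means SetDllDirectory() was not
   called; path is one directory or NULL (simplifying assumption). */
const char *resolve_dll(const char *exe_dir, int bits, const char *cwd,
                        const char *dll_dir, const char *path,
                        const char *name)
{
    const char *order[3] = { exe_dir, dll_dir ? dll_dir : cwd, path };
    for (int i = 0; i < 3; i++) {
        const char *hit = probe(order[i], name, bits);
        if (hit)
            return hit;
    }
    return NULL;   /* no candidate: the load would fail */
}

int main(void)
{
    /* 32-bit program outside /bin, started from the untrusted directory. */
    puts(resolve_dll("c:\\cygwin\\usr\\sbin", 32, "c:\\tmp\\untrusted", NULL, "c:\\cygwin\\bin", "cygwin1.dll"));
    puts(resolve_dll("c:\\cygwin\\usr\\sbin", 32, "c:\\tmp\\untrusted", "c:\\cygwin\\bin", "c:\\cygwin\\bin", "cygwin1.dll"));
    return 0;
}
```

The first call resolves to the planted copy in the current directory even though PATH is c:\cygwin\bin; the second resolves to c:\cygwin\bin because the current directory is no longer searched.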



