Date: Thu, 14 Feb 2002 10:13:29 +0100
From: Corinna Vinschen
To: "Pierre A. Humblet"
Cc: cygwin
Subject: Re: More security issues
Message-ID: <20020214101329.O23094@cygbert.vinschen.de>
In-Reply-To: <3.0.5.32.20020213155051.007cce50@pop.ne.mediaone.net>

On Wed, Feb 13, 2002 at 03:50:51PM -0500, Pierre A. Humblet wrote:
> Corinna,
>
> please forget my previous message for now.

No problem (I'm very busy currently).

Just a side note I forgot in my previous posting. The sec_user() call
in CreateProcess() was never intended to set the default DACL (I didn't
even know that something like that exists when I added that) but to set
the permissions to access the process. If you're running processes under
different user accounts you can't kill processes of other accounts if
the SA is sec_all_nih. This is unfortunately also true for admins.
Even worse, admins can't stop processes running under SYSTEM account
(services).

Therefore, when using ntsec, the sec_user() call should set an SD with
explicit permissions for the process which always should allow access for

- the user
- admin
- system

and, if the process is started from a different user account under
setuid() conditions,

- the original user of the starting process

When I implemented this, the fork/exec implementation was pretty
different from today. As far as I remember, the code which copied data
from one process to the other needed access under the 2nd SID. This
could qualify for some code which could be pretty useless today. E.g.
your observation that RevertToSelf() could be dropped, probably.

Just if that's not clear, I'm really appreciating that you're trying
to get to the bottom of that code.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                  mailto:cygwin AT cygwin DOT com
Red Hat, Inc.