Mailing-List: contact cygwin-apps-help AT sourceware DOT cygnus DOT com; run by ezmlm
Sender: cygwin-apps-owner AT sourceware DOT cygnus DOT com
List-Subscribe: <mailto:cygwin-apps-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin-apps/>
List-Post: <mailto:cygwin-apps AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-apps-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/lists.html#faqs>
Delivered-To: mailing list cygwin-apps AT sources DOT redhat DOT com
Date: Sun, 29 Apr 2001 22:05:51 +0200
From: Corinna Vinschen <cygwin-apps AT cygwin DOT com>
To: cygwin-apps AT cygwin DOT com
Subject: Re: permissions for auth socket in cygwin port of openssh
Message-ID: <20010429220551.D22095@cygbert.vinschen.de>
Mail-Followup-To: cygwin-apps AT cygwin DOT com
References: <7734862689 DOT 20010428210439 AT logos-m DOT ru> <20010429215734 DOT C22095 AT cygbert DOT vinschen DOT de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010429215734.C22095@cygbert.vinschen.de>; from cygwin-apps@cygwin.com on Sun, Apr 29, 2001 at 09:57:34PM +0200

On Sun, Apr 29, 2001 at 09:57:34PM +0200, Corinna Vinschen wrote:
> On Sat, Apr 28, 2001 at 09:04:39PM +0400, egor duda wrote:
> > Hi!
> > 
> >   ssh-agent creates temp directory under /tmp with '600' permissions,
> > and actual socket file is created under it using default umask. under
> > unix, it's not a problem since nobody can read socket file if he have
> > no scan rights to the directory. But under win32 there exists a
> > separate privilege named "Bypass traverse checking", granted to
> > everybody by default, which allow reading file even if user have no
> > rights on directory. with my changes to AF_UNIX socket code, socket
> > security is provided by inability of unauthorized parties to read
> > socket file contents, but with "Bypass traverse checking" privilege,
> > they _can_ read it. attached patch is supposed to fix this.
> > 
> > 2001-04-28  Egor Duda  <deo AT logos-m DOT ru>
> > 
> >         * ssh-agent.c (main): On cygwin create auth socket with mode 600
> > 
> > egor.            mailto:deo AT logos-m DOT ru icq 5165414 fidonet 2:5020/496.19
> 
> Thanks Egor,
> 
> I will send the patch to the ssh mailing list, relative to the current
> in the CVS repository.

Oh, wait, is there a reason to not implement that by simply calling
chmod?

Index: ssh-agent.c
===================================================================
RCS file: /cvs/openssh_cvs/ssh-agent.c,v
retrieving revision 1.54
diff -u -p -r1.54 ssh-agent.c
--- ssh-agent.c	2001/04/04 01:53:21	1.54
+++ ssh-agent.c	2001/04/29 20:05:19
@@ -809,6 +809,9 @@ main(int ac, char **av)
 		perror("bind");
 		cleanup_exit(1);
 	}
+#ifdef HAVE_CYGWIN
+	chmod(socket_name, S_IRUSR | S_IWUSR);
+#endif
 	if (listen(sock, 5) < 0) {
 		perror("listen");
 		cleanup_exit(1);

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.