Mailing-List: contact cygwin-developers-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-developers-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin-developers/>
List-Post: <mailto:cygwin-developers AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-developers-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-developers-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin-developers AT sources DOT redhat DOT com
Message-ID: <39760766.7DCBF763@cygnus.com>
Date: Wed, 19 Jul 2000 21:54:14 +0200
From: Corinna Vinschen <vinschen AT cygnus DOT com>
Reply-To: cygdev <cygwin-developers AT sources DOT redhat DOT com>
X-Mailer: Mozilla 4.73 [en] (X11; I; Linux 2.2.14-SMP i686)
X-Accept-Language: de, en
MIME-Version: 1.0
To: cygwin-developers AT sources DOT redhat DOT com
Subject: Re: login-1.3 can't work on the recent snapshots.
References: <s1su2e4mz1d DOT fsf AT jaist DOT ac DOT jp> <s1s7lai5b7i DOT fsf AT jaist DOT ac DOT jp> <20000719141458 DOT D17938 AT cygnus DOT com> <3975FB88 DOT 5A96123E AT cygnus DOT com> <20000719150450 DOT C18820 AT cygnus DOT com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Chris Faylor wrote:
> 
> On Wed, Jul 19, 2000 at 09:03:36PM +0200, Corinna Vinschen wrote:
> >Chris Faylor wrote:
> >>
> >> On Thu, Jul 20, 2000 at 01:36:17AM +0900, Kazuhiro Fujieda wrote:
> >> >>>> On 05 Jul 2000 23:28:46 +0900
> >> >>>> Kazuhiro Fujieda <fujieda AT jaist DOT ac DOT jp> said:
> >> >
> >> >> The login-1.3 of the net release seem not to work with the
> >> >> recent snapshots. I tested it with inetutils-1.3.2-4 under
> >> >> WinNT4 Sp6a and the latest snapshot.
> >> >>
> >> >> When I connected with in.telnetd, I was able to find the
> >> >> following message. But I couldn't start the remote session,
> >> >> because bash.exe spawned by login.exe was choked by the system
> >> >> error of "The application failed to initialize properly (0xc0000022).".
> >> >
> >> >I managed to find the cause of this problem.
> >> >
> >> >spawn_guts can modify values referred by `child', even though
> >> >there is a case where `child' == `myself'.
> >>
> >> Is this when spawn_guts is called to 'exec[lv]p?()' something?
> >
> >I don't understand then, why my impersonation stuff works at all.
> >All typical applications using that technique are using exec(),
> >not spawn().
> >
> >login-1.3 is still using `sexec..()' of course.
> 
> I'm not sure why it is a problem even for when child == myself,
> actually.

The below code could produce that (from spawn_guts):

==== SNIP ====
      /* Remove impersonation */
      uid_t uid = geteuid();
      if (myself->impersonated && myself->token != INVALID_HANDLE_VALUE)
        seteuid (myself->orig_uid);

      /* Set child->uid to USHRT_MAX to force calling
internal_getlogin()
         from child process. Set psid to NULL to play it safe. */
      child->uid = USHRT_MAX;
      child->psid = NULL;

      rc = CreateProcessAsUser (...);

      /* Restore impersonation */
      if (myself->impersonated && myself->token != INVALID_HANDLE_VALUE)
        seteuid (uid);
==== SNAP ====

Assuming that myself==child, the last part (restoring the impersonation)
would be able to influence the child. The child would get a uid which
is the wrong one and additionally forbids calling internal_getlogin.
Hmm.

Corinna

-- 
Corinna Vinschen
Cygwin Developer
Cygnus Solutions, a Red Hat company