Mailing-List: contact cygwin-developers-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-developers-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin-developers/>
List-Post: <mailto:cygwin-developers AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-developers-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-developers-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin-developers AT sources DOT redhat DOT com
Message-ID: <010f01c100a4$9395f740$806410ac@local>
From: "Robert Collins" <robert DOT collins AT itdomain DOT com DOT au>
To: <cygwin-developers AT cygwin DOT com>
Subject: more security
Date: Sat, 30 Jun 2001 00:05:37 +1000
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
X-OriginalArrivalTime: 29 Jun 2001 13:53:16.0242 (UTC) FILETIME=[D8A41B20:01C100A2]

I just thought of a potential security hole - more stuff for the daemon. I'm
mailing for archive, not to request or offer a fix. I also haven't checked
the code due to being about to go to sleep...

The delete-on-close queue has no way of verifying that the poster of an item
there has the right to delete the file.

sample exploit in theory: user program in sshd adds system critical files to
the delete-on-close queue, without ever trying to open the files.

Admin comes along and runs cygwin process that access said files (say just
checking for #! even, and they get rm'd on close.

Rob