Mailing-List: contact cygwin-developers-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-developers-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin-developers/>
List-Post: <mailto:cygwin-developers AT cygwin DOT com>
List-Help: <mailto:cygwin-developers-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-developers-owner AT cygwin DOT com
Delivered-To: mailing list cygwin-developers AT cygwin DOT com
Message-ID: <3DCFF8AE.66CBD751@ieee.org>
Date: Mon, 11 Nov 2002 13:36:30 -0500
From: "Pierre A. Humblet" <Pierre DOT Humblet AT ieee DOT org>
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: cygwin-developers AT cygwin DOT com
Subject: Re: ntsec patch #4: passwd and group
References: <3DCBD52C DOT A1F794FD AT ieee DOT org> <20021108171918 DOT P21920 AT cygbert DOT vinschen DOT de> <3DCBEFF5 DOT 850B999E AT ieee DOT org> <20021111145612 DOT T10395 AT cygbert DOT vinschen DOT de> <3DCFC6BB DOT 570DF472 AT ieee DOT org> <20021111174720 DOT X10395 AT cygbert DOT vinschen DOT de> <3DCFE314 DOT 3B5B45AB AT ieee DOT org> <20021111183423 DOT A10395 AT cygbert DOT vinschen DOT de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Corinna Vinschen wrote:

> 
> But 2 is not an issue.  The appl. called getpwuid once and then the
> static buffer contains data.  That's it. 

At this point the application may do an open (), stat () or setuid (), 
intending to use the static buffer immediately after those calls
(a likely scenario with setuid () ?). However those calls may invalidate 
the pointers in the buffer.
I am not saying that this is a problem that needs immediate fixing,
only that it is an area of non-compliance. We may want to pay attention
to it when we revisit pw/gr to address the thread issues. 
 
> The *next* call copies
> other data into the static buffer.  Is there any sense to keep the
> static buffer in sync even though the application doesn't call
> the function again?  I don't think so.  It's even dangerous.
 
> I didn't get any email in October so I only saw your patch #4.
> I thought we would start from the beginning when I return from
> vacation.

I thought I had sent them in November, after you came back 
(after you sent the sshd update), but then you probably got a lot 
to do those days. Nothing has changed on my side, could you pick them 
up on the list? Thanks.

Pierre