This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.



Re: Fixing the PROCESS_DUP_HANDLE security hole.


At 09:24 PM 9/27/2003 -0400, Christopher Faylor wrote:
>On Sat, Sep 27, 2003 at 07:13:07PM -0400, Pierre A. Humblet wrote:
>>There is an accurate comment: /* Allow the others to open us (for handle duplication) */
>>The proposed patch is avoiding the need for that.
>> 
>>>>b) proc_subproc:
>>>>      if (!DuplicateHandle (hMainProc, hMainProc, vchild->hProcess, &vchild->ppid_handle,
>>>>		0, TRUE, DUPLICATE_SAME_ACCESS)
>>>>should be changed to give no access rights to the duplicated handle.
>>>>This will still allow checking if the parent is alive, but not signaling it
>>>>or reparenting.
>>>
>>>Have you verified this on all platforms?  I don't think you can assume
>>>that ppid_handle will work correctly in a Wait* function if it is duplicated
>>>with no special access.
>>
>>Absolutely correct, SYNCHRONIZE is needed.
>
>Somehow I seem to remember that didn't work (even though I can't imagine
>why) but I wasn't clever enough to document why.  I guess it can't hurt
>to try it, advertise a snapshot, and ask for feedback.

Hmm, I'm not sure we're talking about the same thing.
The current code needs to duplicate with SYNCHRONIZE | PROCESS_DUP_HANDLE;
in fact that's how I have been running it for the past few days.
It won't run with SYNCHRONIZE alone. The goal is to make it do so, after
completion of your signal code rework and changes to the way reparenting
is done. In my mind, reparenting would use the signal pipe.

Pierre
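An added example, not Cygwin's code, written in C to exercise the difference the thread is about. A parent duplicates its own process handle into an inheritable handle with an explicit access mask instead of DUPLICATE_SAME_ACCESS, spawns a child, and the child reports what that handle permits. With SYNCHRONIZE | PROCESS_DUP_HANDLE (the current code), WaitForSingleObject works but the child can also pull a private event handle out of the parent's handle table, which is the hole; with SYNCHRONIZE alone (the proposed end state), the liveness check still works and the DuplicateHandle attempt fails with ERROR_ACCESS_DENIED. The function names, the policy helper ppid_handle_access and the private event standing in for "any handle the parent holds" are assumptions of this example, not part of Cygwin. The program is Windows-only; the non-Windows branch exists only so the policy helper compiles elsewhere.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Win32 access-mask values from winnt.h, so the policy helper below
   compiles on other platforms; the demo itself only runs on Windows. */
typedef unsigned long DWORD;
#define SYNCHRONIZE        0x00100000UL
#define PROCESS_DUP_HANDLE 0x0040UL
#endif

/* Hypothetical helper: rights the child needs on the duplicated parent handle.
   SYNCHRONIZE alone lets Wait* report whether the parent is alive; PROCESS_DUP_HANDLE
   is only needed while reparenting still works by duplicating handles out of the parent. */
static DWORD ppid_handle_access(int reparent_via_dup)
{
    return reparent_via_dup ? (SYNCHRONIZE | PROCESS_DUP_HANDLE) : SYNCHRONIZE;
}

#ifdef _WIN32
/* Child side: probe what the inherited parent handle actually permits. */
static int run_child(HANDLE parent, HANDLE parent_private)
{
    DWORD w = WaitForSingleObject(parent, 0);
    printf("  WaitForSingleObject: %s\n",
           w == WAIT_TIMEOUT ? "WAIT_TIMEOUT, parent alive (SYNCHRONIZE suffices)"
         : w == WAIT_FAILED  ? "WAIT_FAILED, handle lacks SYNCHRONIZE" : "signaled");

    /* The hole: with PROCESS_DUP_HANDLE on `parent`, the child can copy any
       handle out of the parent's table, here an event it was never given. */
    HANDLE stolen = NULL;
    if (DuplicateHandle(parent, parent_private, GetCurrentProcess(), &stolen,
                        0, FALSE, DUPLICATE_SAME_ACCESS)) {
        printf("  DuplicateHandle out of parent: SUCCEEDED, hole is open\n");
        CloseHandle(stolen);
    } else {
        printf("  DuplicateHandle out of parent: failed, error %lu (5 = ERROR_ACCESS_DENIED)\n",
               GetLastError());
    }
    /* Neither mask includes PROCESS_TERMINATE, so killing the parent fails either way. */
    printf("  TerminateProcess: %s\n",
           TerminateProcess(parent, 99) ? "SUCCEEDED (unexpected)" : "denied");
    return 0;
}

/* Parent side: duplicate our own process handle with the given rights, make it
   inheritable, and spawn a child that reports what it can do with it. */
static int run_parent(const char *self, DWORD access, const char *label)
{
    HANDLE ppid_handle = NULL;
    /* Same shape as the quoted call, but with an explicit access mask
       and without DUPLICATE_SAME_ACCESS. */
    if (!DuplicateHandle(GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),
                         &ppid_handle, access, TRUE /* inheritable */, 0)) {
        printf("DuplicateHandle failed: %lu\n", GetLastError());
        return 1;
    }
    /* A non-inheritable handle the child should have no way to reach. */
    HANDLE private_ev = CreateEventA(NULL, TRUE, FALSE, NULL);

    /* Inherited handles keep their numeric value, so pass the values on the command line. */
    char cmd[MAX_PATH + 64];
    snprintf(cmd, sizeof cmd, "\"%s\" child %llu %llu", self,
             (unsigned long long)(ULONG_PTR)ppid_handle,
             (unsigned long long)(ULONG_PTR)private_ev);
    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi;
    printf("parent: child inherits parent handle with %s\n", label);
    if (!CreateProcessA(NULL, cmd, NULL, NULL, TRUE /* inherit handles */,
                        0, NULL, NULL, &si, &pi)) {
        printf("CreateProcess failed: %lu\n", GetLastError());
        return 1;
    }
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hThread);  CloseHandle(pi.hProcess);
    CloseHandle(private_ev);  CloseHandle(ppid_handle);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc == 4 && strcmp(argv[1], "child") == 0)
        return run_child((HANDLE)(ULONG_PTR)strtoull(argv[2], NULL, 10),
                         (HANDLE)(ULONG_PTR)strtoull(argv[3], NULL, 10));
    char self[MAX_PATH];
    GetModuleFileNameA(NULL, self, MAX_PATH);
    run_parent(self, ppid_handle_access(1), "SYNCHRONIZE | PROCESS_DUP_HANDLE (current)");
    run_parent(self, ppid_handle_access(0), "SYNCHRONIZE only (proposed)");
    return 0;
}
#else
int main(void) { puts("This demo exercises Win32 handle rights; run it on Windows."); return 0; }
#endif
```

Build it with a Windows C compiler (for instance MinGW gcc) and run it without arguments; the program spawns itself twice as the child. The first run shows the liveness check and the handle theft both succeeding, the second shows only the liveness check succeeding, which is the behaviour the proposed change is after.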

