This is the mail archive of the mailing list for the Cygwin project.


Fixing a security hole in pinfo.

Each Cygwin process publishes information about itself 
(e.g. pid, ppid, uid, gid, ...) in a _pinfo file mapping. 

Currently, Everyone has write access to the _pinfo file mapping.
Thus Everyone can change a process's uid and gid.
By changing its uid and gid, one can trick a daemon into 
logging in a user with a SYSTEM access token.
I have not examined the security risk involved in being able to 
change the other members of _pinfo.

As for the mount file mapping, a safe solution relies on protecting
the mapping with appropriate security attributes. 
Everyone should have Read access while RW access should only be
given to the current user, Administrators and System.
Processes that only need to read information will open the _pinfo
mapping in read only mode.

It will take several incremental patches to reach this goal.

This patch accomplishes a first step: pinfo::init will open a
_pinfo mapping in RW mode only if it would create the mapping
or if the new flag PID_MAP_RW is set.
The flag PID_MAP_RW is added in the few pinfo constructors
that need to write into _pinfo if it exists.
I hope not to have forgotten any.

2003-09-11  Pierre Humblet <>

	* include/sys/cygwin.h: Rename PID_UNUSED to PID_MAP_RW.
	* (pinfo_init): Initialize myself->gid.
	(pinfo::init): Create the "access" variable, set it appropriately
	and use it to specify the requested access.
	* (sig_handle_tty_stop): Add PID_MAP_RW in pinfo parent.
	* (kill_worker): Ditto for pinfo dest.
	* (setpgid): Ditto for pinfo p.


Attachment: pinfo.diff
Description: Text document
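The access decision this patch describes, shown as an added example that is not Cygwin's code and not the attached diff: a POSIX stand-in in which a 0644-mode file mapped with mmap replaces the Win32 _pinfo file mapping and its security descriptor, and the record is opened writable only when the process creates it or passes PID_MAP_RW. The flag value, the record layout, the file path and the function names are assumptions made for the example.

```c
/* POSIX stand-in for Cygwin's _pinfo mapping (added example, not Cygwin code). */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <unistd.h>
#define PID_MAP_RW 0x1000u  /* hypothetical value; the real flag lives in cygwin.h */
struct pinfo_rec { int pid; int ppid; unsigned uid; unsigned gid; }; /* constructed */
struct pinfo_map { struct pinfo_rec *rec; int fd; int writable; };
/* Mirrors pinfo::init after the patch: RW only when this process creates the record
 * or the caller passed PID_MAP_RW.  Mode 0644 (owner RW, everyone else read) stands
 * in for the Everyone:read / owner:RW security descriptor proposed in the post. */
int pinfo_open(const char *path, int create, unsigned flags, struct pinfo_map *m)
{
    int want_rw = create || (flags & PID_MAP_RW);
    int oflag = (want_rw ? O_RDWR : O_RDONLY) | (create ? O_CREAT : 0);
    int prot = want_rw ? PROT_READ | PROT_WRITE : PROT_READ;
    m->fd = open(path, oflag, 0644);
    if (m->fd < 0) return -1;
    if (create && ftruncate(m->fd, sizeof *m->rec) < 0) { close(m->fd); return -1; }
    m->rec = mmap(NULL, sizeof *m->rec, prot, MAP_SHARED, m->fd, 0);
    if (m->rec == MAP_FAILED) { close(m->fd); return -1; }
    m->writable = want_rw;
    return 0;
}
void pinfo_close(struct pinfo_map *m) { munmap(m->rec, sizeof *m->rec); close(m->fd); }
/* A reader that skipped PID_MAP_RW asking for a writable shared view anyway:
 * returns errno (EACCES: the descriptor is read-only) or 0 if it got one. */
int pinfo_try_write_view(const struct pinfo_map *m)
{
    void *p = mmap(NULL, sizeof *m->rec, PROT_READ | PROT_WRITE, MAP_SHARED, m->fd, 0);
    if (p == MAP_FAILED) return errno;
    munmap(p, sizeof *m->rec);
    return 0;
}
/* Scenario: creator publishes uid 1000; a plain reader sees it but gets no writable
 * view; a PID_MAP_RW opener does, and the creator observes its write.
 * Returns 0 when every step behaves as expected, else the failing step number. */
int pinfo_demo(const char *path)
{
    struct pinfo_map creator, reader, writer;
    unlink(path);
    if (pinfo_open(path, 1, 0, &creator) < 0) return 1;
    creator.rec->pid = 4242; creator.rec->uid = 1000; creator.rec->gid = 1000;
    if (pinfo_open(path, 0, 0, &reader) < 0) return 2;
    if (reader.writable || reader.rec->uid != 1000) return 3;
    if (pinfo_try_write_view(&reader) != EACCES) return 4;
    if (pinfo_open(path, 0, PID_MAP_RW, &writer) < 0 || !writer.writable) return 5;
    writer.rec->gid = 1001;
    int ok = creator.rec->gid == 1001;
    pinfo_close(&writer); pinfo_close(&reader); pinfo_close(&creator);
    unlink(path);
    return ok ? 0 : 6;
}
```

On a real system the 0644 mode only bites across user boundaries; the EACCES check in pinfo_demo shows the same-process effect of opening read-only, which is the part the patch changes.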
