Fixing the PROCESS_DUP_HANDLE security hole.

Pierre A. Humblet Pierre.Humblet@ieee.org
Sun Sep 28 01:58:00 GMT 2003


At 09:24 PM 9/27/2003 -0400, Christopher Faylor wrote:
>On Sat, Sep 27, 2003 at 07:13:07PM -0400, Pierre A. Humblet wrote:
>>There is an accurate comment: /* Allow the others to open us (for handle duplication) */
>>The proposed patch is avoiding the need for that.
>> 
>>>>b) proc_subproc:
>>>>      if (!DuplicateHandle (hMainProc, hMainProc, vchild->hProcess, &vchild->ppid_handle,
>>>>		0, TRUE, DUPLICATE_SAME_ACCESS)
>>>>should be changed to give no access rights to the duplicated handle.
>>>>This will still allow checking if the parent is alive, but not signalling it nor
>>>>reparenting.
>>>
>>>Have you verified this on all platforms?  I don't think you can assume
>>>that ppid_handle will work correctly in a Wait* function if it is duplicated
>>>with no special access.
>>
>>Absolutely correct, SYNCHRONIZE is needed.
>
>Somehow I seem to remember that didn't work (even though I can't imagine
>why) but I wasn't clever enough to document why.  I guess it can't hurt
>to try it, advertise a snapshot, and ask for feedback.

Hmm, not sure we are talking about the same thing.
The current code needs to duplicate with SYNCHRONIZE | PROCESS_DUP_HANDLE;
in fact, that's how I have been running it for the past few days.
It won't run with SYNCHRONIZE alone. The goal is to make it do so, after
completion of your signal code rework and changes to the way reparenting
is done. In my mind, reparenting would use the signal pipe.

Pierre
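The access-right question in the thread, shown with live Win32 calls. This is an added example, not Cygwin code: it duplicates a process handle into the calling process with exactly SYNCHRONIZE, then with SYNCHRONIZE | PROCESS_DUP_HANDLE, and shows that the first still satisfies WaitForSingleObject while only the second lets the holder use DuplicateHandle to pull a full-access handle back out of the target (asking the target for its own pseudo-handle, -1, with DUPLICATE_SAME_ACCESS yields PROCESS_ALL_ACCESS), which is the hole the subject line refers to. The direction differs from proc_subproc (there the parent hands its own handle to the child; here a throwaway child stands in for the parent and the duplicate lands in the calling process), but the right checks the kernel performs are the same. The helper names Dup and TryEscalate, the Native wrapper class and the throwaway process are this example's own assumptions.

```powershell
# Added example, not part of the Cygwin sources. Shows what a process handle
# duplicated with SYNCHRONIZE alone can do versus SYNCHRONIZE | PROCESS_DUP_HANDLE.
# Run in Windows PowerShell 5.1 or later; the Native class, Dup and TryEscalate
# are names chosen here, not Cygwin or Win32 identifiers.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Native {
    public const uint SYNCHRONIZE           = 0x00100000;
    public const uint PROCESS_DUP_HANDLE    = 0x00000040;
    public const uint DUPLICATE_SAME_ACCESS = 0x00000002;
    public const uint WAIT_TIMEOUT          = 0x00000102;

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool DuplicateHandle(IntPtr hSourceProcess, IntPtr hSourceHandle,
        IntPtr hTargetProcess, out IntPtr lpTargetHandle, uint dwDesiredAccess,
        bool bInheritHandle, uint dwOptions);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool TerminateProcess(IntPtr hProcess, uint uExitCode);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@

# Stand-in for the parent: a throwaway process we hold a full-access handle to,
# playing the role hMainProc plays in proc_subproc.
$victim = Start-Process powershell.exe -ArgumentList '-NoProfile','-Command','Start-Sleep -Seconds 120' `
            -WindowStyle Hidden -PassThru
$full   = $victim.Handle
$me     = [Native]::GetCurrentProcess()

function Dup([IntPtr]$src, [uint32]$access) {
    # Duplicate $src into our own process with exactly $access
    # (dwOptions = 0, so DUPLICATE_SAME_ACCESS is deliberately not used).
    $out = [IntPtr]::Zero
    if (-not [Native]::DuplicateHandle($me, $src, $me, [ref]$out, $access, $false, 0)) {
        throw "DuplicateHandle failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $out
}

function TryEscalate([IntPtr]$h) {
    # Use $h as the *source process* and ask for that process's own pseudo-handle (-1)
    # with the access it has there, i.e. PROCESS_ALL_ACCESS. The kernel requires
    # PROCESS_DUP_HANDLE on $h for this; otherwise it fails with ERROR_ACCESS_DENIED (5).
    $out = [IntPtr]::Zero
    $ok = [Native]::DuplicateHandle($h, [IntPtr]::new(-1), $me, [ref]$out, 0, $false,
                                    [Native]::DUPLICATE_SAME_ACCESS)
    if ($ok) { return $out }
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    Write-Host "  reaching back into the process refused, Win32 error $err (5 = ERROR_ACCESS_DENIED)"
    return [IntPtr]::Zero
}

# 1. SYNCHRONIZE only: the minimum the thread proposes. Enough for Wait*,
#    and it cannot be turned into anything more.
$syncOnly = Dup $full ([Native]::SYNCHRONIZE)
$w = [Native]::WaitForSingleObject($syncOnly, 0)
Write-Host "SYNCHRONIZE-only handle: WaitForSingleObject returned 0x$($w.ToString('X')) (0x102 means still running)"
Write-Host "SYNCHRONIZE-only handle: attempting DuplicateHandle with it as the source process"
$esc = TryEscalate $syncOnly

# 2. SYNCHRONIZE | PROCESS_DUP_HANDLE: what the code needed at the time of the thread.
$dupToo = Dup $full ([Native]::SYNCHRONIZE -bor [Native]::PROCESS_DUP_HANDLE)
Write-Host "SYNCHRONIZE|PROCESS_DUP_HANDLE handle: attempting DuplicateHandle with it as the source process"
$esc = TryEscalate $dupToo
if ($esc -ne [IntPtr]::Zero) {
    # The handle we got back carries PROCESS_ALL_ACCESS: the holder can now kill the "parent",
    # which is exactly what a SYNCHRONIZE-only ppid_handle would not permit.
    $killed = [Native]::TerminateProcess($esc, 1)
    Write-Host "  obtained a full-access handle; TerminateProcess succeeded: $killed"
    [void][Native]::CloseHandle($esc)
}

foreach ($h in @($syncOnly, $dupToo)) { [void][Native]::CloseHandle($h) }
if (-not $victim.HasExited) { $victim.Kill() }
```

The WaitForSingleObject call on the SYNCHRONIZE-only duplicate is the check Christopher asks for: a live process makes it return WAIT_TIMEOUT rather than an error, so the wait does not need any process-specific right. The second half shows why PROCESS_DUP_HANDLE is not a harmless addition: from the target's point of view it is equivalent to PROCESS_ALL_ACCESS, because the holder can ask the target to hand over its own pseudo-handle with the same access.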


