Request for help debugging screen problem

Christopher Faylor cgf-use-the-mailinglist-please@cygwin.com
Fri Feb 5 15:32:00 GMT 2010


On Fri, Feb 05, 2010 at 04:28:26PM +0100, Corinna Vinschen wrote:
>On Feb  5 10:00, Christopher Faylor wrote:
>> Ah, right.  So, I have never debugged the tty handling in cygserver.  Is
>
>Same here.
>
>> this the root cause of some of the screen error reports?
>
>I can't tell about the screen problem, but I've been wondering for a while
>whether the tty handle stuff in Cygserver is really required, or if we should
>drop this code.
>
>How exactly was the default mechanism supposed to be a security hole?
>IIRC the idea was that the inferior process has PROCESS_DUP_HANDLE
>permission on the tty master process.  That's by definition not a
>security problem if the inferior process is running in the same user
>context as the tty master process anyway.  So we just have to look at
>the case of the inferior running in another user context:
>
>- If the inferior process user is an admin user, there's also no
>  security problem, because the admin user has by design other ways to
>  exploit the tty master process.
>
>- If the inferior process is running under a non-privileged account,
>  then the security settings of the tty master process handles mark
>  the border.  If the security settings are correct, nothing bad
>  should happen.  If the security settings are bad, it's a bug in Cygwin
>  and should be fixed there.
>
>Am I missing something?  If not, I don't see a reason to keep the
>cygserver way of creating inferior process pty handles.
>
>If we really want to make this more secure, there's very likely another
>simple method to get the pipe handles without having to open the tty
>master process with PROCESS_DUP_HANDLE access.  For instance, what if we
>create pty pipes with the ability to take unlimited connections
>(PIPE_UNLIMITED_INSTANCES), and then open the pty pipes by name?

I think that the tty stuff was added at my suggestion.  For a while I
thought that having a dedicated cygwin server would be a good idea.  It
could be used to mediate the allocation of ttys (and even fifos now
that I think of it).  I think the security hole is due to the shared
memory region where the ttys are tracked but I think we've probably
come a long way since the tty cygserver stuff was implemented.

So I vote to rip this out of cygwin.  I'll do that this weekend (I'll
have a lot of time on my hands) if you agree.

cgf
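The alternative Corinna sketches above (pty pipes created with PIPE_UNLIMITED_INSTANCES and opened by name, so the inferior never needs PROCESS_DUP_HANDLE on the master process) is shown here as an added illustration. It is not Cygwin or cygserver code and not part of this thread; it uses the .NET Framework System.IO.Pipes classes from Windows PowerShell 5.1, where NamedPipeServerStream.MaxAllowedServerInstances is the managed spelling of PIPE_UNLIMITED_INSTANCES. The pipe name is a constructed placeholder. The point it makes is the one in the quoted mail: once the pipe is reachable by name, the pipe's DACL is the only border, so the example builds an explicit DACL granting access to the creating user alone and reads it back before a client connects.

```powershell
# Added illustration (not Cygwin code): a named pipe with unlimited instances
# and a DACL admitting only the creating user, then opened by name from a
# client. No OpenProcess(PROCESS_DUP_HANDLE) on the server process is needed.
# Pipe name is a constructed placeholder. Requires Windows PowerShell 5.1
# (.NET Framework), which exposes the constructor overload taking PipeSecurity.

$pipeName = 'cygpty-demo-' + [guid]::NewGuid().ToString('N')
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# The DACL is the "border": only the owning user's SID may open the pipe by name.
$sec = New-Object System.IO.Pipes.PipeSecurity
$rule = New-Object System.IO.Pipes.PipeAccessRule(
    $me.User,
    [System.IO.Pipes.PipeAccessRights]::FullControl,
    [System.Security.AccessControl.AccessControlType]::Allow)
$sec.AddAccessRule($rule)
# Protect the DACL so nothing is inherited from the pipe namespace.
$sec.SetAccessRuleProtection($true, $false)

# MaxAllowedServerInstances (-1) becomes PIPE_UNLIMITED_INSTANCES in CreateNamedPipe.
$server = New-Object System.IO.Pipes.NamedPipeServerStream -ArgumentList @(
    $pipeName,
    [System.IO.Pipes.PipeDirection]::InOut,
    [System.IO.Pipes.NamedPipeServerStream]::MaxAllowedServerInstances,
    [System.IO.Pipes.PipeTransmissionMode]::Byte,
    [System.IO.Pipes.PipeOptions]::None,
    4096, 4096,
    $sec)

# Read the effective DACL back from the live handle and show who was granted what.
$server.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, PipeAccessRights, AccessControlType |
    Format-Table -AutoSize

# The client (the "inferior" in the mail) opens the pipe purely by name.
# Wait for the connection asynchronously so one script can play both roles
# without deadlocking on a blocking WaitForConnection().
$pending = $server.BeginWaitForConnection($null, $null)
$client = New-Object System.IO.Pipes.NamedPipeClientStream('.', $pipeName, [System.IO.Pipes.PipeDirection]::InOut)
$client.Connect(5000)
$server.EndWaitForConnection($pending)

# Round-trip one line to show the two ends are talking.
$writer = New-Object System.IO.StreamWriter($client)
$writer.AutoFlush = $true
$writer.WriteLine('hello from the inferior')
$reader = New-Object System.IO.StreamReader($server)
'server received: ' + $reader.ReadLine()

$client.Dispose(); $server.Dispose()
```

Run it in an elevated or non-elevated session; either way the printed rule list should contain only the current account. A second session running as a different non-admin user would fail to open the pipe by name, which is exactly the "if the security settings are correct, nothing bad should happen" case from the quoted mail, and an overly broad DACL here would be the bug that needs fixing rather than a reason to reintroduce handle duplication.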


