Request for help debugging screen problem
Shaddy Baddah
helium@shaddybaddah.name
Fri Feb 5 16:24:00 GMT 2010
Hi,
On 5/02/2010 3:46 PM, Corinna Vinschen wrote:
> On Feb 5 10:32, Christopher Faylor wrote:
>> On Fri, Feb 05, 2010 at 04:28:26PM +0100, Corinna Vinschen wrote:
>>> How exactly was the default mechanism supposed to be a security hole?
>>> IIRC the idea was that the inferior process has PROCESS_DUP_HANDLE
>>> permission on the tty master process. That's by definition not a
>>> security problem if the inferior process is running in the same user
>>> context as the tty master process anyway. So we just have to look at
>>> the case of the inferior running in another user context:
>>>
>>> - If the inferior process user is an admin user, there's also no
>>> security problem, because the admin user has by design other ways to
>>> exploit the tty master process.
>>>
>>> - If the inferior process is running under a non-privileged account,
>>> then the security settings of the tty master process handles are
>>> marking the border. If the security settings are correct, nothing bad
>>> should happen. If the security settings are bad, it's a bug in Cygwin
>>> and should be fixed there.
>>>
>>> Am I missing something? If not, I don't see a reason to keep the
>>> cygserver way of creating inferior process pty handles.
>>>
>>> If we really want to make this more secure, there's very likely another
>>> simple method to get the pipe handles without having to open the tty
>>> master process with PROCESS_DUP_HANDLE access. For instance, what if we
>>> create pty pipes with the ability to take unlimited connections
>>> (PIPE_UNLIMITED_INSTANCES), and then open the pty pipes by name?
>>
>> I think that the tty stuff was added at my suggestion. For a while I
>> thought that having a dedicated cygwin server would be a good idea. It
>> could be used to mediate the allocation of ttys (and even fifos now
>> that I think of it). I think the security hole is due to the shared
>> memory region where the ttys are tracked but I think we've probably
>> come a long way since the tty cygserver stuff was implemented.
>>
>> So I vote to rip this out of cygwin. I'll do that this weekend (I'll
>> have a lot of time on my hands) if you agree.
>
> In theory, yes, I would be glad. But please let's wait until we have
> figured out this pty problem first.
>
> Do you think opening the pty by name and unlimited instances for pty
> pipes would be a feasible approach? Obviously the OpenProcess is
> making some problems starting with Vista.
Do you think it has something to do with this (from
http://msdn.microsoft.com/en-us/library/ms684320%28VS.85%29.aspx):

    Remarks
    To open a handle to another local process and obtain full access rights,
    you must enable the SeDebugPrivilege privilege. For more information,
    see Changing Privileges in a Token.
Would this be in the user token? How can I list which privileges are
contained in the token for the mintty session and the ssh session?
Sorry, I'm scrambling here to understand this issue.
Regards,
Shaddy
>
>
> Corinna
>
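A way to answer the two questions asked in the message above (which privileges the session's token holds, and whether that session can actually open the tty master process with PROCESS_DUP_HANDLE), as an added example that is not Cygwin code and not part of this thread. It assumes Windows PowerShell (2.0 or later) is available in both the mintty session and the ssh session; the Probe.Native type and the Get-TokenPrivilege / Test-ProcessDupHandle names are invented here, and the PID passed to the probe is the Windows PID (the WINPID column of Cygwin's ps), not the Cygwin PID.

```powershell
# Added example, not part of the Cygwin sources or of this thread.
# Requires Windows PowerShell 2.0+; Probe.Native and the two function
# names below are choices made here, not existing APIs.

# P/Invoke wrappers for the two Win32 calls the probe needs (kernel32.dll).
Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PROCESS_DUP_HANDLE  = 0x0040   # winnt.h: allows DuplicateHandle to/from the target
$ERROR_ACCESS_DENIED = 5        # winerror.h

function Get-TokenPrivilege {
    # Lists every privilege present in the calling process's token and whether
    # it is currently enabled. A privilege that is absent from this list is not
    # merely disabled: AdjustTokenPrivileges cannot enable it at all.
    whoami /priv /fo csv | ConvertFrom-Csv | ForEach-Object {
        New-Object PSObject -Property @{
            Name    = $_.'Privilege Name'
            State   = $_.State
            Enabled = ($_.State -eq 'Enabled')
        }
    }
}

function Test-ProcessDupHandle {
    # Asks the kernel for a PROCESS_DUP_HANDLE handle on the target process and
    # reports the Win32 error when the target's security descriptor (or, for a
    # process of another user, the lack of SeDebugPrivilege) refuses the request.
    param([Parameter(Mandatory = $true)][int]$ProcessId)

    $h   = [Probe.Native]::OpenProcess($PROCESS_DUP_HANDLE, $false, [uint32]$ProcessId)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()  # read immediately
    if ($h -ne [IntPtr]::Zero) {
        [void][Probe.Native]::CloseHandle($h)
        $opened = $true
        $err    = 0
    } else {
        $opened = $false
    }

    New-Object PSObject -Property @{
        ProcessId    = $ProcessId
        Opened       = $opened
        Win32Error   = $err
        AccessDenied = (-not $opened -and $err -eq $ERROR_ACCESS_DENIED)
    }
}

# Usage: run this in each session (mintty and ssh), save the result, then diff:
#   Get-TokenPrivilege | Export-Csv "$env:TEMP\privs-$PID.csv" -NoTypeInformation
#   Compare-Object (Import-Csv mintty.csv) (Import-Csv ssh.csv) -Property Name,State
# Then, from the session that fails, probe the tty master by its Windows PID:
#   Test-ProcessDupHandle -ProcessId 1234
Get-TokenPrivilege | Where-Object { $_.Name -eq 'SeDebugPrivilege' }
```

Comparing the two CSVs shows whether the ssh session's token simply lacks privileges that the interactive mintty token has; Test-ProcessDupHandle returning AccessDenied for the tty master's PID is the direct symptom of the OpenProcess problem discussed above, independent of what whoami reports.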
More information about the Cygwin-developers mailing list