Request for help debugging screen problem

Shaddy Baddah helium@shaddybaddah.name
Fri Feb 5 16:24:00 GMT 2010


Hi,

On 5/02/2010 3:46 PM, Corinna Vinschen wrote:
> On Feb  5 10:32, Christopher Faylor wrote:
>> On Fri, Feb 05, 2010 at 04:28:26PM +0100, Corinna Vinschen wrote:
>>> How exactly was the default mechanism supposed to be a security hole?
>>> IIRC the idea was that the inferior process has PROCESS_DUP_HANDLE
>>> permission on the tty master process.  That's by definition not a
>>> security problem if the inferior process is running in the same user
>>> context as the tty master process anyway.  So we just have to look at
>>> the case of the inferior running in another user context:
>>>
>>> - If the inferior process user is an admin user, there's also no
>>>   security problem, because the admin user has by design other ways to
>>>   exploit the tty master process.
>>>
>>> - If the inferior process is running under a non-privileged account,
>>>   then the security settings of the tty master process handles are
>>>   marking the border.  If the security settings are correct, nothing bad
>>>   should happen.  If the security settings are bad, it's a bug in Cygwin
>>>   and should be fixed there.
>>>
>>> Am I missing something?  If not, I don't see a reason to keep the
>>> cygserver way of creating inferior process pty handles.
>>>
>>> If we really want to make this more secure, there's very likely another
>>> simple method to get the pipe handles without having to open the tty
>>> master process with PROCESS_DUP_HANDLE access.  For instance, what if we
>>> create pty pipes with the ability to take unlimited connections
>>> (PIPE_UNLIMITED_INSTANCES), and then open the pty pipes by name?
>>
>> I think that the tty stuff was added at my suggestion.  For a while I
>> thought that having a dedicated cygwin server would be a good idea.  It
>> could be used to mediate the allocation of ttys (and even fifos now
>> that I think of it).  I think the security hole is due to the shared
>> memory region where the ttys are tracked but I think we've probably
>> come a long way since the tty cygserver stuff was implemented.
>>
>> So I vote to rip this out of cygwin.  I'll do that this weekend (I'll
>> have a lot of time on my hands) if you agree.
>
> In theory, yes, I would be glad.  But please let's wait until we have
> figured out this pty problem first.
>
> Do you think opening the pty by name and unlimited instances for pty
> pipes would be a feasible approach?  Obviously the OpenProcess is
> making some problems starting with Vista.

Do you think it is something to do with this (from 
http://msdn.microsoft.com/en-us/library/ms684320%28VS.85%29.aspx):

Remarks

To open a handle to another local process and obtain full access rights, 
you must enable the SeDebugPrivilege privilege. For more information, 
see Changing Privileges in a Token.

Would this be in the user token? How can I list which privileges are 
contained in the token for the mintty session and the ssh session?

Sorry, I'm scrambling here to understand this issue.

Regards,
Shaddy


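One way to answer the token question above, as an added example that is not part of this thread: a PowerShell script that snapshots the privileges of the current process token (via whoami.exe) in each session, compares the two snapshots, and checks the state of the SeDebugPrivilege the MSDN remark mentions. It assumes Windows whoami.exe is on PATH; the file paths are placeholders.

```powershell
# Added example (not from the thread). Snapshot the privileges of the current
# process token with whoami.exe and compare two snapshots, e.g. one taken in
# the mintty session and one in the ssh session, to see which privileges differ.
# Assumes whoami.exe (Windows) is on PATH; file paths below are placeholders.

function Get-TokenPrivilege {
    # whoami /priv /fo csv prints "Privilege Name","Description","State" rows.
    # A privilege that is present but "Disabled" is held by the token but not
    # in effect until the process enables it.
    whoami /priv /fo csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.'Privilege Name'
            Enabled = ($_.State -eq 'Enabled')
        }
    }
}

function Save-TokenPrivilegeSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    Get-TokenPrivilege | Export-Csv -NoTypeInformation -Path $Path
}

function Compare-TokenPrivilegeSnapshot {
    param(
        [Parameter(Mandatory)][string]$ReferencePath,
        [Parameter(Mandatory)][string]$DifferencePath
    )
    $ref = Import-Csv $ReferencePath
    $dif = Import-Csv $DifferencePath
    # Report privileges held by only one token, or held by both in a different state
    Compare-Object -ReferenceObject $ref -DifferenceObject $dif -Property Name, Enabled |
        Sort-Object Name |
        ForEach-Object {
            $where = if ($_.SideIndicator -eq '<=') { 'reference only' } else { 'difference only' }
            [pscustomobject]@{ Name = $_.Name; Enabled = $_.Enabled; Where = $where }
        }
}

# Usage (placeholder paths):
#   mintty session: Save-TokenPrivilegeSnapshot -Path C:\tmp\mintty-priv.csv
#   ssh session:    Save-TokenPrivilegeSnapshot -Path C:\tmp\ssh-priv.csv
#   then:           Compare-TokenPrivilegeSnapshot -ReferencePath C:\tmp\mintty-priv.csv -DifferencePath C:\tmp\ssh-priv.csv

# Quick check of the privilege named in the MSDN remark for the current session
$debug = Get-TokenPrivilege | Where-Object Name -eq 'SeDebugPrivilege'
if (-not $debug)       { 'SeDebugPrivilege: not present in token' }
elseif ($debug.Enabled) { 'SeDebugPrivilege: present and enabled' }
else                    { 'SeDebugPrivilege: present but disabled' }
```

Run the snapshot in each of the two sessions, then the comparison from either; an empty comparison means both tokens hold the same privileges in the same state.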



More information about the Cygwin-developers mailing list