[Patch]: Fixing the PROCESS_DUP_HANDLE security hole (part 1).
Pierre A. Humblet
pierre@phumblet.no-ip.org
Mon Dec 8 03:25:00 GMT 2003
At 05:40 PM 12/7/2003 -0500, Christopher Faylor wrote:
>On Mon, Sep 29, 2003 at 09:55:25PM -0400, Pierre A. Humblet wrote:
>>Here is a patch that allows to open master ttys without giving
>>full access to the process, at least for access to the ctty.
>>
>>It works by snooping the ctty pipe handles and duplicating them
>>on the cygheap, for use by future opens in descendant processes.
>>
>>It passes all the tests I tried, but considering my lack of knowledge
>>about ttys, everything is possible.
>
>I checked in a variation of this patch. It restructures the way
>controlling tty is handled, making it a little easier to deal with
>/dev/tty at the fhandler level. I suspect that eventually there will
>be a fhandler_ctty class but, for now, this seems to work.
>
>I'm not 100% certain that I got the close-on-exec stuff right but, fwiw,
>it seems to work with the combination of ssh/zsh which is usually a
>pretty tough test for this kind of thing. I did check to make sure that
>access to a tty is now not allowed from a non-privileged account thanks
>to the tty.cc change below.
>
>Thanks for the patch and sorry for the delay.
>
>cgf
It's mostly fine (rxvt and notty) but starting the following from DOS
creates a slew of warning from the handler protection code (below).
However the shell is functional.
tty reports /dev/tty, instead of /dev/ttyN with 1.5.5
@echo off
set CYGWIN=tty
C:
chdir \progra~1\cygwin\bin
bash --login -i
Pierre
Sorry, it's missing the top but that's all I can paste from the DOS
windows on ME.
328926 [main] BASH 50298593! mark_closed: attempt to close protected
handle voi
d sigproc_init():604(signal_arrived<0xE4>) winpid -50298593
339822 [main] BASH 50298593! mark_closed: by virtual int
fhandler_tty_common::
close():1151(ioctl_done_event<0xE4>)
361168 [main] BASH 50298593! mark_closed: closing protected handle int
spawn_gu
ts(const char*, const char* const*, const char* const*,
int):395(subproc_ready<0
xD4>)
363640 [main] BASH 50298593! mark_closed: by virtual int
fhandler_tty_common::
close():1159(output_mutex<0xD4>)
369935 [main] BASH 50298593! mark_closed: attempt to close protected
handle voi
d sigproc_init():604(signal_arrived<0xE4>) winpid -50298593
29407 [main] id 50298593 mark_closed: closing protected handle void
sigproc_in
it():604(signal_arrived<0xD8>)
34781 [main] id 50298593 mark_closed: by virtual int
fhandler_tty_common::clo
se():1157(input_mutex<0xD8>)
375411 [main] BASH 50298593! mark_closed: by virtual int
fhandler_tty_common::
close():1151(ioctl_done_event<0xE4>)
386473 [main] BASH 50298593! spawn_guts: wait failed: nwait 3, pid
50298593, wi
npid -50323745, Win32 error 6
400722 [main] BASH 50298593! spawn_guts: waitbuf[0] 0x158 0
400848 [main] BASH 50298593! spawn_guts: waitbuf[1] 0xE4 = 258
401379 [main] BASH 50298593! spawn_guts: waitbuf[w] 0xD4 = -1
.bash_profile
Have mailbox
567659 [main] BASH 85913! mark_closed: attempt to close protected handle
void s
igproc_init():604(signal_arrived<0xE4>) winpid -85913
578034 [main] BASH 85913! mark_closed: by virtual int
fhandler_tty_common::clo
se():1151(ioctl_done_event<0xE4>)
581260 [main] BASH 85913! mark_closed: closing protected handle int
spawn_guts(
const char*, const char* const*, const char* const*,
int):395(subproc_ready<0xD4
>)
9793 [main] dircolors 85913 mark_closed: closing protected handle void
sigpro
c_init():604(signal_arrived<0xD8>)
14530 [main] dircolors 85913 mark_closed: by virtual int
fhandler_tty_common:
:close():1157(input_mutex<0xD8>)
589175 [main] BASH 85913! mark_closed: by virtual int
fhandler_tty_common::clo
se():1159(output_mutex<0xD4>)
612646 [main] BASH 85913! mark_closed: attempt to close protected handle
void s
igproc_init():604(signal_arrived<0xE4>) winpid -85913
614399 [main] BASH 85913! mark_closed: by virtual int
fhandler_tty_common::clo
se():1151(ioctl_done_event<0xE4>)
614870 [main] BASH 85913! spawn_guts: wait failed: nwait 3, pid 85913,
winpid -
46434897, Win32 error 6
615685 [main] BASH 85913! spawn_guts: waitbuf[0] 0x158 0
616454 [main] BASH 85913! spawn_guts: waitbuf[1] 0xE4 = 258
616527 [main] BASH 85913! spawn_guts: waitbuf[w] 0xD4 = -1
~:
More information about the Cygwin-patches
mailing list