This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]

more security

To: <cygwin-developers at cygwin dot com>
Subject: more security
From: "Robert Collins" <robert dot collins at itdomain dot com dot au>
Date: Sat, 30 Jun 2001 00:05:37 +1000

I just thought of a potential security hole - more stuff for the daemon. I'm
mailing for archive, not to request or offer a fix. I also haven't checked
the code due to being about to go to sleep...

The delete-on-close queue has no way of verifying that the poster of an item
there has the right to delete the file.

sample exploit in theory: user program in sshd adds system critical files to
the delete-on-close queue, without ever trying to open the files.

Admin comes along and runs cygwin process that access said files (say just
checking for #! even, and they get rm'd on close.

Rob

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]