This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: ntsec patch #4: passwd and group


Corinna Vinschen wrote:

> 
> But 2 is not an issue.  The appl. called getpwuid once and then the
> static buffer contains data.  That's it. 

At this point the application may do an open (), stat () or setuid (), 
intending to use the static buffer immediately after those calls
(a likely scenario with setuid () ?). However those calls may invalidate 
the pointers in the buffer.
I am not saying that this is a problem that needs immediate fixing,
only that it is an area of non-compliance. We may want to pay attention
to it when we revisit pw/gr to address the thread issues. 
 
> The *next* call copies
> other data into the static buffer.  Is there any sense to keep the
> static buffer in sync even though the application doesn't call
> the function again?  I don't think so.  It's even dangerous.
 
> I didn't get any email in October so I only saw your patch #4.
> I thought we would start from the beginning when I return from
> vacation.

I thought I had sent them in November, after you came back 
(after you sent the sshd update), but then you probably got a lot 
to do those days. Nothing has changed on my side, could you pick them 
up on the list? Thanks.

Pierre


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]