This is the mail archive of the cygwin-patches@cygwin.com mailing list for the Cygwin project.



Fixing the delete queue security


Cygwin uses a "delete queue" in a shared file mapping to hold
the names of files that could not be deleted on unlink, usually
because they were still opened. The queue is scanned by all
processes so that the files eventually get deleted after they 
are closed.

Because Everyone has write access to the file mapping, any user
can add names to the delete queue, and thus any user can trick
other processes into deleting any and all files on a PC where a Cygwin
daemon is running as SYSTEM.

The solution is simple: create per-user delete queues. They are
placed in the same mapping as the mount table. So the change
is extremely straightforward. The length of the change log comes
from renaming many variables to have names that reflect their functions.

There will be a follow-up patch with the following cleanup:
remove now unneeded fields from the mount_info and shared_info and
run the "magic" on the new/modified structures.

Pierre


2003-09-15  Pierre Humblet <pierre.humblet@ieee.org>

	* shared_info.h (class user_info): New.
	(cygwin_user_h): New.
	(user_shared): New.
	(enum shared_locations): Replace SH_MOUNT_TABLE by SH_USER_SHARED;
	(mount_table): Change from variable to macro.
	* shared.cc: Use sizeof(user_info) in "offsets".
	(user_shared_initialize): Add "reinit" argument to indicate need
	to reinitialize the mapping. Replace "mount_table" by "user_shared"
	throughout. Call user_shared->mountinfo.init and 
	user_shared->delqueue.init.
	(shared_info::initialize): Do not call delqueue.init.
	(memory_init): Add argument to user_shared_initialize.
	* child_info.h (child_info::mount_h): Delete.
	(child_info::user_h): New.
	* sigpproc.cc (init_child_info): Use user_h instead of mount_h.
	* dcrt0.cc (_dll_crt0): Ditto.
	* fhandler_disk_file.cc (fhandler_disk_file::close): Use 
	user_shared->delqueue instead of cygwin_shared->delqueue.
	* fhandler_virtual.cc (fhandler_virtual::close): Ditto.
	* syscalls.cc (close_all_files): Ditto.
	(unlink): Ditto.
	(seteuid32): Add argument to user_shared_initialize.

Attachment: delqueue.diff
Description: Text document
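As an added illustration that is not part of the post or of Cygwin's own code, the following Python model contrasts the two layouts the message describes: a single delete queue in a mapping that Everyone can write, drained by whichever process scans it, versus one queue per user. The filesystem, the uids, the paths and the owner-only unlink rule are all constructed for the model; the point it shows is that with a shared queue the privileged scanner unlinks names it never deferred itself, while with per-user queues each process only acts on its own user's entries.

```python
# Added example, not Cygwin's code: an in-memory model of the two delete-queue
# layouts the post contrasts. The "delete queue" holds names of files that
# could not be unlinked yet; whichever process drains the queue performs the
# real unlink with its own privileges. Uids and paths below are constructed.

SYSTEM_UID = 0        # stands in for the SYSTEM account running a daemon
USER_UID = 1001       # an ordinary, unprivileged user


class FakeFS:
    """Minimal filesystem model: path -> owner uid, with an owner-only unlink rule
    standing in for the ACL that keeps ordinary users off SYSTEM-owned files."""

    def __init__(self, files):
        self.files = dict(files)

    def unlink(self, path, uid):
        """Remove path as uid; return True on success, False if missing or denied."""
        owner = self.files.get(path)
        if owner is None:
            return False
        if uid != SYSTEM_UID and uid != owner:
            return False          # access denied, file survives
        del self.files[path]
        return True


class SharedDeleteQueue:
    """Pre-patch layout: one queue in a mapping that Everyone can write.
    Nothing records who queued an entry, so the draining process cannot
    tell its own deferred unlinks from names another user pushed in."""

    def __init__(self):
        self.entries = []

    def defer_unlink(self, uid, path):
        self.entries.append(path)     # uid is ignored: the queue is global

    def drain(self, fs, uid):
        # Whichever process scans the queue unlinks every entry as itself.
        while self.entries:
            fs.unlink(self.entries.pop(), uid)


class PerUserDeleteQueues:
    """Post-patch layout: a separate queue per user (the post places it in the
    per-user mapping alongside the mount table). A process only ever drains
    the queue of the user it runs as."""

    def __init__(self):
        self.queues = {}

    def defer_unlink(self, uid, path):
        self.queues.setdefault(uid, []).append(path)

    def drain(self, fs, uid):
        for path in self.queues.pop(uid, []):
            fs.unlink(path, uid)


def simulate(queue):
    """Run the scenario from the post against a queue implementation and
    return the set of paths that survive."""
    fs = FakeFS({
        "C:/cygwin/var/log/daemon.log": SYSTEM_UID,   # constructed SYSTEM-owned file
        "C:/cygwin/home/user/tmp.txt": USER_UID,      # constructed user-owned file
    })
    # The unprivileged user queues a name they could never unlink directly...
    queue.defer_unlink(USER_UID, "C:/cygwin/var/log/daemon.log")
    # ...alongside a legitimately deferred file of their own.
    queue.defer_unlink(USER_UID, "C:/cygwin/home/user/tmp.txt")
    # A daemon running as SYSTEM scans the queue, then the user's own process does.
    queue.drain(fs, SYSTEM_UID)
    queue.drain(fs, USER_UID)
    return set(fs.files)


if __name__ == "__main__":
    print("shared queue, surviving files:  ", simulate(SharedDeleteQueue()))
    print("per-user queues, surviving files:", simulate(PerUserDeleteQueues()))
```

With the shared queue the SYSTEM scanner removes both names, including the file the user could not have deleted on their own; with per-user queues the SYSTEM process finds nothing of its own to drain, and the user's process is refused on the SYSTEM-owned file while still completing its own deferred unlink.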

