This is the mail archive of the cygwin-patches@cygwin.com mailing list for the Cygwin project.
RE: Fixing the delete queue security
- From: "Gary R. Van Sickle" <g dot r dot vansickle at worldnet dot att dot net>
- To: <cygwin-patches at cygwin dot com>
- Date: Mon, 15 Sep 2003 20:34:45 -0500
- Subject: RE: Fixing the delete queue security
You are a *God*, Pierre. ;-)
--
Gary R. Van Sickle
Brewer. Patriot.
> Cygwin uses a "delete queue" in a shared file mapping to hold
> the names of files that could not be deleted on unlink, usually
> because they were still opened. The queue is scanned by all
> processes so that the files eventually get deleted after they
> are closed.
>
> Because Everyone has write access to the file mapping, any user
> can add names to the delete queue, and thus any user can trick
> other processes into deleting any and all files on a PC where a Cygwin
> daemon is running as SYSTEM.
>
> The solution is simple: create per-user delete queues. They are
> placed in the same mapping as the mount table. So the change
> is extremely straightforward. The length of the change log comes
> from renaming many variables to have names reflect functions.
>
> There will be a follow-up patch with the following cleanup:
> remove now-unneeded fields from the mount_info and shared_info and
> run the "magic" on the new/modified structures.
>
> Pierre
>
>
> 2003-09-15 Pierre Humblet <pierre.humblet@ieee.org>
>
> * shared_info.h (class user_info): New.
>   (cygwin_user_h): New.
>   (user_shared): New.
>   (enum shared_locations): Replace SH_MOUNT_TABLE by SH_USER_SHARED.
>   (mount_table): Change from variable to macro.
> * shared.cc: Use sizeof(user_info) in "offsets".
>   (user_shared_initialize): Add "reinit" argument to indicate need
>   to reinitialize the mapping. Replace "mount_table" by "user_shared"
>   throughout. Call user_shared->mountinfo.init and
>   user_shared->delqueue.init.
>   (shared_info::initialize): Do not call delqueue.init.
>   (memory_init): Add argument to user_shared_initialize.
> * child_info.h (child_info::mount_h): Delete.
>   (child_info::user_h): New.
> * sigproc.cc (init_child_info): Use user_h instead of mount_h.
> * dcrt0.cc (_dll_crt0): Ditto.
> * fhandler_disk_file.cc (fhandler_disk_file::close): Use
>   user_shared->delqueue instead of cygwin_shared->delqueue.
> * fhandler_virtual.cc (fhandler_virtual::close): Ditto.
> * syscalls.cc (close_all_files): Ditto.
>   (unlink): Ditto.
>   (seteuid32): Add argument to user_shared_initialize.
>
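As an added illustration, not part of this thread and not Cygwin's code, the following Python model contrasts the two queue designs described in the quoted message: one delete queue in an Everyone-writable mapping, versus one queue per user kept in that user's own mapping. `SimFs`, `SharedDeleteQueue`, `PerUserDeleteQueues`, the user names and the sample paths are all constructed for the example; in Cygwin the queue lives in a Windows file mapping and is scanned by each process, not driven by these method calls. The point the model makes is the design one: when a privileged scanner only ever acts on names that its own identity queued, a low-privilege user can no longer turn a SYSTEM daemon into a confused deputy.

```python
from collections import defaultdict

# Constructed sample data: a tiny simulated filesystem of path -> owner.
SAMPLE_FILES = {
    "/etc/secret.conf": "SYSTEM",     # closed; owned by SYSTEM
    "/home/alice/scratch": "alice",   # still open by one of alice's processes
}
SAMPLE_OPEN = {"/home/alice/scratch"}


class SimFs:
    """In-memory filesystem. unlink() is deferred (returns False) while a
    file is open, which is the situation the delete queue exists to handle."""

    def __init__(self, files, open_paths):
        self.files = dict(files)
        self.open_paths = set(open_paths)

    def unlink(self, path, as_user):
        owner = self.files.get(path)
        if owner is None:
            return True                       # already gone: nothing to do
        if as_user != "SYSTEM" and as_user != owner:
            raise PermissionError(f"{as_user} may not delete {path}")
        if path in self.open_paths:
            return False                      # still open: retry later
        del self.files[path]
        return True


def _drain(fs, pending, scanner):
    """Retry every queued name with the scanner's identity; keep the ones
    that are still open or that this identity is not allowed to remove."""
    still_pending = []
    for path in pending:
        try:
            if not fs.unlink(path, scanner):
                still_pending.append(path)
        except PermissionError:
            still_pending.append(path)
    return still_pending


class SharedDeleteQueue:
    """One queue in a mapping Everyone can write (the pre-patch design)."""

    def __init__(self):
        self.pending = []

    def enqueue(self, caller, path):
        self.pending.append(path)             # no record of who queued it

    def scan(self, fs, scanner):
        self.pending = _drain(fs, self.pending, scanner)


class PerUserDeleteQueues:
    """One queue per user in that user's own mapping (the patched design):
    only processes running as `user` can write to or scan `user`'s queue."""

    def __init__(self):
        self.queues = defaultdict(list)

    def enqueue(self, caller, path):
        self.queues[caller].append(path)

    def scan(self, fs, scanner):
        self.queues[scanner] = _drain(fs, self.queues[scanner], scanner)


def run_scenario(queue):
    """Replay one sequence against a queue design; return the surviving paths."""
    fs = SimFs(SAMPLE_FILES, SAMPLE_OPEN)
    # alice unlinks her own open file: deferred, so its name is queued
    if not fs.unlink("/home/alice/scratch", "alice"):
        queue.enqueue("alice", "/home/alice/scratch")
    # an unprivileged user queues a name it could never delete itself
    queue.enqueue("mallory", "/etc/secret.conf")
    # a daemon running as SYSTEM and mallory's own process each scan
    queue.scan(fs, "SYSTEM")
    queue.scan(fs, "mallory")
    # alice closes her file and scans again: her deferred delete completes
    fs.open_paths.discard("/home/alice/scratch")
    queue.scan(fs, "alice")
    return set(fs.files)


if __name__ == "__main__":
    print("shared queue  :", run_scenario(SharedDeleteQueue()))
    print("per-user queue:", run_scenario(PerUserDeleteQueues()))
```

With the shared queue the SYSTEM scan removes `/etc/secret.conf` on mallory's behalf; with per-user queues mallory's entry sits in mallory's own queue, where every scan runs as mallory and is refused, while alice's legitimate deferred delete still completes in both designs.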