This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Problem with Station/Desktop permissions


Hi all,

Just to let you know that I fixed my desktop permissions problem on the application side by making sure that I do not add ACEs to an empty DACL. 

Details
----
When doing a suid (CreateProcessAsUser) cygwin sets up a null Security Descriptor (SD) for Station and Desktop that opens up access to everyone. This descriptor has an empty Discretionary Access Control List (DACL). Adding an Allowed Access Control Entry (ACE) to this DACL leads to the counter-intuitive result of restricting access to only that user; not even LocalSystem or Administrator can access the Station/Desktop. The system will break when this occurs on the non-interactive station/desktop: most of the services that use user32.dll (and it is difficult not to use it) won't be able to restart. The most visible symptoms are the nasty message boxes 'user32.dll could not initialize'. A system reboot is needed to revert to normal operation.

I do not know what the proper approach is here for future cygwin versions. Opening up access to everyone on the non-interactive station/desktop does not sound like a great idea; however, I do not know how one could exploit it. The same type of operation on the interactive desktop would be a lot more troublesome, since a rogue program may be able to read passwords as you type them in.

If you have a cygwin-based daemon, it may be a good system design to run it as a different user, not as LocalSystem. In this case NT will generate a new station/desktop for the programs in that security context. Of course, creating too many stations may crash NT by itself, since they share some statically allocated memory zone.

Anyway, I hope the tip will be useful to other developers who need to coexist with cygwin.

Marius Seritan

----- Original Message ----- 
From: "Marius Seritan" <mseritan@jacent.com>
To: <lhall@rfk.com>; <cygwin@cygwin.com>
Sent: Tuesday, October 08, 2002 8:06 AM
Subject: Re: Problem with Station/Desktop permissions


> Larry and cygwin-list readers,
> 
> In my own code I am using the fksec C++ library, http://www.mvps.org/win32/security/fksec.html. I am not sure if people are willing to link that library in cygwin. If so, I can suggest a patch to the list that would add the appropriate ACEs to the Station and Desktop SDs, instead of replacing them with a null SD. 
> 
> Note that I am not an NT security expert, I can only contribute some code that is working for me.
> 
> Marius
> 
> ----- Original Message ----- 
> From: <lhall@pop.ma.ultranet.com>
> To: <mseritan@jacent.com>; <cygwin@cygwin.com>
> Sent: Tuesday, October 08, 2002 7:54 AM
> Subject: RE: Problem with Station/Desktop permissions
> 
> 
> Hi Marius,
> 
> I don't believe there is any active work going on in the area that you 
> mention.  It seems to change and improve on an "as-needed" basis based
> on bug reports and the like.  If you are interested in suggesting a 
> patch, I'm sure the list would be interested in reviewing your ideas.
> 
> Larry
> 
> Original Message:
> -----------------
> From: Marius Seritan mseritan@jacent.com
> Date: Mon, 7 Oct 2002 14:32:47 -0700
> To: cygwin@cygwin.com
> Subject: Problem with Station/Desktop permissions
> 
> 
> 
> <snip>
> 
> From what I see from the sources, cygwin is also adjusting the permissions
> on the station\desktop. The approach taken in spawn.cc is a lot more
> radical though, the security descriptor is basically blown away. This seems
> to break my code. 
> 
> Has anybody else encountered this problem? Are there plans to move to a
> more nuanced approach when adjusting the permissions on the window
> stations/desktop?
> 
> Thanks for any pointers/comments.
> 
> Marius Seritan
> Engineering
> mseritan@jacent.com
> 
> 
> --------------------------------------------------------------------
> mail2web - Check your email from the web at
> http://mail2web.com/ .
> 
> 
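The behaviour described in this thread follows from how Win32 evaluates a DACL, and a short model makes the counter-intuitive part visible. What follows is an added example; it is not code from cygwin's spawn.cc nor from the fksec library, and it does not call the Win32 API. It models the access check itself: a security descriptor with no DACL at all (a NULL DACL) grants everyone full access, a present but empty DACL grants nobody anything, and otherwise ACEs are walked in order, a matching deny on a still-needed bit fails the check and allows accumulate until every requested bit is granted. The "empty DACL" of the message above behaves like the NULL-DACL case, which is why adding a single allow ACE leaves only that user with access. S-1-5-18 (LocalSystem) and S-1-5-32-544 (Administrators) are real well-known SIDs; the S-1-5-21-... SIDs, the "default" window-station DACL and the single-SID tokens are constructed sample data for the illustration. The access-mask values are the winuser.h constants.

```python
"""Model of the Win32 DACL access check for window stations/desktops.

Added example, not cygwin or fksec code.  Shows why appending one allow ACE
to an object whose descriptor has no DACL locks out LocalSystem and
Administrators, and how appending to the existing ACEs instead does not.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Access-mask bits for window stations (values from winuser.h).
WINSTA_READATTRIBUTES = 0x0002
WINSTA_ALL_ACCESS = 0x037F

ALLOW, DENY = "ACCESS_ALLOWED", "ACCESS_DENIED"

# Real well-known SIDs.
LOCAL_SYSTEM = "S-1-5-18"
ADMINISTRATORS = "S-1-5-32-544"
# Constructed sample account SIDs (not real accounts).
SERVICE_USER = "S-1-5-21-1000-2000-3000-1101"
OTHER_USER = "S-1-5-21-1000-2000-3000-1102"


@dataclass(frozen=True)
class Ace:
    kind: str   # ALLOW or DENY
    sid: str
    mask: int


# None models a descriptor with no DACL (NULL DACL: no protection at all).
# [] models a DACL that is present but holds no ACEs (nobody gets access).
Dacl = Optional[List[Ace]]

# Constructed sample of what a window-station DACL typically carries before
# anyone touches it: full access for LocalSystem and Administrators.
DEFAULT_WINSTA_DACL: Dacl = [
    Ace(ALLOW, LOCAL_SYSTEM, WINSTA_ALL_ACCESS),
    Ace(ALLOW, ADMINISTRATORS, WINSTA_ALL_ACCESS),
]


def access_check(dacl: Dacl, token_sids: FrozenSet[str], desired: int) -> bool:
    """Simplified AccessCheck: NULL DACL grants everything; otherwise walk
    the ACEs in order.  A deny ACE for one of the token's SIDs that covers a
    still-needed bit fails the check; allow ACEs accumulate until every
    requested bit is granted.  An empty DACL never grants anything."""
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == DENY and ace.mask & remaining:
            return False
        if ace.kind == ALLOW:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def naive_grant(dacl: Dacl, sid: str, mask: int) -> Dacl:
    """The pattern the thread describes as breaking the system: materialise
    a DACL if there is none, then append one allow ACE for the target user.
    On a NULL DACL the result protects the object with that single ACE."""
    new = [] if dacl is None else list(dacl)
    new.append(Ace(ALLOW, sid, mask))
    return new


def grant_preserving(dacl: Dacl, sid: str, mask: int) -> Dacl:
    """The fix from the thread: never add an ACE to a DACL that is absent.
    If the object is already open to everyone, leave it alone; otherwise
    append the allow ACE to the ACEs that are already there."""
    if dacl is None:
        return None
    return list(dacl) + [Ace(ALLOW, sid, mask)]


def who_can_open(dacl: Dacl, desired: int = WINSTA_ALL_ACCESS) -> dict:
    """Run the check for the principals that matter in the thread.  Tokens
    are modelled as a single SID each (a real token also carries groups)."""
    return {sid: access_check(dacl, frozenset({sid}), desired)
            for sid in (LOCAL_SYSTEM, ADMINISTRATORS, SERVICE_USER, OTHER_USER)}


if __name__ == "__main__":
    null_sd: Dacl = None  # what the thread says spawn.cc installs
    print("NULL DACL:            ", who_can_open(null_sd))
    print("naive add on NULL:    ", who_can_open(
        naive_grant(null_sd, SERVICE_USER, WINSTA_ALL_ACCESS)))
    print("preserving on NULL:   ", who_can_open(
        grant_preserving(null_sd, SERVICE_USER, WINSTA_ALL_ACCESS)))
    print("preserving on default:", who_can_open(
        grant_preserving(DEFAULT_WINSTA_DACL, SERVICE_USER, WINSTA_ALL_ACCESS)))
```

Running it prints the four situations side by side: with the NULL DACL every principal passes; after the naive grant only the service user passes and LocalSystem fails, which is the state in which services using user32.dll can no longer start; the preserving variant leaves the NULL DACL untouched, and applied to a DACL that already has ACEs it adds the service user without removing anyone.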
