Mailing-List: contact cygwin-apps-help AT sourceware DOT cygnus DOT com; run by ezmlm
Sender: cygwin-apps-owner AT sourceware DOT cygnus DOT com
Delivered-To: mailing list cygwin-apps AT sources DOT redhat DOT com
Date: Sat, 28 Apr 2001 21:04:39 +0400
From: egor duda
X-Mailer: The Bat! (v1.45) Personal
Reply-To: egor duda
Organization: deo
Message-ID: <7734862689.20010428210439@logos-m.ru>
To: cygwin-apps AT cygwin DOT com
Subject: permissions for auth socket in cygwin port of openssh

Hi!

ssh-agent creates a temp directory under /tmp with '600' permissions, and the actual socket file is created under it using the default umask. Under unix, it's not a problem since nobody can read the socket file if he has no scan rights to the directory. But under win32 there exists a separate privilege named "Bypass traverse checking", granted to everybody by default, which allows reading a file even if the user has no rights on the directory. With my changes to the AF_UNIX socket code, socket security is provided by the inability of unauthorized parties to read the socket file contents, but with the "Bypass traverse checking" privilege, they _can_ read it. The attached patch is supposed to fix this.

2001-04-28  Egor Duda

	* ssh-agent.c (main): On cygwin create auth socket with mode 600

egor.
mailto:deo AT logos-m DOT ru
icq 5165414 fidonet 2:5020/496.19

[Attachment: openssh-cygwin-socket-permissions.ChangeLog]

2001-04-28  Egor Duda  <deo@logos-m.ru>

	* ssh-agent.c (main): On cygwin create auth socket with mode 600

[Attachment: openssh-cygwin-socket-permissions.diff]

diff -up2 openssh-2.5.2p2/ssh-agent.c openssh-2.5.2p2.deo/ssh-agent.c
--- openssh-2.5.2p2/ssh-agent.c	Mon Mar 19 01:38:16 2001
+++ openssh-2.5.2p2.deo/ssh-agent.c	Sat Apr 28 20:51:17 2001
@@ -729,5 +729,5 @@ int
 main(int ac, char **av)
 {
-	int sock, c_flag = 0, k_flag = 0, s_flag = 0, ch;
+	int sock, c_flag = 0, k_flag = 0, s_flag = 0, ch, prev_mask;
 	struct sockaddr_un sunaddr;
 #ifdef HAVE_SETRLIMIT
@@ -820,4 +820,7 @@ main(int ac, char **av)
 		cleanup_exit(1);
 	}
+#ifdef HAVE_CYGWIN
+	prev_mask = umask(0177);
+#endif
 	memset(&sunaddr, 0, sizeof(sunaddr));
 	sunaddr.sun_family = AF_UNIX;
@@ -827,4 +830,7 @@ main(int ac, char **av)
 		cleanup_exit(1);
 	}
+#ifdef HAVE_CYGWIN
+	umask(prev_mask);
+#endif
 	if (listen(sock, 5) < 0) {
 		perror("listen");
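Review bot: In the first hunk of the attached diff, `prev_mask` is declared as `int` together with the flag variables, but `umask()` takes and returns `mode_t`; it should be `mode_t prev_mask;`. Because the variable is only assigned and read inside `#ifdef HAVE_CYGWIN` blocks, the unconditional declaration also leaves it unused on every non-Cygwin build, which warns under `-Wunused-variable`. Either move the declaration under the same `#ifdef`, or drop the `#ifdef` altogether: a 0600 socket file is the correct mode on every platform, and the tighter mode costs nothing where the directory permissions already protect it.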
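Review bot: In the second and third hunks the mask is tightened before `bind()` but restored only after the `cleanup_exit(1)` check that follows it, so correctness rests on `cleanup_exit` never returning; if that error path ever changes, the process would carry a 0177 umask for the rest of its run. Restoring it directly after `bind()` returns, before the result is examined, removes that dependency. A one-line comment explaining the constant would also help future readers: the socket file is created as 0777 & ~umask, so 0177 is what yields the 0600 named in the ChangeLog.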
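The umask technique the patch relies on, as an added example that is not Egor Duda's patch or OpenSSH code: a small C program binds an AF_UNIX socket while the umask is temporarily 0177, restores the caller's mask before the result is checked, and reads the created file's mode back with stat() to confirm it is 0600 regardless of the permissive mask the caller started with. The /tmp path, the starting mask of 022 and all function names are constructed for the demonstration.

```c
/* Added example (not Egor Duda's patch or OpenSSH code).  Shows the
 * technique the patch uses: tighten the umask to 0177 only around the
 * bind() that creates the AF_UNIX socket file, so the file itself is
 * 0600 and does not depend on the directory mode for protection, then
 * restore the caller's mask.  Function names and paths are the example's. */
#define _DEFAULT_SOURCE         /* mkdtemp() under strict -std= modes (glibc) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Create a listening AF_UNIX socket at `path`, creating the socket file
 * with mode 0600 whatever umask the caller has.  Returns the socket fd or
 * -1 on error.  The caller's umask is restored on every path. */
int bind_private_socket(const char *path)
{
    struct sockaddr_un sunaddr;
    mode_t prev_mask;                       /* umask() takes/returns mode_t */
    int sock, rc;

    if (strlen(path) >= sizeof(sunaddr.sun_path))
        return -1;                          /* would be truncated */

    sock = socket(AF_UNIX, SOCK_STREAM, 0);
    if (sock < 0)
        return -1;

    memset(&sunaddr, 0, sizeof(sunaddr));
    sunaddr.sun_family = AF_UNIX;
    strncpy(sunaddr.sun_path, path, sizeof(sunaddr.sun_path) - 1);

    /* The socket file is created as 0777 & ~umask, so 0177 gives 0600.
     * Restore the mask right after bind(), before looking at its result. */
    prev_mask = umask(0177);
    rc = bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr));
    umask(prev_mask);

    if (rc < 0 || listen(sock, 5) < 0) {
        close(sock);
        return -1;
    }
    return sock;
}

/* Permission bits (st_mode & 0777) of `path`, or -1 if stat() fails. */
int file_mode_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Self-check: with a deliberately permissive umask (022, a constructed
 * value) in effect, bind a socket under a fresh mkdtemp() directory and
 * verify that the file is 0600 and that the 022 mask is back afterwards.
 * Returns 1 on success, 0 on failure; cleans up the temp files. */
int check_private_socket_mode(void)
{
    char dir[] = "/tmp/agent-example-XXXXXX";   /* constructed temp path */
    char path[sizeof(dir) + 16];
    mode_t orig, restored;
    int sock, mode, ok;

    orig = umask(022);                          /* permissive mask for the demo */

    if (mkdtemp(dir) == NULL) {
        umask(orig);
        return 0;
    }
    snprintf(path, sizeof(path), "%s/agent.sock", dir);

    sock = bind_private_socket(path);
    mode = file_mode_bits(path);
    restored = umask(orig);                     /* read back the mask left behind, put orig back */

    ok = (sock >= 0) && (mode == 0600) && (restored == 022);

    if (sock >= 0)
        close(sock);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    if (!check_private_socket_mode()) {
        puts("check failed");
        return 1;
    }
    puts("socket file created 0600; caller's umask restored");
    return 0;
}
```

The point of reading the mode back is that the file's own permission bits are what protect it once a directory check can be bypassed, as the message describes for "Bypass traverse checking"; on Cygwin those bits are mapped onto the file's Windows ACL, so checking them after creation is the same test a reviewer would run by hand.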