From: "Robert Collins"
To: "Corinna Vinschen"
Subject: Re: handle protection - please comment
Date: Wed, 18 Apr 2001 20:11:53 +1000

----- Original Message -----
From: "Corinna Vinschen"
Sent: Wednesday, April 18, 2001 8:05 PM
Subject: Re: handle protection - please comment

> On Wed, Apr 18, 2001 at 10:54:06AM +1000, Robert Collins wrote:
> > This is just a follow up to Egor's proposed server for handle control.
> >
> > On NT/2K, it should give exactly the desired permissions, no more, no
> > less.
>
> For that purpose there are two functions declared in security.h:
>
> PSECURITY_ATTRIBUTES sec_user (PVOID sa_buf, PSID sid2 = NULL, BOOL inherit = TRUE);
> PSECURITY_ATTRIBUTES sec_user_nih (PVOID sa_buf, PSID sid2 = NULL);
>
> For the usage have a look into sigproc.cc, function `getsem' or
> fork.cc, function `fork_parent'.
>
> Corinna

The problem with them is that they don't provide any granularity. Using alloc_sd, we can specify the access appropriately for each object. I.e. shmget takes a flags parameter that includes a file mode (i.e. 0666). How do we get an NT security descriptor for 0666 to pass to CreateFileMapping, for instance?
The thing Egor was talking about was child processes needing to read the parent's open handles, and that programs that setuid are apparently setting the perms to everyone, all to allow the child process with its different uid to read the handles. He was proposing a server model, which I don't like because a) it adds complexity and overhead and b) I don't believe _we_ should be doing the access checking; we should be passing that back to NT to do.

Rob
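The question of turning a mode such as 0666 into an NT security descriptor, as an added example that is not code from Cygwin or from either poster: a platform-independent C model that builds the ordered allow/deny entries a POSIX mode needs, using the real FILE_GENERIC_* access-mask values, and simulates NT's in-order ACE evaluation to show the effective rights of the owner, a group member and everyone else. The SID stand-ins, the ace_t type and the function names are assumptions; a real descriptor would carry actual SIDs in an ACL handed to CreateFileMapping.

```c
#include <stddef.h>
/* Windows generic file rights; all three share READ_CONTROL and SYNCHRONIZE. */
#define FILE_GENERIC_READ    0x120089u
#define FILE_GENERIC_WRITE   0x120116u
#define FILE_GENERIC_EXECUTE 0x1200A0u
/* Stand-ins for the three SIDs a POSIX mode addresses (names assumed). */
enum who  { OWNER = 1, GROUP = 2, EVERYONE = 4 };
enum kind { ALLOW, DENY };
typedef struct { enum kind kind; enum who who; unsigned mask; } ace_t;
/* Map one rwx triple (r=4, w=2, x=1) to an NT access mask. */
static unsigned rwx_to_mask(unsigned rwx)
{
    unsigned m = 0;
    if (rwx & 4) m |= FILE_GENERIC_READ;
    if (rwx & 2) m |= FILE_GENERIC_WRITE;
    if (rwx & 1) m |= FILE_GENERIC_EXECUTE;
    return m;
}
/* Ordered DACL for a POSIX mode. The owner is also in the group and in
 * Everyone, so owner and group get a deny for bits a later, broader allow
 * would hand them; each deny sits just before its own allow. Returns count. */
size_t mode_to_dacl(unsigned mode, ace_t out[5])
{
    unsigned o = (mode >> 6) & 7, g = (mode >> 3) & 7, w = mode & 7;
    unsigned ao = rwx_to_mask(o), ag = rwx_to_mask(g), aw = rwx_to_mask(w);
    /* Never deny a bit the principal's own allow grants: the shared
     * READ_CONTROL/SYNCHRONIZE bits must survive a deny of write or exec. */
    unsigned deny_o = rwx_to_mask((g | w) & ~o) & ~ao;
    unsigned deny_g = rwx_to_mask(w & ~g) & ~ag;
    size_t n = 0;
    if (deny_o) out[n++] = (ace_t){ DENY, OWNER, deny_o };
    out[n++] = (ace_t){ ALLOW, OWNER, ao };
    if (deny_g) out[n++] = (ace_t){ DENY, GROUP, deny_g };
    out[n++] = (ace_t){ ALLOW, GROUP, ag };
    out[n++] = (ace_t){ ALLOW, EVERYONE, aw };
    return n;
}
/* NT's in-order evaluation for a token holding `sids`: a deny only bites on
 * rights not yet granted; an allow cannot restore rights already denied. */
unsigned effective_access(const ace_t *dacl, size_t n, unsigned sids)
{
    unsigned granted = 0, denied = 0;
    for (size_t i = 0; i < n; i++) {
        if (!(dacl[i].who & sids)) continue;
        if (dacl[i].kind == DENY) denied |= dacl[i].mask & ~granted;
        else granted |= dacl[i].mask & ~denied;
    }
    return granted;
}
```

For 0604 the model yields an explicit deny for the group, because a group member is also in Everyone and would otherwise pick up world read; without the deny, an Everyone entry silently widens what the mode grants.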