Mailing-List: contact cygwin-developers-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-developers-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin-developers/>
List-Post: <mailto:cygwin-developers AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-developers-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-developers-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin-developers AT sources DOT redhat DOT com
Date: Tue, 4 Sep 2001 10:40:00 +0200
From: Corinna Vinschen <vinschen AT redhat DOT com>
To: cygwin-developers AT cygwin DOT com
Subject: Re: CYGWIN SERVER: Some questions
Message-ID: <20010904104000.A7039@cygbert.vinschen.de>
Reply-To: cygdev <cygwin-developers AT cygwin DOT com>
Mail-Followup-To: cygwin-developers AT cygwin DOT com
References: <20010903140332 DOT C23714 AT cygbert DOT vinschen DOT de> <20010903105746 DOT B2024 AT redhat DOT com> <20010903174251 DOT E30211 AT cygbert DOT vinschen DOT de> <20010903155526 DOT B2523 AT redhat DOT com> <20010903235116 DOT A2421 AT cygbert DOT vinschen DOT de> <20010903205357 DOT B3480 AT redhat DOT com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010903205357.B3480@redhat.com>; from cgf@redhat.com on Mon, Sep 03, 2001 at 08:53:57PM -0400

On Mon, Sep 03, 2001 at 08:53:57PM -0400, Christopher Faylor wrote:
> On Mon, Sep 03, 2001 at 11:51:16PM +0200, Corinna Vinschen wrote:
> >On Mon, Sep 03, 2001 at 03:55:26PM -0400, Christopher Faylor wrote:
> >> On Mon, Sep 03, 2001 at 05:42:51PM +0200, Corinna Vinschen wrote:
> >> >> How about mailboxes as the communication mechanism?  They share many
> >> >> of the characteristics of named pipes, I believe but *I think* they
> >> >> work on Windows 95.
> >> >
> >> >I'm not quite sure about the seriousness of this mail but if you
> >> >refer to mailslots... they are just a one-way mechanism to push
> >> >some data to another process. No real `communication' at all.
> >> 
> >> Oops.  Yes, I meant mail slots.  They are one directional, but so are
> >> pipes.  You just open one mail slot for each direction.  Or, you use it
> >> to synchronize a shared memory region.
> >
> >Named pipes under NT can be bidirectional by giving the
> >PIPE_ACCESS_DUPLEX flag in call to CreateNamedPipe().
> 
> But we can't use named pipes.

We can use them on NT only and use another TL on 9x/ME if we
actually implement different TLs.  I don't think that makes sense
in the beginning, though.  I would prefer a single mechanism
which works for all systems and which has the additional security
thingy for NT for the first implementation.

> >Mailslots have no security mechanism so they wouldn't be the
> >TL I would choose for NT/W2K/XP.
> 
> Don't mail slots have the same security mechanism as files?

Yes but that's not what I'm talking about.  I'm talking about
changing user context on behalf of the client which is a very
important security feature.  That's NT only of course: The
server is running under LocalSystem account so it's MIGHTY!
But it shouldn't.  Under 99% of the conditions it would be
appropriate to run in the user context the client is running
in.  Especially if the server tries to change ownership of
objects and such stuff, it should have the access rights of
client only.  At least it should _know_ these rights.

We _could_ do that by sending user information inside of
our HL protocol but that's not `security' since that could
be faked by a malicious client.

So, the protocols which support that already on the Win32 API
level are:

- Named Pipes:	ImpersonateNamedPipeClient()
- DDE:		DdeImpersonateClient(), ImpersonateDdeClientWindow()
- RPC:		RpcImpersonateClient()
- COM:		IServerSecurity and IClientSecurity Interface.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.