Re: AF_UNIX status report

[Corinna Vinschen <corinna-cygwin@cygwin.com>]

On Oct 29 14:53, Joe Lowe wrote:
> On 2020-10-29 13:19, Ken Brown via Cygwin-developers wrote:
> > On 10/27/2020 5:43 AM, Corinna Vinschen wrote:
> > > On Oct 26 18:04, Ken Brown via Cygwin-developers wrote:
> > > > I've made at least rudimentary implementations of all the
> > > > fhandler_socket_unix functions (including those in select.cc) for which
> > > > there were previously only placeholders.
> > > > 
> > > > I've pushed everything to topic/af_unix, including a merge with
> > > > master as of
> > > > a couple days ago.
> > > > 
> > > > I've cobbled together a few test programs and put them in
> > > > winsup/cygwin/socket_tests on the topic/af_unix branch.  I
> > > > haven't taken the
> > > > time to automate the tests, so they all have to be run
> > > > interactively.  There
> > > > is a Makefile to build the test programs and a README.txt that
> > > > shows how to
> > > > run them.
> > > > 
> > > > One thing I haven't yet done is to think about (or systematically test)
> > > > datagram sockets.  I'm sure there's quite a bit of code that
> > > > won't work for
> > > > them.
> > > > 
> > > > Aside from datagram sockets, there are still a few things that
> > > > I'm working
> > > > on, but I'm close to the point where I could use some input:
> > > > 
> > > > 1. I've littered the code in fhandler_socket_unix.cc and select.cc with
> > > > FIXME comments on which I'd like advice.
> > > 
> > > I'll look into it.
> > > 
> > > > 2. I haven't given any thought at all as to how to implement SCM_RIGHTS
> > > > ancillary data.  I could definitely use suggestions on that
> > > > before I start
> > > > thrashing around.
> > > 
> > > I have only vague ideas at that point.  Assuming we can replace the
> > > socket implemantation with the pipe implementation, what we have is a
> > > pipe which can impersonate the peer at least from the server side, and
> > > it knows the client process.  This in turn can be used to duplicate
> > > handles.  So what we could do is to define fhandler methods which create
> > > a matching serialization  and deserialization of the fhandler data, plus
> > > duplicating the handles for the other process, sent over the pipe as
> > > admin package.  This must work in either direction, regardless if the
> > > server or the client sends the SCM_RIGHTS block.
> > 
> > This sounds reasonable.
> > 
> > I have no experience with serialization.  Do you happen to know of a
> > good example that I could look at?

Unfortunately not.  Probably we can just send the entire fhandler and
the recipient fiddles the content in a per-class way, kind of like
fhandler::dup.

> I have experience building a secure implementation of SCM_RIGHTS type
> functionality over named pipe on Windows. This is not a small amount of code
> if you want to handle processes running as different users or privilege
> levels, and if you don't want to be a source of security vulnerabilities.

You're not interested to help coding this in Cygwin, by any chance?

> You might consider building an implementation of SCM_RIGHTS that is only
> expected to work for processes running as the same user and privilege level.
> At least this would be a good starting point. This would cover the
> requirements of some unix code bases that use SCM_RIGHTS , and avoids
> significant security issues and complexity.

This may be a good start, actually.  I'd love to get full privsep
working in OpenSSH, but that's not a key issue, given upstream
supports the preauth-only implementation as well, and this works
without SCM_RIGHTS.


Corinna