From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.134]) by sourceware.org (Postfix) with ESMTPS id 79B9E3857822 for ; Fri, 30 Oct 2020 09:20:23 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 79B9E3857822
Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=cygwin.com
Authentication-Results: sourceware.org; spf=fail smtp.mailfrom=corinna-cygwin@cygwin.com
Received: from calimero.vinschen.de ([24.134.7.25]) by mrelayeu.kundenserver.de (mreue011 [212.227.15.167]) with ESMTPSA (Nemesis) id 1Mati7-1jw3d11CDz-00cTGT for ; Fri, 30 Oct 2020 10:20:20 +0100
Received: by calimero.vinschen.de (Postfix, from userid 500) id 5C21AA81848; Fri, 30 Oct 2020 10:20:19 +0100 (CET)
Date: Fri, 30 Oct 2020 10:20:19 +0100
From: Corinna Vinschen
To: cygwin-developers@cygwin.com
Subject: Re: AF_UNIX status report
Message-ID: <20201030092019.GW5492@calimero.vinschen.de>
Reply-To: cygwin-developers@cygwin.com
Mail-Followup-To: cygwin-developers@cygwin.com
References: <1d0ea5dc-7e9b-d8fe-5f6e-da7a799a3b13@cornell.edu> <20201027094340.GJ5492@calimero.vinschen.de> <0f945b4c-aa30-e08e-9f86-d4b41279ba10@pismotec.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <0f945b4c-aa30-e08e-9f86-d4b41279ba10@pismotec.com>
X-Spam-Status: No, score=-100.9 required=5.0 tests=BAYES_00, GOOD_FROM_CORINNA_CYGWIN, KAM_DMARC_STATUS, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_NEUTRAL, TXREP autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org
X-BeenThere: cygwin-developers@cygwin.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Cygwin core component developers mailing list
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 30 Oct 2020 09:20:44 -0000

On Oct 29 14:53, Joe Lowe wrote:
> On 2020-10-29 13:19, Ken Brown via Cygwin-developers wrote:
> > On 10/27/2020 5:43 AM, Corinna Vinschen wrote:
> > > On Oct 26 18:04, Ken Brown via Cygwin-developers wrote:
> > > > I've made at least rudimentary implementations of all the
> > > > fhandler_socket_unix functions (including those in select.cc) for which
> > > > there were previously only placeholders.
> > > >
> > > > I've pushed everything to topic/af_unix, including a merge with
> > > > master as of a couple days ago.
> > > >
> > > > I've cobbled together a few test programs and put them in
> > > > winsup/cygwin/socket_tests on the topic/af_unix branch.  I haven't taken
> > > > the time to automate the tests, so they all have to be run interactively.
> > > > There is a Makefile to build the test programs and a README.txt that
> > > > shows how to run them.
> > > >
> > > > One thing I haven't yet done is to think about (or systematically test)
> > > > datagram sockets.  I'm sure there's quite a bit of code that won't work
> > > > for them.
> > > >
> > > > Aside from datagram sockets, there are still a few things that I'm
> > > > working on, but I'm close to the point where I could use some input:
> > > >
> > > > 1. I've littered the code in fhandler_socket_unix.cc and select.cc with
> > > > FIXME comments on which I'd like advice.
> > >
> > > I'll look into it.
> > >
> > > > 2. I haven't given any thought at all as to how to implement SCM_RIGHTS
> > > > ancillary data.  I could definitely use suggestions on that before I
> > > > start thrashing around.
> > >
> > > I have only vague ideas at that point.  Assuming we can replace the
> > > socket implementation with the pipe implementation, what we have is a
> > > pipe which can impersonate the peer at least from the server side, and
> > > it knows the client process.  This in turn can be used to duplicate
> > > handles.  So what we could do is to define fhandler methods which create
> > > a matching serialization and deserialization of the fhandler data, plus
> > > duplicating the handles for the other process, sent over the pipe as
> > > admin package.  This must work in either direction, regardless if the
> > > server or the client sends the SCM_RIGHTS block.
> >
> > This sounds reasonable.
> >
> > I have no experience with serialization.  Do you happen to know of a
> > good example that I could look at?

Unfortunately not.  Probably we can just send the entire fhandler and the
recipient fiddles the content in a per-class way, kind of like fhandler::dup.

> I have experience building a secure implementation of SCM_RIGHTS type
> functionality over named pipe on Windows. This is not a small amount of code
> if you want to handle processes running as different users or privilege
> levels, and if you don't want to be a source of security vulnerabilities.

You're not interested to help coding this in Cygwin, by any chance?
> You might consider building an implementation of SCM_RIGHTS that is only
> expected to work for processes running as the same user and privilege level.
> At least this would be a good starting point. This would cover the
> requirements of some unix code bases that use SCM_RIGHTS, and avoids
> significant security issues and complexity.

This may be a good start, actually.  I'd love to get full privsep working in
OpenSSH, but that's not a key issue, given upstream supports the preauth-only
implementation as well, and this works without SCM_RIGHTS.


Corinna
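Added example, not code from this thread or from Cygwin: the POSIX SCM_RIGHTS exchange that a pipe-based fhandler_socket_unix would have to reproduce, written as a plain C program against a socketpair. The receiver applies the same-user policy suggested above before it lets the kernel install anything, closes and refuses whatever arrives in a truncated control block rather than keeping a partial set of descriptors, and the end-to-end demo shows that the received descriptor is an independent duplicate that keeps working after the sender closes its own. SO_PEERCRED and MSG_CMSG_CLOEXEC are Linux-specific assumptions and are guarded so the rest still builds on other POSIX systems; the function names and the "pipe-w" tag are made up for this example.

```c
/* Added example (not Cygwin code): fd passing with SCM_RIGHTS over an AF_UNIX
   socketpair, plus the same-user acceptance policy discussed in the thread.
   Assumes Linux for SO_PEERCRED and MSG_CMSG_CLOEXEC; both are guarded. */
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>

#ifndef MSG_CMSG_CLOEXEC
#define MSG_CMSG_CLOEXEC 0          /* non-Linux: no atomic close-on-exec on receive */
#endif

/* Control buffer sized for exactly one descriptor; the union keeps it aligned. */
union fd_cmsg {
    struct cmsghdr hdr;
    char buf[CMSG_SPACE(sizeof(int))];
};

/* Send fd_to_send plus a short tag string over connected socket sock. 0 or -1. */
int send_fd(int sock, int fd_to_send, const char *tag)
{
    struct msghdr msg;
    struct iovec iov;
    union fd_cmsg ctrl;
    struct cmsghdr *cm;

    memset(&msg, 0, sizeof msg);
    memset(&ctrl, 0, sizeof ctrl);
    iov.iov_base = (void *)tag;
    iov.iov_len = strlen(tag) + 1;  /* at least one data byte must accompany the fd */
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctrl.buf;
    msg.msg_controllen = sizeof ctrl.buf;
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));
    return sendmsg(sock, &msg, 0) < 0 ? -1 : 0;
}

/* Receive one fd into the caller's table. Returns the new fd or -1.
   Policy: accept only from a peer running as our own uid, checked before
   recvmsg() so a rejected message never installs a descriptor at all. */
int recv_fd(int sock, char *tag, size_t taglen)
{
    struct msghdr msg;
    struct iovec iov;
    union fd_cmsg ctrl;
    struct cmsghdr *cm;
    int fd;

#ifdef SO_PEERCRED
    struct ucred cr;
    socklen_t crlen = sizeof cr;
    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cr, &crlen) == 0 && cr.uid != getuid())
        return -1;
#endif
    memset(&msg, 0, sizeof msg);
    memset(&ctrl, 0, sizeof ctrl);
    iov.iov_base = tag;
    iov.iov_len = taglen;
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctrl.buf;
    msg.msg_controllen = sizeof ctrl.buf;
    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) < 0)
        return -1;
    if (msg.msg_flags & MSG_CTRUNC) {   /* peer sent more fds than budgeted: close, refuse */
        for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm))
            if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS
                && cm->cmsg_len >= CMSG_LEN(sizeof(int))) {
                memcpy(&fd, CMSG_DATA(cm), sizeof fd);
                close(fd);
            }
        return -1;
    }
    cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS
        || cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}

/* End to end: pass the write end of a pipe across the socketpair, close the
   original, and prove the received duplicate still reaches the pipe.
   Returns the number of bytes that came through the pipe (5) or -1. */
int demo_pass_fd(void)
{
    int sv[2], pfd[2], got;
    char tag[16] = {0}, buf[32] = {0};
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(pfd) < 0)
        return -1;
    if (send_fd(sv[0], pfd[1], "pipe-w") < 0)
        return -1;
    got = recv_fd(sv[1], tag, sizeof tag);
    if (got < 0)
        return -1;
    close(pfd[1]);                  /* sender's copy is gone; 'got' is independent */
    if (write(got, "hello", 5) != 5)
        return -1;
    close(got);
    n = read(pfd[0], buf, sizeof buf);
    close(pfd[0]); close(sv[0]); close(sv[1]);
    if (n != 5 || memcmp(buf, "hello", 5) != 0 || strcmp(tag, "pipe-w") != 0)
        return -1;
    return (int)n;
}

int main(void)
{
    printf("bytes through passed fd: %d\n", demo_pass_fd());
    return 0;
}
```

Build with cc -o fdpass_demo fdpass_demo.c and run it. The point for the Cygwin design is the ordering inside recv_fd: the peer-identity decision happens before the kernel (or, on Windows, the pipe-side handle duplication) ever puts a descriptor into the receiving process, and a control block that does not match the expected shape is cleaned up rather than trusted.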