From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 29817 invoked by alias); 17 Oct 2014 19:29:16 -0000 Mailing-List: contact cygwin-developers-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-developers-owner@cygwin.com Mail-Followup-To: cygwin-developers@cygwin.com Received: (qmail 29650 invoked by uid 89); 17 Oct 2014 19:29:14 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.8 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_NONE,RP_MATCHES_RCVD autolearn=ham version=3.3.2 X-HELO: mailout11.t-online.de Received: from mailout11.t-online.de (HELO mailout11.t-online.de) (194.25.134.85) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (AES256-GCM-SHA384 encrypted) ESMTPS; Fri, 17 Oct 2014 19:29:12 +0000 Received: from fwd03.aul.t-online.de (fwd03.aul.t-online.de [172.20.27.148]) by mailout11.t-online.de (Postfix) with SMTP id 50E085DE43D for ; Fri, 17 Oct 2014 21:29:08 +0200 (CEST) Received: from [192.168.2.108] (EY3QLZZVohg2ne5I4S6sK8bTM61IaiVF5Zr1uTW9LWpIh9OLQqUKfPnLr15l8Bvgxg@[79.224.112.39]) by fwd03.t-online.de with (TLSv1.2:ECDHE-RSA-AES256-SHA encrypted) esmtp id 1XfDD1-0UBFoW0; Fri, 17 Oct 2014 21:29:07 +0200 Message-ID: <54416E01.70309@t-online.de> Date: Fri, 17 Oct 2014 19:29:00 -0000 From: Christian Franke User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26.1 MIME-Version: 1.0 To: cygwin-developers@cygwin.com Subject: Re: Cygwin AF_UNIX emulation References: <544039E2.2040908@t-online.de> <20141017114911.GA27069@calimero.vinschen.de> In-Reply-To: <20141017114911.GA27069@calimero.vinschen.de> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-IsSubscribed: yes X-SW-Source: 2014-10/txt/msg00008.txt.bz2 Corinna Vinschen wrote: > Hi Christian, > > On Oct 16 23:34, Christian Franke wrote: >> >> Nasty detail: At least postfix sets the all AF_UNIX sockets to rw-rw-rw- and >> relies only on directory permissions (private: rwx------, public: rwx--x---) >> for access control. This is not effective on Cygwin. Due to the rw-rw-rw-, >> the 'secret' is world readable on Cygwin and another Cygwin specific patch >> is required :-) > Yeah, thanks to Windows which enables the "Bypass Traverse checking" > privilege for everyone :( At one point in 2005 I toyed with traverse > checking but eventually gave up in 2006 and reverted the stuff. This does not appear as an Se*Privilege in the token, correct? Any idea why this was added for everyone? > I'm still once in a while dreaming of how to enable traverse checking > again, in a limited fashion only affecting Cygwin processes. Combined > with a mount flag, maybe. > > But then again, if it is configurable by the user, and the user and > admin will expect this, and the default expectation will be that it's > switched off, the applications will have to adapt to bypassed traverse > checking anyway :-P > >> After new setsockopt(sd, ., SO_PEERCRED, .), AF_UNIX sockets are definitely >> vulnerable. Any local process could "guess" the TCP port and connect to any >> emulated AF_UNIX server regardless of user account. >> >> >> Two draft ideas for a new AF_UNIX emulation: >> >> 1) >> Keep the current secret+cred exchange, but handle accept() and connect() >> differently: >> >> After actual accept(): >> >> if (! recv client secret+cred) >> return abort_connection(); >> send(server secret+cred); >> set_state(connected). >> >> >> After actual connect(): >> >> send(client secret+cred); >> set_state(connected_but_secret_missing) >> >> >> Before actual recv() and getpeerid(): >> >> if (state == connected_but_secret_missing) { >> if (! recv server secret+cred) >> return abort_connection() >> set_state(connected) >> } >> >> >> Before actual send(): Do nothing special. > Yeah, both peers simply send their stuff and expect the same from > the peer, thus it's not actually a handshake but just an exchange > of information. > > On the plus side, it's pretty unlikely that a non-Cygwin process is > *expecting* a Cygwin process on the other end and as such, the info > exchange is unexpected. > >> Secrets should be different such that knowledge of client secret (send >> unconditionally) does not expose the server secret. > How so? The binding server creates the file, the secret is in the file. > Only a process which knows that this socket is connected to this file's > content would know how to fetch the secret, a malicious non-Cygwin > client wouldn't know where to look for this info. > >> In contrast to my first more 'symmetric' approach, this should support >> 'client send() before server accept()'. Could not test it with postfix yet. >> >> Unfortunately this leaves one security issue open: Client may send >> confidential data to malicious server if original server died. The client >> will recognize it too late in first receive. > In theory, a malicious server could wait for the client package and > read the content, thus it knows the socket secret and send its own > package with the secret gained from the client. That's exactly why the server bind() should write two independent secrets to the file. Receiving the secret from the client does not help the attacker to fake the server secret then. The only drawback which remains is that the client performs the send() before first recv() unconditionally. It will realize the bad server secret lately on first recv(). > >> ... >> >> >> Problem: There is no real proof that the TCP peer is the actual peer listed >> in the file. > Right. > > Btw., considering my change to call the connect side of the handshake > only when an FD_CONNECT arrives, what exactly is postfix still missing? > > The connect call itself doesn't hang anymore, and the FD_CONNECT > handshake is independent of the actually requested events (FD_READ, > FD_WRITE, etc). So, right now I don't understand why postfix would > still need to switch off the handshake. With 20141014 snapshot, it hangs in poll({client_sd, POLLOUT}, 1, -1) after a nonblocking connect() and could not be kill()ed. postfix master unconditionally starts up some services like qmgr and pickup by connecting to itself: bind(listen_sd, "public/pickup") listen(listen_sd, .); set_nonblocking(client_sd); // Cygwin 1.7.32-1 hangs here: connect(client_sd, "public/pickup"); // Snapshot 20141014 hangs here: poll({client_sd, POLLOUT}, 1, -1) // My first approach hung here: send("some initial command"); poll({listen_sd, POLLIN}, ., .) spawn("/usr/libexec/postfix/pickup"); in child process: accept(listen_sd, .); BTW: I could ITP postfix in one week or so. It would rely on the SO_PEERCRED workaround for now. Any objections? > Independently of that, I'm mulling over the idea to introduce a > sidechannel via pipe. Pipes can be used to fetch the windows PID of the > peer (GetNamedPipeClientProcessId, GetNamedPipeServerProcessId), and the > server can impersonate the client and thus fetch the user and group > information from the client's token. The client would get the uid/gid > info back from the server via the pipe or, even more secure, via > CreateRemoteThread. > > I'm still somewhat fuzzy about the details, so for now it's just > wild brainstorming... Hmm... sounds promising. Christian