From: Ken Brown <kbrown@cornell.edu>
To: cygwin-developers@cygwin.com
Subject: Re: AF_UNIX status report
Date: Sun, 8 Nov 2020 17:40:17 -0500 [thread overview]
Message-ID: <99e02f87-1c58-ce6f-58e0-0deb26c4c899@cornell.edu> (raw)
In-Reply-To: <d829b45d-982f-70e4-4670-378b5ca09afe@cornell.edu>
On 11/7/2020 5:25 PM, Ken Brown via Cygwin-developers wrote:
> On 11/6/2020 4:12 AM, Corinna Vinschen wrote:
>> On Nov 5 18:41, Ken Brown via Cygwin-developers wrote:
>>> On 11/5/2020 12:21 PM, Corinna Vinschen wrote:
>>>> On Nov 5 09:23, Ken Brown via Cygwin-developers wrote:
>>>>> OK, here's how I imagine this working:
>>>>>
>>>>> A process wants to send a file descriptor fd, so it creates a msghdr with an
>>>>> SCM_RIGHTS cmsghdr and calls sendmsg. The latter creates and sends an admin
>>>>> packet A containing the fhandler for fd, and then it sends the original
>>>>> packet P.
>>>>>
>>>>> At the receiving end, recvmsg sees packet A first (recvmsg is always
>>>>> checking for admin packets anyway whenever it's called). It stores the
>>>>> fhandler somewhere. When it then reads packet P, it retrieves the stored
>>>>> fhandler, fiddles with it (duplicating handles, etc.), and creates the new
>>>>> file descriptor.
>>>>
>>>> Actually, this needs to be implemented in a source/dest-independent
>>>> manner. Only the server of the named pipe can impersonate the client.
>>>> So the server side should do the job of duplicating the handles. If the
>>>> sever is also the source of SCM_RIGHTS, it should send the fhandler with
>>>> already duplicated handles.
>>>
>>> The only example of pipe client impersonation I can find in the Cygwin code
>>> is in fhandler_pty_master::pty_master_thread. Is this a good model to
>>> follow? If not, can you point me to other examples somewhere?
>>>
>>> AFAICT, the only reason for the impersonation is to check that the client
>>> has appropriate permissions before trying to duplicate handles from the
>>> server process to the client process. Is that right? What would go wrong
>>> if we didn't check this? Is the issue that the client process would have
>>> handles that it can't access?
>>
>> Maybe I'm overthinking this. A typical scenario for SCM_RIGHTS
>> involves a privileged and an unprivileged process. The privileged
>> process sends an fd to the unprivileged process. In this case the
>> sending process has admin rights anyway and can duplicate the handles
>> into the receiving process without having to impersonate.
>>
>> Either way, if both processes are running under the same user, or at
>> least one of the processes has admin rights, no impersonation is
>> required. But since we don't know if the admin process is the sender or
>> the receiver, both sides must be capable of duplicating the handles.
>>
>> So, only if both processes are unprivileged, we would need to
>> impersonate. This will almost always fail, unless both processes have
>> been started from (for instance) the same ssh session or one of the user
>> accounts has the SeImpersonatePrivilege privilege.
>>
>> Maybe we should just skip the latter scenario for a start.
>
> Good! That way I don't have to get sidetracked learning about impersonation.
>
> Here's another issue involving serialization. I'm not sure it's enough to just
> fiddle with the handles and then send the fhandler. We also need to send the
> strings that are in the path_conv member of the fhandler. [I just noticed that
> you added path_conv serialization/deserialization recently, which should help
> with this.] This increases the size of the data to the point where I think we
> need to send more than one packet when we're sending SCM_RIGHTS.
>
> Alternatively, instead of trying to send the fhandler and string(s) over the
> socket, we could store a copy of the fhandler, along with the serialized pc, in
> a named shared memory block. The name could be something like
> "scm_rights.<installation_key>.<device>.<inode>". Then the sender would only
> have to send the device and inode, and the receiver could open the shared memory
> and reconstruct everything.
Apart from this annoying issue of packets being too long, here's how I imagine
serialization/deserialization working. All the code below is untested and
probably full of errors, but I hope it gives the idea. Note: get_size() below
is the virtual method that I called size() in an earlier message.
struct fh_flat
{
fhandler_union fhu;
size_t name_len;
char data[0];
};
/* Prerequisites: Modify fhandler_*::dup to take an optional winpid
argument specifying the process into which we want to duplicate
handles. Similarly modify dtable::dup_worker. */
void *
serialize (int fd, DWORD winpid, size_t &len)
{
fh_flat *fhf;
size_t nlen = 0;
cygheap_fdget cfd (fd);
if (cfd < 0)
{
set_errno (EBADF);
len = 0;
return NULL;
}
/* Make a copy of the fhandler with handles duplicated for winpid. */
fhandler_base *copy = cygheap->fdtab->dup_worker (cfd, 0, winpid);
if (copy->get_name ())
nlen = strlen (copy->get_name ()) + 1;
len = sizeof (fh_flat) + nlen;
fhf = (fh_flat *) cmalloc (HEAP_FHANDLER, len);
if (!fhf)
{
set_errno (ENOMEM);
len = 0;
return NULL;
}
memcpy (&fhf->fhu, copy, copy->get_size ());
fhf->name_len = nlen;
if (nlen)
strcpy (fhf->data, copy->get_name ());
return fhf;
}
/* Return new fd, or -1 on error. */
int
deserialize (void *bufp)
{
fh_flat *fhf = (fh_flat *) bufp;
cygheap_fdnew cfd;
if (cfd < 0)
return -1;
/* Create an fhandler of the right derived class. */
device dev = ((fhandler_base) fhf->fhu).dev ();
fhandler_base *fh = build_fh_dev (dev);
if (!fh)
{
debug_printf ("build_fh_dev failed");
return -1;
}
memcpy (fh, &fhf->fhu, fh->get_size ());
fh->set_name (fhf->data);
cfd = fh;
return cfd;
}
Does this approach look OK?
Ken
next prev parent reply other threads:[~2020-11-08 22:41 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-26 22:04 Ken Brown
2020-10-27 9:43 ` Corinna Vinschen
2020-10-29 20:19 ` Ken Brown
2020-10-29 21:53 ` Joe Lowe
2020-10-30 9:20 ` Corinna Vinschen
2020-11-03 15:43 ` Ken Brown
2020-11-04 12:03 ` Corinna Vinschen
2020-11-05 14:23 ` Ken Brown
2020-11-05 17:21 ` Corinna Vinschen
2020-11-05 19:01 ` Ken Brown
2020-11-05 19:54 ` Joe Lowe
2020-11-06 4:02 ` Ken Brown
2020-11-05 23:41 ` Ken Brown
2020-11-06 9:12 ` Corinna Vinschen
2020-11-07 22:25 ` Ken Brown
2020-11-08 22:40 ` Ken Brown [this message]
2020-11-09 9:08 ` Corinna Vinschen
2020-11-17 19:57 ` Ken Brown
2020-11-18 8:34 ` Corinna Vinschen
2020-11-22 20:44 ` Ken Brown
2020-11-23 8:43 ` Corinna Vinschen
2020-11-26 17:06 ` Ken Brown
2020-12-15 17:33 ` Ken Brown
2020-12-16 9:29 ` Corinna Vinschen
2020-12-16 21:09 ` Ken Brown
2020-12-17 15:54 ` Ken Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=99e02f87-1c58-ce6f-58e0-0deb26c4c899@cornell.edu \
--to=kbrown@cornell.edu \
--cc=cygwin-developers@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).