[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

ACLs null on NT



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I'm new here, I'm reviewing the code and spec, trying to find out more
about bug 98 (WindowsBufferProblems wiki page).  Here is an unrelated
observation, constructive feedback about how to improve security for Tor
on NT a little.

I notice that NULL ACLs are being used.  Libevent's win32-code/misc.c's
socketpair() calls CreateNamedPipe() and CreateFile(), both of which
have their last parameter, lpSecurityAttributes, set to NULL.  With no
ACL, the process gets the default ACL.  I believe this means that
multiple user groups gets write access, and Everyone gets read access
when NULL is specified as the ACL (forcing the default ACL with
appropriate ACEs).

Also socketpair() it calls SetNamedPipeHandleState() but doesn't check
the return code, not ACL-related but it should be fixed.

Tor's or/main.c's tor_init() checks if it is being run as root/admin,
but only for non-NT codepath, no control flow change, just fyi spew.

The code should be fixed to explicitly set ACLs, the SDK has samples
that show this. Or at least the spec should be updated to reduce NT
security expectations to be theoretical like BSD. Giving the NT Tor
service a separate user account to help isolate things would be better.

Sorry, no patches. Back to bug 98...

Thanks,
Lee

Tor control-spec excerpt:
- -----snip-----
Write a named socket in tor's data-directory or in some other location;
rely on the OS to ensure that only authorized users can open it.  (NOTE:
the Linux unix(7) man page suggests that some BSDs don't enforce
authorization.) If the OS has named sockets, and implements
authentication, trust all users who can read Tor's data directory.
- -----snip-----

CreateNamedPipe excerpt:
- -----snip-----
If lpSecurityAttributes is NULL, the named pipe gets a default security
descriptor and the handle cannot be inherited.  The ACLs in the default
security descriptor for a named pipe grant full control to the
LocalSystem account, administrators, and the creator owner.  They also
grant read access to members of the Everyone group and the anonymous
account.
- -----snip-----

CreateNamedPipe excerpt:
- -----snip-----
To create an instance of a named pipe by using CreateNamedPipe, the user
must have FILE_CREATE_PIPE_INSTANCE access to the named pipe object.  If
a new named pipe is being created, the access control list (ACL) from
the security attributes parameter defines the discretionary access
control for the named pipe.
- -----snip-----

CreateFile excerpt:
- -----snip-----
For backward compatibility purposes, CreateFile does not apply Windows
2000 inheritance rules when you specify a security descriptor in
lpSecurityAttributes.  To support inheritance on Windows 2000 and later,
APIs that later query the security descriptor of this object may
heuristically determine and report that inheritance is in effect.  See
Automatic Propagation of Inheritable ACEs for more information about
inheritance rules in Windows 2000 and later operating systems, and how
they differ from previous versions of Windows.
- -----snip-----

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/fs/createfile.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ipc/base/createnamedpipe.asp

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkTXrvgACgkQw3D+nSm51yjGNQCgsyhxHDfVWCIqr+2pPfy1TIem
ZSgAn0URn6zIUxAI+SHzZXJb+Ha35qns
=dbkq
-----END PGP SIGNATURE-----