windows: Enable default security parameters on file creation to avoid named pipe exploit

Fixes rust-lang#42036

As noted in [this paper][1], the threat model for the exploit is a privileged Rust process which accepts a file path from a malicious program. With this exploit, the malicious program can pass a named pipe to the privileged process and gain its elevated privileges.

The fix is to change the default OpenOptions to contain the proper security flags. [The .NET FileStream][2] has this same behavior by default. We're using the `SecurityIdentification` security level which is more permissive, but still blocks the exploit.

This is technically a breaking change. If someone were using a named pipe to impersonate a program *on purpose*, they would have to add `.security_qos_flags(0)` to their `OpenOptions` to keep working.

[1]: http://www.blakewatts.com/namedpipepaper.html
[2]: http://referencesource.microsoft.com/#mscorlib/system/io/filestream.cs,837
mattico committed Sep 14, 2017
1 parent 824952f commit d55c2d7
Showing 2 changed files with 2 additions and 1 deletion.
1 change: 1 addition & 0 deletions src/libstd/sys/windows/c.rs
Expand Up @@ -117,6 +117,7 @@ pub const FILE_GENERIC_WRITE: DWORD = STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA |
pub const FILE_FLAG_OPEN_REPARSE_POINT: DWORD = 0x00200000;
pub const FILE_FLAG_BACKUP_SEMANTICS: DWORD = 0x02000000;
pub const SECURITY_SQOS_PRESENT: DWORD = 0x00100000;
pub const SECURITY_IDENTIFICATION: DWORD = 0x00010000;

pub const FIONBIO: c_ulong = 0x8004667e;
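
Review bot: The new `SECURITY_IDENTIFICATION` constant in c.rs has no comment, and nothing next to `SECURITY_SQOS_PRESENT` says the two are meant to be combined. A one-line comment stating that it is the security level OR-ed with `SECURITY_SQOS_PRESENT` in the `OpenOptions` default would tell the next reader why this value, rather than another level, was added here.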

2 changes: 1 addition & 1 deletion src/libstd/sys/windows/fs.rs
Expand Up @@ -184,7 +184,7 @@ impl OpenOptions {
access_mode: None,
share_mode: c::FILE_SHARE_READ | c::FILE_SHARE_WRITE | c::FILE_SHARE_DELETE,
attributes: 0,
security_qos_flags: 0,
security_qos_flags: c::SECURITY_SQOS_PRESENT | c::SECURITY_IDENTIFICATION,
security_attributes: 0,
}
}
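
Review bot: The new `security_qos_flags` default in `OpenOptions::new()` changes behaviour for every caller, yet the change touches no documentation and no test (2 files, 2 additions, 1 deletion). The public doc comment for `security_qos_flags` should state that the default is now `SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION` and that `.security_qos_flags(0)` is the opt-out described in the commit message. It is also worth confirming what happens when a caller passes a non-zero level through the setter: whether `SECURITY_SQOS_PRESENT` is still applied is not visible in this hunk, and a test covering the default, the override and the `0` case would pin that down.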