Return-Path: 
 <dev-return-25511-apmail-apr-dev-archive=apr.apache.org@apr.apache.org>
X-Original-To: apmail-apr-dev-archive@www.apache.org
Delivered-To: apmail-apr-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 9E24F103FF
	for <apmail-apr-dev-archive@www.apache.org>;
 Mon, 14 Oct 2013 08:35:40 +0000 (UTC)
Received: (qmail 58031 invoked by uid 500); 14 Oct 2013 08:35:38 -0000
Delivered-To: apmail-apr-dev-archive@apr.apache.org
Received: (qmail 57611 invoked by uid 500); 14 Oct 2013 08:35:35 -0000
Mailing-List: contact dev-help@apr.apache.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:dev@apr.apache.org>
List-Help: <mailto:dev-help@apr.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@apr.apache.org>
List-Id: <dev.apr.apache.org>
Delivered-To: mailing list dev@apr.apache.org
Received: (qmail 57590 invoked by uid 99); 14 Oct 2013 08:35:33 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 14 Oct 2013 08:35:33 +0000
X-ASF-Spam-Status: No, hits=-0.7 required=5.0
	tests=RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of ivan@visualsvn.com designates
 209.85.212.177 as permitted sender)
Received: from [209.85.212.177] (HELO mail-wi0-f177.google.com)
 (209.85.212.177)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 14 Oct 2013 08:35:27 +0000
Received: by mail-wi0-f177.google.com with SMTP id ey11so1345204wid.4
        for <dev@apr.apache.org>; Mon, 14 Oct 2013 01:35:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=visualsvn.com; s=google;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc:content-type;
        bh=2pP4zo5TFBw/UYNtkPmIqpnjOVhkx0/IyzempFxDjUI=;
        b=Sadir7sYZUOGmPputgZl3HX7MkJQVrG7Z3js0FdQbVW3EUdoaXkmeLm5y6F1lm2XZr
         YLEbMF6CVQhUyU3PsH5APovR78Rdrriu3mKJ/tLnxCnNKfCkOJyGCb2ZBoj09LxeQrbe
         cIGyMFg5xmgBITVJvmWmixX1m4G6r56v5EDac=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc:content-type;
        bh=2pP4zo5TFBw/UYNtkPmIqpnjOVhkx0/IyzempFxDjUI=;
        b=fz9QKrX3F8oCir8pk3YYDGkKrK1WL9ru48p1H6t/ZPRSqJDVn1T/mT+Y8HsNrGUwLW
         ADRAcwHXxydLIHwtaLTOQi8pbuEHJ5vJSXug86ReCQHbzIGfUhbUzlkLEd4JFDX1kxeJ
         Drxv8Zbg/wNNI7hRATd30E7nj1WS9MNVXQuebHXGbGtD9RcH2XvA1ZysA3no1Kq+QnKn
         CC6Ex8LXsA2FbKvHMq3ZUqi8AqaJPNdUawDDiH2tL7mzY74T+ST2h5IpkgWHZyynxW1R
         g+mh2v465+txcgaxkJ5A8kwRGFKQlnL4sNpzZaaqVKe7xBGau1jukM/4boia3MbFcyV1
         xuww==
X-Gm-Message-State: 
 ALoCoQkwtBlx/F7f20HRZvmMZNoLaX6u/HtotBB+jEEPjP/TaeUIYDKWSgEQ50yGx4iEXXxQtEGx
X-Received: by 10.180.182.82 with SMTP id ec18mr13511725wic.13.1381739707461;
 Mon, 14 Oct 2013 01:35:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.194.56.35 with HTTP; Mon, 14 Oct 2013 01:34:47 -0700 (PDT)
In-Reply-To: 
 <CAKUrXK6zM_LCWC5-+UQZ-C7JNWXM8ym+rGRLVFQwgRY4mT71=Q@mail.gmail.com>
References: 
 <CAKUrXK6zM_LCWC5-+UQZ-C7JNWXM8ym+rGRLVFQwgRY4mT71=Q@mail.gmail.com>
From: Ivan Zhakov <ivan@visualsvn.com>
Date: Mon, 14 Oct 2013 12:34:47 +0400
Message-ID: 
 <CABw-3Yca2ebVzmQ7O8quw0E8YOMyQZwYtBNr9K-ho0wRbhk_ig@mail.gmail.com>
Subject: Re: [PATCH] "Global" vs. "Local" prefix on named mutexes and named
 shm on Windows
To: Jeff Trawick <trawick@gmail.com>
Cc: APR Developer List <dev@apr.apache.org>
Content-Type: text/plain; charset=UTF-8
X-Virus-Checked: Checked by ClamAV on apache.org

On 12 October 2013 18:48, Jeff Trawick <trawick@gmail.com> wrote:
> With APR on Windows, creating shared memory or a cross-process mutex with a
> "file" name parameter results in a resource being created with a "Global"
> prefix, which in turn restricts the call to Administrator (or more
> accurately, a thread with the specific privilege
> to make that call; let's just call that "Administrator" for simplicity).  (I
> think this is just for shared memory???)
>
> A typical way to encounter this is that some dude in httpd-land decides that
> mod_lua should start creating APR shared memory at startup and a filename
> should always be specified, and suddenly httpd running as you on Windows can
> no longer use mod_lua.  Any number of other httpd modules try do something
> similar (though I haven't investigated if there's a way to configure around
> it); additionally, APR's testshm won't work as a regular user.
>
> The attached patch uses "Local" as the prefix if the calling thread doesn't
> have the necessary privilege to create one under the global namespace.  But
> this function is also used for attach-type operations,
>
> Has anyone investigated this before?
>
Jeff,

It looks like very dangerous change. Local and Global namespaces are
completely separate, thus priviliged process could not access
shm/mutex created by unprivileged process. Objects in local kernel
namespace are per session, while objects in global kernel namespace
are shared across all sessions, that's why process need additional
privilege to create them.

Services are started in separate "session 0", while interactive
processes uses dedicated session for every user/rdp connection.

Your patch may also break atomic "create or open" code:
[[
rv == apr_shm_create();
if (rv == ALREADY_EXIST)
   rv = apr_shm_attach()
]]

Suppose Windows services created shm object in global namespace,
interactive process wanted to access it using code above.
apr_shm_create() detects that process is not privileged and creates
shm object in local namespace, which is wrong IMHO.

Change process privileges as side effect of apr_shm_attach() is also
nasty behavior imho.

-- 
Ivan Zhakov