Re: Silly question about OpenSSH and Cygwin


Wednesday, 08 August, 2001 wrote:

jndc> I'm going to cross my fingers and hope this question hasn't been asked before.

jndc> Is Cygwin still inherently insecure on a multiuser system, or is this a FAQ
jndc> entry that hasn't been revised in a while?

yes. it's still insecure. i don't know any ways to exploit cygwin
remotely, but doing so locally is rather easy. see thread
if you want details.

making cygwin secure requires architectural changes and adding a special
"cygwin daemon" which will take care of inter-process security stuff.
there's a prototype of such a daemon posted in, but
i have to admit it's a bit "impractical", i.e. its interface is not
very flexible. it has worked for me for several months now, though.

and i should stress that it's _only_one_ of the known security holes
in cygwin.

jndc> If it's still correct, is there any way to lock it down, or
jndc> protect Cygwin from non-admin users? The new system I was
jndc> prototyping relies on sshd running on all the workstations. I
jndc> see lots of other folks using OpenSSH on Cygwin for a variety of
jndc> things, so I'm going to guess that I missed something.

they probably don't care much ( not being paranoid :) ), or they can
trust users that log on locally on machines with sshd.

jndc> But -- we're working in a reasonably security-conscious environment, and the
jndc> last thing I want to do is explain myself to an audit team when
jndc> they find out I deployed new code that's hackable by anyone
jndc> logged into the workstations locally.

then you can help us with an audit of cygwin's security! :) i believe any
potential security hole in cygwin should and _can_ be fixed, but
1) we must know about this particular hole.
2) it may take time and a certain amount of effort to fix it.

Egor.   ICQ 5165414 FidoNet 2:5020/496.19

