How secure is Cygwin in a multi-user environment?
Corinna Vinschen
vinschen@redhat.com
Wed Mar 2 09:12:00 GMT 2005
On Mar 1 21:33, Pierre A. Humblet wrote:
> [...]
> This isn't up to date any more, the hole described above is now fixed.
> So the entry should be updated. I suggest replacing it with the following:
>
> How secure is Cygwin in a multi-user environment?
>
> As of version 1.5.13, the Cygwin developers are not aware of any feature
> in the cygwin dll that would allow users to gain privileges or to access
> objects
> to which they have no rights under Windows.
> Cygwin processes share some variables and are thus easier targets of
> denial of service type of attacks.
What I really like to see is the hint that we don't give any guarantee
for being "secure".
> Not sure what to say, if anything, about cygserver.
Cygserver checks the impersonation token after calling
ImpersonateNamedPipeClient, so I would think cygserver is reasonably
secure. No guarantee, of course.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader mailto:cygwin@cygwin.com
Red Hat, Inc.
More information about the Cygwin-developers
mailing list