How secure is Cygwin in a multi-user environment?
Pierre A. Humblet
Pierre.Humblet@ieee.org
Thu Mar 3 05:10:00 GMT 2005
At 12:03 PM 3/2/2005 -0500, Igor Pechtchanski wrote:
>On Wed, 2 Mar 2005, Corinna Vinschen wrote:
>
>> On Mar 1 21:33, Pierre A. Humblet wrote:
>> > [...]
>> > This isn't up to date any more, the hole described above is now fixed.
>> > So the entry should be updated. I suggest replacing it with the
following:
>> >
>> > How secure is Cygwin in a multi-user environment?
>> >
>> > As of version 1.5.13, the Cygwin developers are not aware of any feature
>> > in the cygwin dll that would allow users to gain privileges or to access
>> > objects
>> > to which they have no rights under Windows.
>> > Cygwin processes share some variables and are thus easier targets of
>> > denial of service type of attacks.
>>
>> What I really like to see is the hint that we don't give any guarantee
>> for being "secure".
>
>How about "Cygwin is as secure as the Windows it runs on"?
> Igor
>--
How about:
As of version 1.5.13, the Cygwin developers are not aware of any feature
in the cygwin dll that would allow users to gain privileges or to access
objects to which they have no rights under Windows. However there is no
guarantee that Cygwin is as secure as the Windows it runs on.
Cygwin processes share some variables and are thus easier targets of
denial of service type of attacks.
Pierre
More information about the Cygwin-developers
mailing list