Is there someone offering cygwin paid support?

Warren Young
Thu Sep 20 09:07:00 GMT 2007

Will Parsons wrote:
> why would cygwin be less secure?

The more moving parts, the more things there are to break.

Postulate that you have a program that's been audited to the point that 
you're absolutely certain it's 100% secure when run on Linux.

Then you port it to Cygwin.  Is it secure?  The answer cannot be "Yes" 
until you have also audited Cygwin itself to the same level of assurance.

Just one way it could fail is if there is a buffer overflow in the 
implementation of one of Cygwin's interfaces, and your "100% secure" 
program calls it.  It's then only a matter of time for a skilled hacker 
to turn that buffer overflow into an arbitrary code execution 
vulnerability.  At minimum, the hacker will then have the privileges of 
the program.  Once the hacker has local access, chances are good that he 
can parlay that into a privilege escalation attack, and it's Game Over 
for you.

Security is hard.

Unsubscribe info:
Problem reports:

More information about the Cygwin mailing list