Possible Security Hole in SSHD w/ CYGWIN?
Mon Feb 15 12:11:00 GMT 2016
On Feb 14 13:36, Erik Soderquist wrote:
> I think the key point is that if no network password is stored using
> the "passwd -R" option, then there should be absolutely no network
> access at all in the current code/design, not a fall through to the
> cyg_server account's network access, regardless of how much or little
> network access that account has.
The problem is this:
I'm not aware of any explicit OS call which allows the process calling
CreateProcessAsUser to drop network credentials of the *caller* in the
child process running under another user token.
In fact, I'm not even aware of any call which allows to drop network
credentials even for the calling process, and that would be the wrong
thing to do anyway.
This is a clear cut case of "I need help" and "Patches gratefully
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: not available
More information about the Cygwin