Mail Archives: cygwin/2001/05/21/20:11:54
On Tue, May 22, 2001 at 09:35:22AM +1000, Robert Collins wrote:
>Egor Duda has spent some time researching security aspects of cygwin
>(and patching as he goes). So he's a more authoritative source.
>
>I know of at least one showstopper: It's currently possible for any
>cygwin process to get a win32 handle with full access rights to any
>other cygwin process. See the archives of the developer list for more
>detail. (search on daemon - Egor has proposed a daemon to resolve the
>issue).
Right. I cannot emphasize strongly enough that Cygwin is NOT A SECURE
ENVIRONMENT. Do NOT trust it with sensitive data. It is trivially
easy to hack.
cgf
>> -----Original Message-----
>> From: joetesta AT hushmail DOT com [mailto:joetesta AT hushmail DOT com]
>> Sent: Tuesday, May 22, 2001 1:10 PM
>> To: bugtraq AT securityfocus DOT com; cygwin AT cygwin DOT com
>> Subject: The security of OpenSSH with cygwin.
>>
>>
>> ----- Begin Hush Signed Message from joetesta AT hushmail DOT com -----
>>
>> Hi --
>>
>> I am about to undertake a project using OpenSSH with
>> cygwin (http://www.cygwin.com/).
>> Before doing so, I would like to ask if there is anyone who
>> has done any
>> security research on this combination already.
>> I have never seen any advisories on the BUGTRAQ mailing
>> list, and this
>> makes me a little uneasy (generally, I don't trust software
>> that hasn't
>> had at least one security fix in its history, unless I am its
>> author =]
>> ). I have been trained enough to realize that complexity is
>> security's
>> enemy, and using the cygwin library to wrap the UNIX API with
>> the Window's
>> API definitely makes things more complex.
>> So, I'd like to know how many people have *at least
>> tried* to find holes
>> in an OpenSSH-cygwin combo. I think I would feel a little
>> better if I know
>> that an honest attempt was made. Thanks in advance.
>>
>>
>> - Joe Testa
>>
>> e-mail: joetesta AT hushmail DOT com
>> web page: http://hogs.rit.edu/~joet
>> AIM: LordSpankatron
>>
>>
>> ----- Begin Hush Signature v1.3 -----
>> Eb5nyu04VZj5/7cmeklvZ79BqUGto/ln3c8Cy4H5R2EsgxhXqTwbDxpszhCGF/+6BrJ/
>> oYY1nBWSKT97BDy017HHfWt0JBhZy4wfP9VbqmRzFx2QAJr6dVS9VRf9/5DWVM4+7SSX
>> 6vZvBPiygdYujzlDmEIrziP9PGXL8+/fRj98pgGE53uKc9yIcDKmef1Uf1q7z5pPy8O7
>> PE+IRCtF7jUtr4PTOV935d9499lXvM547MDvvx4394WDskG8prKyYaE9uZKc1wzCA0ob
>> z7Gvhz4i9jAZIXXJ+m8Z4EU3n9gLpy/gz25grXO7ktH54ZEDdmQ25j3za+bIFCZ3u93w
>> VbbYxKO6rQOjvPWTatcPHGC6TwBh+JxIEoVlLMVyIbjncamNL4Xd3odpcyd4Ukn6bItU
>> sUnVLMIV6AaB693fKmrw30nywV6fKtrQbmr6appLvByCzXbS7X2DMrvLeL+dbODTTDSo
>> eajwTcTPS5LdU8ZeDVs9rLnTC4HFRVFTaUwk1w34DWHN
>> ----- End Hush Signature v1.3 -----
>>
>>
>> This message has been signed with a Hush Digital Signature.
>> To verify the signature, please go to www.hush.com/tools
>>
>>
>> Free, encrypted, secure Web-based email at www.hushmail.com
>>
>
>--
>Want to unsubscribe from this list?
>Check out: http://cygwin.com/ml/#unsubscribe-simple
--
cgf AT cygnus DOT com Red Hat, Inc.
http://sources.redhat.com/ http://www.redhat.com/
--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple
- Raw text -