Mail Archives: cygwin/2001/05/22/09:11:55

Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
X-Lotus-FromDomain: JPMORGAN AT SMTP
From: "Noel L Yap" <yap_noel AT jpmorgan DOT com>
To: cygwin AT cygwin DOT com
cc: cygwin AT cygwin DOT com, joetesta AT hushmail DOT com
Message-ID: <85256A54.00486700.00@nyc-ntgw-n01.ny.jpmorgan.com>
Date: Tue, 22 May 2001 09:10:43 -0400
Subject: Re: The security of OpenSSH with cygwin.
Mime-Version: 1.0

Will just using the SSH client open you up to attacks?

Thanks,
Noel

On Tue, May 22, 2001 at 09:35:22AM +1000, Robert Collins wrote:
>Egor Duda has spent some time researching security aspects of cygwin
>(and patching as he goes). So he's a more authoritative source.
>
>I know of at least one showstopper: It's currently possible for any
>cygwin process to get a win32 handle with full access rights to any
>other cygwin process. See the archives of the developer list for more
>detail. (search on daemon - Egor has proposed a daemon to resolve the
>issue).

Right.  I cannot emphasize strongly enough that Cygwin is NOT A SECURE
ENVIRONMENT.  Do NOT trust it with sensitive data.  It is trivially
easy to hack.

cgf

>> -----Original Message-----
>> From: joetesta AT hushmail DOT com [mailto:joetesta AT hushmail DOT com]
>> Sent: Tuesday, May 22, 2001 1:10 PM
>> To: bugtraq AT securityfocus DOT com; cygwin AT cygwin DOT com
>> Subject: The security of OpenSSH with cygwin.
>>
>>
>> ----- Begin Hush Signed Message from joetesta AT hushmail DOT com -----
>>
>> Hi --
>>
>>     I am about to undertake a project using OpenSSH with
>> cygwin (http://www.cygwin.com/). Before doing so, I would like to
>> ask if there is anyone who has done any security research on this
>> combination already.
>>     I have never seen any advisories on the BUGTRAQ mailing list,
>> and this makes me a little uneasy (generally, I don't trust
>> software that hasn't had at least one security fix in its history,
>> unless I am its author =] ). I have been trained enough to realize
>> that complexity is security's enemy, and using the cygwin library
>> to wrap the UNIX API with the Windows API definitely makes things
>> more complex.
>>     So, I'd like to know how many people have *at least tried* to
>> find holes in an OpenSSH-cygwin combo. I think I would feel a
>> little better if I know that an honest attempt was made. Thanks in
>> advance.
>>
>>
>>     - Joe Testa
>>
>> e-mail:   joetesta AT hushmail DOT com
>> web page: http://hogs.rit.edu/~joet
>> AIM:      LordSpankatron
>>
>>
>> ----- Begin Hush Signature v1.3 -----
>> ----- End Hush Signature v1.3 -----
>>
>>
>> This message has been signed with a Hush Digital Signature.
>> To verify the signature, please go to www.hush.com/tools
>>
>>
>> Free, encrypted, secure Web-based email at www.hushmail.com
>>
>
>--
>Want to unsubscribe from this list?
>Check out: http://cygwin.com/ml/#unsubscribe-simple

--
cgf AT cygnus DOT com                        Red Hat, Inc.
http://sources.redhat.com/            http://www.redhat.com/
