Mail Archives: cygwin/2003/03/15/20:41:13

From: günter strubinsky <strubinsky AT acm DOT org>
To: <cygwin AT cygwin DOT com>
Subject: FW: disable access to /cygdrive/c ?
Date: Sat, 15 Mar 2003 19:41:05 -0600

Oops! Wrong button! There are soooo many!

 
 günter strubinsky
 <strubinsky AT acm DOT org>
 Tel: 402.212.0196

> -----Original Message-----
> From: günter strubinsky [mailto:strubinsky AT acm DOT org]
> Sent: Saturday, March 15, 2003 6:51 PM
> To: 'roland'
> Subject: RE: disable access to /cygdrive/c ?
> 
> To go below root requires 'hacker intention' and since cygwin is a shell
> around your OS including file security, you can't get more security than
> the original file system allows.
> 
> Why would you want a fat32 filesystem in the first place? Your security is
> already infringed from the windows level; meaning: IF they want to hack
> your machine and couldn't under cygwin, they could under win.
> 
> An option I could think of is make a virtual driveletter in windows
> pointing to the directory of your choice. Share that 'drive' only. Access
> either via win2k or cygwin is only possible down to the bare driveletter
> (which is actually a directory somewhere on your drive).
> 
> If you assume malicious intent disconnect your computer. You don't want
> anybody in that case to access your /bin directory and replace system
> files.
> 
> I think the solution is not a cygwin issue but a windows issue.
> 
> Concluding: If you set a directory to a virtual drive letter and share
> this 'drive' it doesn't matter what OS wants to access the directory tree.
> They can't get below the drive letter even though the drive letter points
> to a directory of the nth level. Another approach is the DFS (Distributed
> File System) in which you can even combine directories from different
> machines on different drives into one virtual directory tree; it's
> failsafe (AD syncs your servers) and incompatible with other OSes, which
> enhances security ;) . That means c:\cygwin could be changed to x:\ (the
> virtual drive pointing to c:\cygwin). There is no 'cd ..' below x:\ !
> 
> According to what you wrote however, that
> someone should be able to 'do whatever he wants inside c:\cygwin' you
> should probably first make up your mind whether you trust this person or
> not. If you do, it's no issue, if you don't, there's always a way.
> Especially in fat32. I know of 'things' you can do also in ntfs that would
> get you running for an axe to lobotomize your network card off the box.
> 
>  günter strubinsky
>  <strubinsky AT acm DOT org>
>  Tel: 402.212.0196
> 
> > -----Original Message-----
> > From: cygwin-owner AT cygwin DOT com [mailto:cygwin-owner AT cygwin DOT com] On Behalf
> > Of roland
> > Sent: Saturday, March 15, 2003 12:51 PM
> > To: cygwin AT cygwin DOT com
> > Subject: disable access to /cygdrive/c ?
> >
> > Hello,
> >
> > is there a way to completely disable access to paths below /cygdrive ?
> > i.e. to make /cygdrive/* invisible/inaccessible ?
> >
> > I have set up sshd on my machine and now some developer can ssh into my
> > machine and help me with developing stuff under cygwin.
> > He can do what he wants inside c:\cygwin - but he shouldn't be able to
> > access other paths. Is it possible that i can hide that from him ?
> > Sure, I could set appropriate ntfs acls - but what if i have fat32 based
> > filesystem?
> >
> > regards
> > Roland
> >
> > pS:
> > sure - this may not be bullet proof since he can execute code on my
> > computer - but at least it is not too simple and needs "hacker intention".
> >
> >
> > --
> > Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> > Bug reporting:         http://cygwin.com/bugs.html
> > Documentation:         http://cygwin.com/docs.html
> > FAQ:                   http://cygwin.com/faq/
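
The thread turns on which paths typed in a Cygwin shell land outside c:\cygwin. As an added illustration (not code from either poster or from Cygwin), this sketch maps shell paths to Windows paths and flags the ones that leave the install directory, for example when reviewing a remote developer's shell history. It assumes the default `/cygdrive` prefix and an install at `C:\cygwin`; the function names and sample paths are hypothetical, and the check is purely lexical (symlinks and extra mount points are not resolved).

```python
import ntpath
import posixpath

CYGWIN_ROOT = r"C:\cygwin"  # install directory named in the thread (assumed layout)
CYGDRIVE = "/cygdrive"      # Cygwin's default drive prefix (assumed unchanged)

def to_windows(path, cwd="/home/dev"):
    """Map a path as typed in a Cygwin shell to a normalized Windows path."""
    # Windows-style input (c:\x, c:/x, UNC) bypasses the POSIX tree entirely.
    drive, rest = ntpath.splitdrive(path)
    if drive:
        return ntpath.normpath(drive.upper() + "\\" + rest.lstrip("\\/"))
    # Resolve "." and ".." against the working directory; ".." stops at "/".
    full = posixpath.normpath(posixpath.join(cwd, path))
    parts = [p for p in full.split("/") if p]
    if parts[:1] == ["cygdrive"]:
        if len(parts) == 1:
            return CYGDRIVE  # the drive listing itself: never under the root
        if len(parts[1]) == 1 and parts[1].isalpha():
            return ntpath.normpath(parts[1].upper() + ":\\" + "\\".join(parts[2:]))
    # Everything else lives under the POSIX root, i.e. the install directory.
    return ntpath.normpath(ntpath.join(CYGWIN_ROOT, *parts))

def escapes_root(path, cwd="/home/dev"):
    """True if the path resolves outside CYGWIN_ROOT (case-insensitive)."""
    win = to_windows(path, cwd).lower()
    root = CYGWIN_ROOT.lower()
    # Compare whole components so C:\cygwin2 is not mistaken for C:\cygwin.
    return not (win == root or win.startswith(root + "\\"))

# Constructed sample input: paths as they might appear in a shell history.
SAMPLE = [
    "/bin/bash",
    "../..",
    "/cygdrive/c/cygwin/bin",
    "/cygdrive/c/WINDOWS/system32",
    "../../../cygdrive/d/data",
    "c:/Documents and Settings",
    "/cygdrive/c/cygwin2",
]

def flagged(paths=SAMPLE):
    """Return the paths that reach outside the Cygwin install directory."""
    return [p for p in paths if escapes_root(p)]

if __name__ == "__main__":
    for p in flagged():
        print("outside root:", p, "->", to_windows(p))
```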


