Mail Archives: cygwin/2003/07/08/18:40:15
We would like to use a Cygwin-based OpenSSH implementation (http://lexa.mckenna.edu/sshwindows/) for running tasks remotely on Windows (2000, XP) systems. The systems involved would have this OpenSSH distribution installed on them, but not a full Cygwin distribution. The security issue of non-administrators being able to open the named memory-mapped files used by Cygwin (for example, the pinfo class) is a concern, however.

We can live with the restriction of a single-user model, where tasks on the target system can only be run as a user in the Administrator group. In this situation it seems to me that some restrictions on the SECURITY_DESCRIPTORs used for CreateFileMapping() could be made. To test this idea with a simple change, I changed early_init_stuff() in exceptions.cc to set the sec_all and sec_all_nih structs' lpSecurityDescriptor to NULL, just like the sec_none struct is currently.

Without this change I was able to OpenFileMapping() and MapViewOfFile() on the pinfo memory-mapped file as a non-administrator. With this change, I couldn't.

Now I am wondering, "Is restricting the SECURITY_DESCRIPTORs for named memory-mapped files a reasonable way to close this vulnerability (given our willingness to settle for single-user)?"

If it is, the next question is, "Is it good for anything else?" In a multi-user Cygwin context, it seems unhelpful, but does it make sense to have a "single-user" configuration of Cygwin with improved security?

Jon Warden
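
Added example, not part of the original message and not Cygwin code: a small Python model of the DACL check that decides whether a named file mapping can be opened, showing why a NULL lpSecurityDescriptor can shut out a non-administrator. Assumptions: the descriptor used before the change carried a NULL DACL, the creating administrator's token default DACL grants access only to Administrators and SYSTEM, and the sample tokens and user SIDs are constructed.

```python
# Simplified model of the DACL check Windows applies when a named section
# (file-mapping) object is opened. Model only: no owner rights, privileges,
# generic-right mapping or inherited ACEs.
SECTION_MAP_WRITE = 0x0002    # FILE_MAP_WRITE
SECTION_MAP_READ = 0x0004     # FILE_MAP_READ
SECTION_ALL_ACCESS = 0xF001F

ADMINS, SYSTEM = "S-1-5-32-544", "S-1-5-18"     # well-known SIDs
USERS, EVERYONE = "S-1-5-32-545", "S-1-1-0"

# Constructed sample tokens (the user SIDs are made up for this example).
ADMIN_TOKEN = {"S-1-5-21-0-0-0-1001", ADMINS, USERS, EVERYONE}
USER_TOKEN = {"S-1-5-21-0-0-0-1002", USERS, EVERYONE}

# Assumption: default DACL carried by the creating administrator's token.
ADMIN_DEFAULT_DACL = [("allow", ADMINS, SECTION_ALL_ACCESS),
                      ("allow", SYSTEM, SECTION_ALL_ACCESS)]

def effective_dacl(lp_security_descriptor, creator_default_dacl):
    """DACL the new object ends up with. A NULL lpSecurityDescriptor means
    the object takes the default DACL from the creator's token."""
    if lp_security_descriptor is None:
        return creator_default_dacl
    return lp_security_descriptor["dacl"]

def access_check(token_sids, dacl, desired):
    """True if every access bit in `desired` is granted to the token."""
    if dacl is None:              # NULL DACL: the object is unprotected
        return True
    remaining = desired
    for ace_type, sid, mask in dacl:      # ACEs are evaluated in order
        if remaining == 0:
            break
        if sid not in token_sids:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
    return remaining == 0         # an empty DACL grants nothing

def can_map(token_sids, lp_security_descriptor, desired=SECTION_MAP_READ):
    dacl = effective_dacl(lp_security_descriptor, ADMIN_DEFAULT_DACL)
    return access_check(token_sids, dacl, desired)

# Assumption: the descriptor used before the change carries a NULL DACL.
BEFORE = {"dacl": None}
AFTER = None                      # lpSecurityDescriptor = NULL
```

In this model the outcome depends entirely on the creator's default DACL, so it only holds while every process that creates the mapping runs as an administrator, which matches the single-user restriction in the message.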