Message-ID: | <4390418A.4080000@adnovum.ch> |
Date: | Fri, 02 Dec 2005 13:43:54 +0100 |
From: | andrea <cygwin-temp AT adnovum DOT ch> |
To: | cygwin AT cygwin DOT com |
Subject: | multi user environment security due shared memory |
Hi all,

Our company is looking at some security properties of cygwin. We want to run a daemon like sshd in a multi-user environment with cygrunsrv.

There was an entry [0] in your FAQ from 2000/09/13 that cygwin is not secure in a multi-user environment. This entry was replaced this year [1], saying that as of 1.5.13 you are not aware of any feature to gain more privileges than you have under Windows.

To my understanding, this newest FAQ entry is in contrast to what you write in your user guide [2] about the use of shared memory in your 'kernel'. There you write "...it does constitute a security hole...".

I was not able to find any recent discussion about this topic on this list (there was one in 2002 [3]).

Is there some documentation describing the shared memory segments accessible by all cygwin users?

What is the current status of the following security threats, and how would you rate security when running sshd in a multi-user environment?

- Code execution in the context of another user
- Denial of service by overwriting the shared memory segments of cygwin
- Data disclosure about processes of another user by reading shared memory segments
- Other security issues

Thanks for your help,
andrea

[0] cvs rev 1.1 of winsup/doc/how-api.texinfo
[1] http://cygwin.com/faq/faq.api.html#faq.api.secure
[2] http://cygwin.com/cygwin-ug-net/highlights.html#ov-hi-perm
[3] http://www.cygwin.com/ml/cygwin/2002-12/msg01457.html