Message-ID: | <cb51e2e0601262102l35e39bbag892c8ed34feabd97@mail.gmail.com> |
Date: | Thu, 26 Jan 2006 21:02:45 -0800 |
From: | Joshua Daniel Franklin <joshuadfranklin AT gmail DOT com> |
To: | cygwin AT cygwin DOT com |
Subject: | Re: multi user environment security due shared memory |
In-Reply-To: | <20051202130349.GR2999@calimero.vinschen.de> |
MIME-Version: | 1.0 |
References: | <4390418A DOT 4080000 AT adnovum DOT ch> <20051202130349 DOT GR2999 AT calimero DOT vinschen DOT de> |

On 12/2/05, Corinna Vinschen wrote:
> On Dec 2 13:43, andrea wrote:
> > What is the current status of the following security threats and how
> > would you rate security when running sshd in a multi user environment.
> >
> > -Code execution in the context of another user
> > -Denial of service by overwriting the shared memory segments
> >  of cygwin
> > -Data disclosure about processes of another user by reading
> >  shared memory segments
> > -Other security issues
>
> We're not aware of security implications, but we don't give any
> guarantee either and there's no such thing as a security survey
> for Cygwin. If that's not sufficient for your company, feel
> free to contact Red Hat for a support contract which could cover
> a more detailed analysis, http://www.redhat.com/software/cygwin/
>

This is a little old, but I've updated
http://cygwin.com/cygwin-ug-net/highlights.html#ov-hi-perm
with the following (important bits from
http://cygwin.com/faq/faq.api.html#faq.api.secure ):

<blockquote>
Under Windows NT, users with Administrator rights are permitted to
chown files. With version 1.1.3 Cygwin introduced a mechanism for
setting real and effective UIDs under Windows NT/W2K. This is
described in the section called "NT security and usage of ntsec". As
of version 1.5.13, the Cygwin developers are not aware of any feature
in the Cygwin DLL that would allow users to gain privileges or to
access objects to which they have no rights under Windows. However
there is no guarantee that Cygwin is as secure as the Windows it runs
on. Cygwin processes share some variables and are thus easier targets
of denial of service type of attacks.
</blockquote>

--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/