Mail Archives: cygwin/2016/02/18/12:10:59

X-Recipient: archive-cygwin AT delorie DOT com
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-0.9 required=5.0 tests=AWL,BAYES_50,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2 spammy=Hx-languages-length:735, spilling, msg00023.html, persists
X-HELO: mail-lb0-f174.google.com
MIME-Version: 1.0
X-Received: by 10.112.151.134 with SMTP id uq6mr3117268lbb.18.1455815436959; Thu, 18 Feb 2016 09:10:36 -0800 (PST)
In-Reply-To: <20160218151257.GA14838@calimero.vinschen.de>
References: <CANnLRdhVrFcveO_jKb3_x=44WMJNO33DPnsJZ12Wus3U7Wo_fQ AT mail DOT gmail DOT com> <019e01d163c2$d678c7e0$836a57a0$@comcast.net> <023901d165e4$925507d0$b6ff1770$@comcast.net> <87d1s1c8ld DOT fsf AT Rainer DOT invalid> <CACoZoo3R4CDcgTMMex9QZ=Wh9a8CDvyUHpqj5+Br5xYFvGHvuQ AT mail DOT gmail DOT com> <87a8n38t3r DOT fsf AT Rainer DOT invalid> <CACoZoo3831x0PVOQ9j6zh+Q4EE4-LFNV7KQsgeyooPJmvM7qVA AT mail DOT gmail DOT com> <20160215121101 DOT GC7085 AT calimero DOT vinschen DOT de> <003801d1693f$6a5d71a0$3f1854e0$@comcast.net> <20160217094335 DOT GA5722 AT calimero DOT vinschen DOT de> <20160218151257 DOT GA14838 AT calimero DOT vinschen DOT de>
Date: Thu, 18 Feb 2016 12:10:36 -0500
Message-ID: <CACoZoo2RCR8Eo6sGdD+5BEErEQ7xg0t9bij1_c9YdegV-GD_pQ@mail.gmail.com>
Subject: Re: Possible Security Hole in SSHD w/ CYGWIN?
From: Erik Soderquist <ErikSoderquist AT gmail DOT com>
To: cygwin AT cygwin DOT com
X-IsSubscribed: yes

On Thu, Feb 18, 2016 at 10:12 AM, Corinna Vinschen wrote:
<snip>
> I implemented and tested the idea and it seems to work.  Note that the
> underlying problem that we can't generate our own login session when using
> method 1 persists.  However, the new code should avoid spilling cyg_server
> credentials into the user session.
>
> Please give the new Cygwin test release 2.5.0-0.4
> (https://cygwin.com/ml/cygwin-announce/2016-02/msg00023.html) a try.

I've installed the test release and am no longer able to reproduce the
issue; I get the expected "access denied" on all network shares as I
should on this test account.  (pub key auth, no password stored with
"passwd -R")

:)

-- Erik
