Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Delivered-To: mailing list cygwin@cygwin.com X-Authentication-Warning: slinky.cs.nyu.edu: pechtcha owned process doing -bs Date: Fri, 24 Jan 2003 11:36:11 -0500 (EST) From: Igor Pechtchanski Reply-To: cygwin@cygwin.com To: jim.a.davidson@bt.com cc: cygwin@cygwin.com Subject: Re: cygwin1.dll In-Reply-To: Message-ID: Importance: Normal MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII On Fri, 24 Jan 2003 jim.a.davidson@bt.com wrote: > Sirs, > We are proposing to use the Red Hat OpenSSH package on our NT/W2K servers > but some concerns > have been raised re. the Cygwin1.dll shared memory vulnerability. > As the only Cygwin application running on these machines will be OpenSSH I > am not sure how > significant a risk may exist. > Can you please explain how this vulnerabilty could be exploited so that we > can determine > what if any counter measures we could deploy. > Thanks. Jim, I'd like to correct one misconception in your message. You said that OpenSSH (I assume you mean sshd) will be "the only Cygwin application running on these machines". However, any time a user logs on, sshd will spawn a shell, and that will spawn whatever other applications the user runs. Some of them will most certainly be Cygwin applications. Igor -- http://cs.nyu.edu/~pechtcha/ |\ _,,,---,,_ pechtcha@cs.nyu.edu ZZZzz /,`.-'`' -. ;-;;,_ igor@watson.ibm.com |,4- ) )-,_. ,\ ( `'-' Igor Pechtchanski '---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow! Oh, boy, virtual memory! Now I'm gonna make myself a really *big* RAMdisk! -- /usr/games/fortune -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Bug reporting: http://cygwin.com/bugs.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/