X-Spam-Check-By: sourceware.org
Date: Fri, 2 Dec 2005 14:03:49 +0100
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: multi user environment security due shared memory
Message-ID: <20051202130349.GR2999@calimero.vinschen.de>
Reply-To: cygwin@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
References: <4390418A.4080000@adnovum.ch>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4390418A.4080000@adnovum.ch>
User-Agent: Mutt/1.4.2i
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
Precedence: bulk
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie.com@cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Delivered-To: mailing list cygwin@cygwin.com

On Dec  2 13:43, andrea wrote:
> Hi all,
> 
> Our company is looking at some security properties of cygwin. We want to 
> run a daemon like sshd in a multi user environment with cygrunsrv.
> 
> There was an entry [0] in your FAQ from 2000/09/13 that cygwin is not 
> secure in a multi user environment. This entry was replaced this year 
> [1], that as of 1.5.13 you are not aware of any feature to gain more 
> privileges than you have under Windows. For my understanding is this 
> newest FAQ entry in contrast to what you write in your user guide [2] 
> about the use of shared memory in your 'kernel'. There you write
> "...it does constitute a security hole...".
> 
> 
> I was not able to find any recent discussion about this topic on this 
> list (there was one in 2002 [3]). Is there some documentation describing 
> the shared memory segments accessible by all cygwin users?
> 
> What is the current status of the following security threats and how 
> would you rate security when running sshd in a multi user environment.
> 
>  -Code execution in the context of an other user
>  -Denial of service by overwriting the shared memory segments
>   of cygwin
>  -Data disclosure about processes of an other user by reading
>   shared memory segments
>  -Other security issues

We're not aware of security implications, but we don't give any
guarantee either and there's no such thing as a security survey
for Cygwin.  If that's not sufficient for your company, feel
free to contact Red Hat for a support contract which could cover
are more detailed analysis, http://www.redhat.com/software/cygwin/


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/