Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
Sender: cygwin-owner AT sourceware DOT cygnus DOT com
Delivered-To: mailing list cygwin AT sourceware DOT cygnus DOT com
Date: Sun, 16 Jan 2000 12:50:14 -0500
From: Chris Faylor
To: john AT thinman DOT com
Cc: cygwin AT sourceware DOT cygnus DOT com
Subject: Re: Security Documentation, SSH
Message-ID: <20000116125014.C23141@cygnus.com>
Reply-To: cygwin AT sourceware DOT cygnus DOT com
Mail-Followup-To: john AT thinman DOT com, cygwin AT sourceware DOT cygnus DOT com
References: <20000116151753 DOT 16092 DOT qmail AT web805 DOT mail DOT yahoo DOT com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20000116151753.16092.qmail@web805.mail.yahoo.com>; from john_van_v@yahoo.com on Sun, Jan 16, 2000 at 07:17:53AM -0800

On Sun, Jan 16, 2000 at 07:17:53AM -0800, John van V. wrote:
>> This is not going to happen. We understand the security vulnerabilities
>> of Cygwin very well. The security model is basically security through
>> obscurity which, I'm sure you are aware, is no security at all.
>
> But from what I read, it is an issue of using an NT box as a multiuser
> system. Now my post suggesting using the regular UNIX login system for
> SSH and limiting the box to a single user makes even more sense.
> Telnet could also be ported in this way.
>
>> Although, now that I think of it, if you're running any CGI scripts on
>> this theoretical web site then you are at risk since Cygwin's security
>> model is wide open to a craftily written perl script.
>
> Perl is equipped to solve these problems, if you know the language.
> You simply encapsulate the input to prevent it from being evaluated.
> The input structure, for instance, keeps scalars as elements of an
> array. Side effect or clever feature, I'm not sure...

If you know exactly what you are doing, and if you can severely limit access, you may be able to make any system secure. This does not mean that the underlying software (i.e., cygwin) is secure.

If I told you that you could drive my car but you needed to keep it below 40 MPH or it might explode, would you want to drive it? Would you consider it a safe machine since you understood the parameters for keeping it intact?

We're not going to advertise something as "secure if you know what you're doing". That would be ludicrous. What are the parameters for "knowing what you're doing"?

>> We would certainly consider changing this if a customer wanted to pay
>> for this work. It would be a very interesting project.
>
> I, for one, am getting a little tired of hearing this from your
> organization. I am founding a perl group which will not only preach to
> educators the cost effectiveness of our swiss-army-chain-saw, but teach
> business types as well, for free.
>
> And this w/o the support of our employers. You guys, on the other hand
> are rolling in dough, spending millions on NY apartments, etc, etc...

I have no idea what you're referring to. I don't live in New York. I live in a house with a mortgage. AFAIK, we've only got one NY employee and he has contributed more time to free software than anyone else I know.

I have to wonder if you are devoting your time so freely, why not devote a little of it to the Cygwin free software project? If you want something done, then dive right in and do it. I'll set up a mailing list for you if you want to do this. I'll set aside space on our web and ftp servers.

I, personally, however, don't feel like taking on this project as an after business hours venture right now. I will applaud you or anyone else who wants to consider doing it.

The bottom line is that neither I, nor Red Hat, is obligated to embark on a project simply because you think it is a nifty idea.

> Linux and the whole public s/w venue is a gift, but only if the given
> to keep on giving.

If you are going to imply something, why not come right out and say it? I have no idea what you're talking about. Are you implying that Red Hat has not given enough to the free software community? Are you saying Cygnus has not given enough? Are you implying that if you see a need in a free software project then the developers should immediately jump on it and give you what you need? Or is this just a lofty statement meant to inspire us towards greater effort towards working on Linux?

Hmm. How did Linux suddenly enter this equation?

> Consider this in the light that it is meant.

You have used phrases like "getting a little tired of hearing this", made unsubstantiated assertions of million dollar apartments, and discounted the years of contributions to the free software community that Cygnus and Red Hat have made.

So, I am considering this in *exactly* the light in which it was meant.

-Christopher Faylor
-Cygwin Engineering Manager
-Red Hat