Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
X-Lotus-FromDomain: JPMORGAN AT SMTP
From: "Noel L Yap"
To: cygwin AT cygwin DOT com
cc: cygwin AT cygwin DOT com, joetesta AT hushmail DOT com
Message-ID: <85256A54.00486700.00@nyc-ntgw-n01.ny.jpmorgan.com>
Date: Tue, 22 May 2001 09:10:43 -0400
Subject: Re: The security of OpenSSH with cygwin.
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Content-Disposition: inline

Will just using the SSH client open you up to attacks?

Thanks,
Noel


On Tue, May 22, 2001 at 09:35:22AM +1000, Robert Collins wrote:
>Egor Duda has spent some time researching security aspects of cygwin
>(and patching as he goes). So he's a more authoritative source.
>
>I know of at least one showstopper: It's currently possible for any
>cygwin process to get a win32 handle with full access rights to any
>other cygwin process. See the archives of the developer list for more
>detail. (search on daemon - Egor has proposed a daemon to resolve the
>issue).

Right.  I cannot emphasize strongly enough that Cygwin is NOT A SECURE
ENVIRONMENT.  Do NOT trust it with sensitive data.  It is trivially
easy to hack.

cgf

>> -----Original Message-----
>> From: joetesta AT hushmail DOT com [mailto:joetesta AT hushmail DOT com]
>> Sent: Tuesday, May 22, 2001 1:10 PM
>> To: bugtraq AT securityfocus DOT com; cygwin AT cygwin DOT com
>> Subject: The security of OpenSSH with cygwin.
>>
>>
>> ----- Begin Hush Signed Message from joetesta AT hushmail DOT com -----
>>
>> Hi --
>>
>> I am about to undertake a project using OpenSSH with
>> cygwin (http://www.cygwin.com/).
>> Before doing so, I would like to ask if there is anyone who
>> has done any
>> security research on this combination already.
>> I have never seen any advisories on the BUGTRAQ mailing
>> list, and this
>> makes me a little uneasy (generally, I don't trust software
>> that hasn't
>> had at least one security fix in its history, unless I am its
>> author =]
>> ). I have been trained enough to realize that complexity is
>> security's
>> enemy, and using the cygwin library to wrap the UNIX API with
>> the Windows
>> API definitely makes things more complex.
>> So, I'd like to know how many people have *at least
>> tried* to find holes
>> in an OpenSSH-cygwin combo. I think I would feel a little
>> better if I know
>> that an honest attempt was made. Thanks in advance.
>>
>>
>> - Joe Testa
>>
>> e-mail: joetesta AT hushmail DOT com
>> web page: http://hogs.rit.edu/~joet
>> AIM: LordSpankatron
>>
>>
>> ----- Begin Hush Signature v1.3 -----
>> Eb5nyu04VZj5/7cmeklvZ79BqUGto/ln3c8Cy4H5R2EsgxhXqTwbDxpszhCGF/+6BrJ/
>> oYY1nBWSKT97BDy017HHfWt0JBhZy4wfP9VbqmRzFx2QAJr6dVS9VRf9/5DWVM4+7SSX
>> 6vZvBPiygdYujzlDmEIrziP9PGXL8+/fRj98pgGE53uKc9yIcDKmef1Uf1q7z5pPy8O7
>> PE+IRCtF7jUtr4PTOV935d9499lXvM547MDvvx4394WDskG8prKyYaE9uZKc1wzCA0ob
>> z7Gvhz4i9jAZIXXJ+m8Z4EU3n9gLpy/gz25grXO7ktH54ZEDdmQ25j3za+bIFCZ3u93w
>> VbbYxKO6rQOjvPWTatcPHGC6TwBh+JxIEoVlLMVyIbjncamNL4Xd3odpcyd4Ukn6bItU
>> sUnVLMIV6AaB693fKmrw30nywV6fKtrQbmr6appLvByCzXbS7X2DMrvLeL+dbODTTDSo
>> eajwTcTPS5LdU8ZeDVs9rLnTC4HFRVFTaUwk1w34DWHN
>> ----- End Hush Signature v1.3 -----
>>
>>
>> This message has been signed with a Hush Digital Signature.
>> To verify the signature, please go to www.hush.com/tools
>>
>>
>> Free, encrypted, secure Web-based email at www.hushmail.com
>>
>
>--
>Want to unsubscribe from this list?
>Check out: http://cygwin.com/ml/#unsubscribe-simple

--
cgf AT cygnus DOT com                        Red Hat, Inc.
http://sources.redhat.com/                 http://www.redhat.com/