Date: Tue, 10 Jul 2001 17:22:16 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: inetd security issues
Message-ID: <20010710172216.S8578@cygbert.vinschen.de>
In-Reply-To: <5.0.2.1.0.20010710214050.00ad6308@mail.sprintsoft.com>; from carl@msti.com.au on Tue, Jul 10, 2001 at 09:40:53PM +1000

On Tue, Jul 10, 2001 at 09:40:53PM +1000, Carl Masens wrote:
> In wanting to run the inetd ftp server on my cygwin/win2k box I have had
> the following exchange with my admin:
>
> me:
> What have I got installed (I hear you thinking)? I have installed Cygwin
> (http://www.cygwin.com) and run the inetd application, having removed all
> entries but specific user accounts from /etc/passwd except the SYSTEM and
> ADMINISTRATORS.
>
> admin:
> Seeing as you're using inetd, I presume it leaves ports open for access?
> Which ports are open? This is more relevant than enabling or disabling user
> accounts, as most attacks involve vulnerabilities in software listening on
> a particular port. How open to buffer overruns is Cygwin? What I'm getting
> at is will a buffer overrun just crash the program/API/OS or will it allow
> code to be executed locally as SYSTEM or ADMINISTRATOR?
>
> so, can anyone answer these questions from my admin?

Using Cygwin is not secure at all.

If you or your admin has honest security concerns don't open up
the system by providing services via inetd.

A better way to access your system is an sshd which runs under
a non-privileged user account using public key authentication.
Even if somebody finds a hole in OpenSSH, using the non-privileged
account prevents a hacker from getting admin access on that machine.
The system is then as secure as you are handling your private
key file.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
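
An added example (not part of the original mail, and not Cygwin or OpenSSH code): a small Python audit for the setup recommended above. It checks that the effective global settings in an sshd_config allow public key logins and refuse password logins, and that a private key file is not accessible to group or other. The keyword mapping, the sample config and the POSIX permission check are assumptions of this example.

```python
import os
import re
import stat

# Constructed sample (not from the mail). sshd keeps the FIRST value it reads
# for a keyword, so the later "PasswordAuthentication no" never takes effect.
SAMPLE_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

# Assumed mapping of the mail's advice onto OpenSSH keywords.
REQUIRED = {"pubkeyauthentication": "yes", "passwordauthentication": "no"}
# OpenSSH defaults, used when a keyword is absent from the file.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes"}
LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.+)$")  # "Key value" or "Key=value"

def effective_settings(config_text):
    """Global keyword -> value map, honouring sshd's first-value-wins rule."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = None if line.startswith("#") else LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip('"').lower()
        if key == "match":  # conditional blocks are outside this check
            break
        seen.setdefault(key, value)
    return {k: seen.get(k, d) for k, d in DEFAULTS.items()}

def config_findings(config_text):
    """List every required setting whose effective value differs."""
    eff = effective_settings(config_text)
    return [f"{k} is {eff[k]}, want {v}" for k, v in REQUIRED.items() if eff[k] != v]

def key_file_findings(path):
    """Flag a private key that group or other users can access (POSIX modes)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [f"{path}: mode {mode:o} lets group/other access the key"] if mode & 0o077 else []

if __name__ == "__main__":
    print(config_findings(SAMPLE_CONFIG))
```

The sample config is flagged even though it contains "PasswordAuthentication no", because the earlier "yes" is the value sshd uses.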