Date: Sat, 8 Dec 2001 12:23:34 +0100
From: Corinna Vinschen
To: "'cygwin AT cygwin DOT com'"
Subject: Re: bash/rlogin can get user id different from NT login.
Message-ID: <20011208122334.X740@cygbert.vinschen.de>

On Fri, Dec 07, 2001 at 05:20:58PM -0500, Fletcher, Bob (GEAE, EB&TS) wrote:
> Hello,
> Consider the following passwd under cygwin: (1.3.)
>
> user1:This_field_is_not_used_by_cygwin_on_nt/2000/xp:1001:513:User One:/home/user1:/bin/bash
> user2:This_field_is_not_used_by_cygwin_on_nt/2000/xp:1001:513:User Two:/home/user2:/bin/bash
>
> Note that user1 and user2 two have the same UID. (!)
> If I log in to W2000 as user2, and start bash, it thinks that I am user1.
> If user1 was silly enough to
>
> myhosthame user1
> or god forbid
> + user1
>
> in a Unix .rhosts file, I will have access to that account.

That's a problem of rhosts authentication.  It's a wide open security
leak.  Better use ssh with password or pubkey authentication.

>
> I suppose that the simple answer is "don't do that!".  You have to keep
                                       ^^^^^^^^^^^^^^
Yep.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
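
An added example, not part of the original message or of Cygwin: a Python check that parses passwd-format text, reports every UID claimed by more than one login name, and shows which name a UID-to-name lookup returns. The function names and sample text are constructed for illustration, and the first-match lookup is an assumption that models the behaviour described in the message (bash reporting user1 when user2 logs in).

```python
from collections import OrderedDict

# Constructed sample in passwd format, mirroring the two entries quoted above.
SAMPLE_PASSWD = """\
# comment lines and blank lines are skipped
user1:unused:1001:513:User One:/home/user1:/bin/bash
user2:unused:1001:513:User Two:/home/user2:/bin/bash
user3:unused:1002:513:User Three:/home/user3:/bin/bash
broken-line-without-enough-fields
"""


def parse_passwd(text):
    """Yield (name, uid) for every well-formed passwd line, in file order."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # passwd format: name:passwd:uid:gid:gecos:home:shell
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # malformed entry, ignored by this check
        yield fields[0], int(fields[2])


def duplicate_uids(text):
    """Return {uid: [names...]} for every UID claimed by more than one name."""
    by_uid = OrderedDict()
    for name, uid in parse_passwd(text):
        by_uid.setdefault(uid, []).append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def name_for_uid(text, uid):
    """First-match UID-to-name lookup (assumed model, see lead-in)."""
    for name, entry_uid in parse_passwd(text):
        if entry_uid == uid:
            return name
    return None


if __name__ == "__main__":
    for uid, names in duplicate_uids(SAMPLE_PASSWD).items():
        print(f"UID {uid} shared by {', '.join(names)}; "
              f"lookup resolves to {name_for_uid(SAMPLE_PASSWD, uid)}")
```

Any UID this reports means the accounts listed are indistinguishable to anything that identifies users by UID, which is why a `.rhosts` entry naming one of them effectively trusts all of them.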