Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com X-Authentication-Warning: slinky.cs.nyu.edu: pechtcha owned process doing -bs Date: Fri, 24 Jan 2003 11:36:11 -0500 (EST) From: Igor Pechtchanski Reply-To: cygwin AT cygwin DOT com To: jim DOT a DOT davidson AT bt DOT com cc: cygwin AT cygwin DOT com Subject: Re: cygwin1.dll In-Reply-To: Message-ID: Importance: Normal MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII On Fri, 24 Jan 2003 jim DOT a DOT davidson AT bt DOT com wrote: > Sirs, > We are proposing to use the Red Hat OpenSSH package on our NT/W2K servers > but some concerns > have been raised re. the Cygwin1.dll shared memory vulnerability. > As the only Cygwin application running on these machines will be OpenSSH I > am not sure how > significant a risk may exist. > Can you please explain how this vulnerabilty could be exploited so that we > can determine > what if any counter measures we could deploy. > Thanks. Jim, I'd like to correct one misconception in your message. You said that OpenSSH (I assume you mean sshd) will be "the only Cygwin application running on these machines". However, any time a user logs on, sshd will spawn a shell, and that will spawn whatever other applications the user runs. Some of them will most certainly be Cygwin applications. Igor -- http://cs.nyu.edu/~pechtcha/ |\ _,,,---,,_ pechtcha AT cs DOT nyu DOT edu ZZZzz /,`.-'`' -. ;-;;,_ igor AT watson DOT ibm DOT com |,4- ) )-,_. ,\ ( `'-' Igor Pechtchanski '---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow! Oh, boy, virtual memory! Now I'm gonna make myself a really *big* RAMdisk! -- /usr/games/fortune -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Bug reporting: http://cygwin.com/bugs.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/