Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
From: günter strubinsky
Subject: FW: disable access to /cygdrive/c ?
Date: Sat, 15 Mar 2003 19:41:05 -0600

Oops! Wrong button! There are soooo many!

günter strubinsky
Tel: 402.212.0196

> -----Original Message-----
> From: günter strubinsky [mailto:strubinsky AT acm DOT org]
> Sent: Saturday, March 15, 2003 6:51 PM
> To: 'roland'
> Subject: RE: disable access to /cygdrive/c ?
>
> To go below root requires 'hacker intention' and since cygwin is a shell
> around your OS including file security, you can't get more security than
> the original file system allows.
>
> Why would you want a fat32 filesystem in the first place? Your security is
> already infringed from the windows level; meaning: IF they want to hack
> your machine and couldn't under cygwin, they could under win.
>
> An option I could think of is make a virtual driveletter in windows
> pointing to the directory of your choice. Share that 'drive' only. Access
> either via win2k or cygwin is only possible down to the bare driveletter
> (which is actually a directory somewhere on your drive).
>
> If you assume malicious intent disconnect your computer. You don't want
> anybody in that case to access your /bin directory and replace system
> files.
>
> I think the solution is not a cygwin issue but a windows issue.
>
> Concluding: If you set a directory to a virtual drive letter and share
> this 'drive' it doesn't matter what OS wants to access the directory tree.
> They can't get below the drive letter even though the drive letter points
> to a directory of the nth level. Another approach is the DFS (Distributed
> File System) in which you can even combine directories from different
> machines on different drives into one virtual directory tree; it's
> failsafe (AD syncs your servers) and incompatible to other OSes which
> enhances security ;) . That means c:\cygwin could be changed to x:\ (the
> virtual drive pointing to c:\cygwin). There is no 'cd ..' below x:\ !
>
> According to what you wrote however, that someone should be able to
> 'do whatever he wants inside c:\cygwin' you should probably first make up
> your mind whether you trust this person or not. If you do, it's no issue,
> if you don't, there's always a way. Especially in fat32. I know of
> 'things' you can do also in ntfs that would get you run for an axe to
> lobotomize your network card off the box.
>
> günter strubinsky
>
> Tel: 402.212.0196
>
> > -----Original Message-----
> > From: cygwin-owner AT cygwin DOT com [mailto:cygwin-owner AT cygwin DOT com] On Behalf
> > Of roland
> > Sent: Saturday, March 15, 2003 12:51 PM
> > To: cygwin AT cygwin DOT com
> > Subject: disable access to /cygdrive/c ?
> >
> > Hello,
> >
> > is there a way to completely disable access to paths below /cygdrive ?
> > i.e. to make /cygdrive/* invisible/inaccessible ?
> >
> > I have set up sshd on my machine and now some developer can ssh into my
> > machine and help me with developing stuff under cygwin.
> > He can do what he wants inside c:\cygwin - but he shouldn't be able to
> > access other paths. Is it possible that I can hide that from him ?
> > Sure, I could set appropriate ntfs acls - but what if I have a fat32 based
> > filesystem?
> >
> > regards
> > Roland
> >
> > PS:
> > sure - this may not be bullet proof since he can execute code on my
> > computer - but at least it is not too simple and needs "hacker intention".
> >
> > --
> > Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
> > Bug reporting: http://cygwin.com/bugs.html
> > Documentation: http://cygwin.com/docs.html
> > FAQ: http://cygwin.com/faq/