Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <C5C45572D968D411A1B500D0B74FF4A80D70A3F0@xfc01.fc.hp.com>
From: "WARDEN,JON (HP-FtCollins,ex1)" <jon DOT warden AT hp DOT com>
To: "'cygwin AT cygwin DOT com'" <cygwin AT cygwin DOT com>
Subject: Single-user Cygwin for improved security under standalone use wit
	h OpenSSH
Date: Tue, 8 Jul 2003 18:39:40 -0400 
MIME-Version: 1.0
Content-Type: text/plain


We would like to use a Cgywin-based OpenSSH implementation
(http://lexa.mckenna.edu/sshwindows/)
for running tasks remotely on Windows (2000, XP) systems. The systems
involved would have this
OpenSSH distribution installed on them, but not a full Cygwin distribution.
The security issue
of non-administrators being able to open the named memory-mapped files used
by Cygwin (for example,
the pinfo class) is a concern, however.

We can live with the restriction of a single-user model, where tasks on the
target system can
only be run as a user in the Administrator group. In this situation it seems
to me that some
restrictions on the SECURITY_DESCRIPTORs used for CreateFileMapping() could
be made. To test 
this idea with a simple change, I changed early_init_stuff() in
exceptions.cc so set the
sec_all and sec_all_nih struct's lpSecurityDescriptor to NULL, just like the
sec_none struct 
is currently. 

Without this change I was able to OpenFileMapping() and MapViewOfFile() on
the pinfo memory-mapped
file as a non-administrator. With this change, I couldn't.

Now I am wondering, "Is restricting the SECURITY_DECRIPTORs for named
memory-mapped files a
reasonable way to close this vulnerability (given our willingness to settle
for single-user)?"

If it is, the next question is, "Is it good for anything else?" In a
multi-user Cygwin context, 
it seems unhelpful, but does it make sense to have a "single-user"
configuration of Cygwin
with improved security?

Jon Warden

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/