Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Message-ID: <41385446.8040703@corpit.ru>
Date: Fri, 03 Sep 2004 15:23:50 +0400
From: egor duda
To: Colin JN Breame
Cc: cygwin AT cygwin DOT com
Subject: Re: Locking down cygwin for security
In-Reply-To: <41385172.4040209@breame.com>

Colin JN Breame wrote:

> Is it possible to disable certain features to make cygwin secure over
> ssh such that the logged in user cannot:
>
> - cd into any /cygdrive drives
> - mount any local or UNC drives
>
> but still:
>
> - access a system wide mount to a local drive

You will gain little additional security by doing this. As long as you can't prevent the user from calling normal win32 applications (such as cmd.exe) and win32 APIs (like CreateFile ()) he will be able to access any drives on your system you're supposing to prevent him from. Your only gain will be a false sense of security.

The way to achieve real security is to set proper access rights for all files on all filesystems on your host and all other hosts this user can log into.

egor
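
One way to review the access rights the reply points to, as an added example that is not part of the original message: a PowerShell script that lists NTFS allow entries on each local drive root and its top-level folders for a given account and for the broad groups an ordinary login belongs to. The account name is a placeholder; the script assumes English-language principal names and does not expand the account's other group memberships.

```powershell
# Added example (not from the original thread): report which drive roots and
# top-level folders carry NTFS "Allow" entries for a restricted login or for
# broad groups that include it. Cygwin mount settings are irrelevant here;
# these ACLs are what Win32 programs such as cmd.exe are checked against.
param(
    [string]$Account = 'HOSTNAME\sshuser'   # hypothetical placeholder account
)

# Principals that implicitly cover an ordinary logged-in user
# (English names; localized Windows installs use different strings).
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$watch = $broad + $Account

$findings = foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    # Drive root plus its immediate subdirectories; drives without media
    # or without read access simply yield nothing.
    $dirs  = @(Get-Item -LiteralPath $drive.Root -ErrorAction SilentlyContinue)
    $dirs += @(Get-ChildItem -LiteralPath $drive.Root -Directory -Force -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        try   { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
        catch { continue }   # ACL not readable by the auditing account

        foreach ($ace in $acl.Access) {
            # -contains is case-insensitive, matching how Windows treats names.
            if ($ace.AccessControlType -eq 'Allow' -and
                $watch -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$findings | Sort-Object Path, Identity | Format-Table -AutoSize
```

Run it from an administrative session on each host the user can log into; any row for a path the user should not reach is an ACL to tighten.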