X-Recipient: archive-cygwin AT delorie DOT com X-Spam-Check-By: sourceware.org Message-ID: <493568B8.3010308@cygwin.com> Date: Tue, 02 Dec 2008 11:56:24 -0500 From: "Larry Hall (Cygwin)" Reply-To: cygwin AT cygwin DOT com User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.18) Gecko/20081120 Remi/2.0.0.18-1.fc8.remi Lightning/0.9 Thunderbird/2.0.0.18 Mnenhy/0.7.5.0 MIME-Version: 1.0 To: cygwin AT cygwin DOT com Subject: Re: Finally managed to create a jailed SFTP server, but how secure? References: <664060 DOT 6380 DOT qm AT web34704 DOT mail DOT mud DOT yahoo DOT com> <49341625 DOT 2090804 AT cygwin DOT com> <933558 DOT 98400 DOT qm AT web34705 DOT mail DOT mud DOT yahoo DOT com> <4934527E DOT 2070200 AT cygwin DOT com> <961872 DOT 64997 DOT qm AT web34701 DOT mail DOT mud DOT yahoo DOT com> In-Reply-To: <961872.64997.qm@web34701.mail.mud.yahoo.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com TheO wrote: > >> If you're happy with the results, that's fine. However, you asked how >> secure SFTP was. The answer is as I've said. Cygwin is not the O/S. >> It cannot enforce restrictions on the O/S. Only the O/S can restrict >> or grant access to users. >> > > Thanks Larry, > > The reason why Cygwin is ideal for me to provide SFTP service is that it > provides a free SFTP solution for Windows platform. My programmers come > from Windows world, they are more familiar with .NET than Unix but sometimes, > they are required to build a system featuring an SFTP server where our user > can upload his files to be processed by our .NET application and finally, > he download the response files from SFTP. Cygwin makes this possible in an > economic way. I understand. If SFTP under Cygwin fits your needs and you can live with the risks, then you should continue using it. I certainly don't understand your application or its requirements for communication but given your description above, it seems to me that 'scp' would serve your purpose and wouldn't rely on a limited 'chroot' capabilities. But I'm assuming you've already thought of that and have ruled it out for your own reasons. >> I have not attempted to set up a jailed SFTP environment on Cygwin. It >> may be that what you've done hems the user into the area you want when >> he/she is using Cygwin tools. However, this does not restrict the user >> with Windows native tools. If he/she is able to leverage those inside >> the jail, then the user has the keys he/she wants to get out. >> > > He might be able to upload "nasty" tools but What else could he possibly do > if he has access to only a restricted SFTP subsystem? Good question. A better one is are you willing to accept the risk? I also want to once again point out that "a restricted FTP subsystem" does not have all the same restrictions as it would in a UNIX/Linux environment. Only you can decide whether this difference is something you can live with. But in terms of security, Cygwin's SFTP is not as secure as UNIX/Linux versions with the full O/S support for 'chroot'. I'm not trying to talk you out of anything. I'm just answering your original question and providing you with the facts. It's up to you how you want to apply them to your situation. -- Larry Hall http://www.rfk.com RFK Partners, Inc. (508) 893-9779 - RFK Office 216 Dalton Rd. (508) 893-9889 - FAX Holliston, MA 01746 _____________________________________________________________________ A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting annoying in email? -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/