X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:reply-to:from:to:references:in-reply-to :subject:date:message-id:mime-version:content-type :content-transfer-encoding; q=dns; s=default; b=f2eGdtk4RbWVcW3M jK2M0eWkSCKJV0zfYt/y2efXcvsgswRShQQwmwNuZq+1x8Sgi2U5pNHQQt0kruyf +KoVqhXiceNdlA24ZBSGKiGIO9Szv9vOfi925K0QVNZUe/7g91IZRw5As0vUPMyN AKWDnHRcUui1uayh/CwDBanlf8Y= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:reply-to:from:to:references:in-reply-to :subject:date:message-id:mime-version:content-type :content-transfer-encoding; s=default; bh=b2z23nToqWfo454G5UDjWu rT2zM=; b=IzxpYZlX0H/3mJVw15iBNOOIBmryEBnw6Aha2SWjOen6CGip8Ar+bL yATQX9S7+EWaFXaZPJCfCx0eXQl5ct5Zkh0RFpBF93gW+8R5M1x45J9GNT3AhmMP eDy0A9HKQ4IdTnfeuzdY2m26AZRUEiwxj9085jh4LM2VMyT/yzXzE= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=4.2 required=5.0 tests=AWL,BAYES_20,CYGWIN_OWNER_BODY,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RP_MATCHES_RCVD,SPF_PASS autolearn=no version=3.3.2 spammy=bla, refering, Hx-languages-length:2440, H*UA:Outlook X-HELO: resqmta-ch2-08v.sys.comcast.net Reply-To: From: "David Willis" To: References: <019e01d163c2$d678c7e0$836a57a0$@comcast.net> <023901d165e4$925507d0$b6ff1770$@comcast.net> <87d1s1c8ld DOT fsf AT Rainer DOT invalid> <87a8n38t3r DOT fsf AT Rainer DOT invalid> <20160215121101 DOT GC7085 AT calimero DOT vinschen DOT de> <003801d1693f$6a5d71a0$3f1854e0$@comcast.net> <20160217094335 DOT GA5722 AT calimero DOT vinschen DOT de> <20160218151257 DOT GA14838 AT calimero DOT vinschen DOT de> In-Reply-To: <20160218151257.GA14838@calimero.vinschen.de> Subject: RE: Possible Security Hole in SSHD w/ CYGWIN? Date: Sat, 20 Feb 2016 11:53:46 -0800 Message-ID: <004801d16c18$699f7d90$3cde78b0$@comcast.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-IsSubscribed: yes Hey, sorry I haven't had a chance to check in on this the last couple days Thanks so much Corinna for implementing your idea in the new test release - I haven't had a chance to test it yet but it sounds like it works as expected. I really appreciate you taking the time to implement a fix for this. David -----Original Message----- From: cygwin-owner AT cygwin DOT com [mailto:cygwin-owner AT cygwin DOT com] On Behalf Of Corinna Vinschen Sent: Thursday, February 18, 2016 7:13 AM To: cygwin AT cygwin DOT com Subject: Re: Possible Security Hole in SSHD w/ CYGWIN? On Feb 17 10:43, Corinna Vinschen wrote: > On Feb 16 20:55, David Willis wrote: > > First let me say that I'm not too well-versed in coding and the ins > > and outs of how processes utilize credentials when they are spawned. > > However, the jist of it seems to be that if there are no credentials > > saved with passwd -R to replace the current user token with that of > > the user that is SSH'd in, then there is no way to change that token > > at all (or get rid of it) meaning the token used when accessing a > > share will stay as the token of the caller - namely cyg_server? > > Please correct me if I'm way off-base but that seems to be my interpretation of this. > > It's wrong, but it's not easy to grok how this all works under the hood. > First of all, refering to > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview, > only method 1 should be affected. > [bla, bla] > > If that is the case, it seems this is an unintended side effect of > > the way CYGWIN and sshd work together, and with the current state of > > Windows there isn't really a way around it. > > There might be a way around that. I have a vague idea what to do to > create a new logon session, even when creating the token from scratch > per method 1, which would not share the network credentials of the > caller. But it's just that yet, an idea. I implemented and tested the idea and it seems to work. Note that the underlying problem that we can't generate our own login session when using method 1 persists. However, the new code should avoid spilling cyg_server credentials into the user session. Please give the new Cygwin test release 2.5.0-0.4 (https://cygwin.com/ml/cygwin-announce/2016-02/msg00023.html) a try. Thanks, Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple