X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:from:to:references:in-reply-to
	:subject:date:message-id:mime-version:content-type
	:content-transfer-encoding; q=dns; s=default; b=f2eGdtk4RbWVcW3M
	jK2M0eWkSCKJV0zfYt/y2efXcvsgswRShQQwmwNuZq+1x8Sgi2U5pNHQQt0kruyf
	+KoVqhXiceNdlA24ZBSGKiGIO9Szv9vOfi925K0QVNZUe/7g91IZRw5As0vUPMyN
	AKWDnHRcUui1uayh/CwDBanlf8Y=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:from:to:references:in-reply-to
	:subject:date:message-id:mime-version:content-type
	:content-transfer-encoding; s=default; bh=b2z23nToqWfo454G5UDjWu
	rT2zM=; b=IzxpYZlX0H/3mJVw15iBNOOIBmryEBnw6Aha2SWjOen6CGip8Ar+bL
	yATQX9S7+EWaFXaZPJCfCx0eXQl5ct5Zkh0RFpBF93gW+8R5M1x45J9GNT3AhmMP
	eDy0A9HKQ4IdTnfeuzdY2m26AZRUEiwxj9085jh4LM2VMyT/yzXzE=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=4.2 required=5.0 tests=AWL,BAYES_20,CYGWIN_OWNER_BODY,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RP_MATCHES_RCVD,SPF_PASS autolearn=no version=3.3.2 spammy=bla, refering, Hx-languages-length:2440, H*UA:Outlook
X-HELO: resqmta-ch2-08v.sys.comcast.net
Reply-To: <cygwin AT cygwin DOT com>
From: "David Willis" <david_willis AT comcast DOT net>
To: <cygwin AT cygwin DOT com>
References: <CANnLRdhVrFcveO_jKb3_x=44WMJNO33DPnsJZ12Wus3U7Wo_fQ AT mail DOT gmail DOT com> <019e01d163c2$d678c7e0$836a57a0$@comcast.net> <023901d165e4$925507d0$b6ff1770$@comcast.net> <87d1s1c8ld DOT fsf AT Rainer DOT invalid> <CACoZoo3R4CDcgTMMex9QZ=Wh9a8CDvyUHpqj5+Br5xYFvGHvuQ AT mail DOT gmail DOT com> <87a8n38t3r DOT fsf AT Rainer DOT invalid> <CACoZoo3831x0PVOQ9j6zh+Q4EE4-LFNV7KQsgeyooPJmvM7qVA AT mail DOT gmail DOT com> <20160215121101 DOT GC7085 AT calimero DOT vinschen DOT de> <003801d1693f$6a5d71a0$3f1854e0$@comcast.net> <20160217094335 DOT GA5722 AT calimero DOT vinschen DOT de> <20160218151257 DOT GA14838 AT calimero DOT vinschen DOT de>
In-Reply-To: <20160218151257.GA14838@calimero.vinschen.de>
Subject: RE: Possible Security Hole in SSHD w/ CYGWIN?
Date: Sat, 20 Feb 2016 11:53:46 -0800
Message-ID: <004801d16c18$699f7d90$3cde78b0$@comcast.net>
MIME-Version: 1.0
Content-Type: text/plain;	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes

Hey, sorry I haven't had a chance to check in on this the last couple days

Thanks so much Corinna for implementing your idea in the new test release -
I haven't had a chance to test it yet but it sounds like it works as
expected. I really appreciate you taking the time to implement a fix for
this.

David

-----Original Message-----
From: cygwin-owner AT cygwin DOT com [mailto:cygwin-owner AT cygwin DOT com] On Behalf Of
Corinna Vinschen
Sent: Thursday, February 18, 2016 7:13 AM
To: cygwin AT cygwin DOT com
Subject: Re: Possible Security Hole in SSHD w/ CYGWIN?

On Feb 17 10:43, Corinna Vinschen wrote:
> On Feb 16 20:55, David Willis wrote:
> > First let me say that I'm not too well-versed in coding and the ins 
> > and outs of how processes utilize credentials when they are spawned. 
> > However, the jist of it seems to be that if there are no credentials 
> > saved with passwd -R to replace the current user token with that of 
> > the user that is SSH'd in, then there is no way to change that token 
> > at all (or get rid of it) meaning the token used when accessing a 
> > share will stay as the token of the caller - namely cyg_server? 
> > Please correct me if I'm way off-base but that seems to be my
interpretation of this.
> 
> It's wrong, but it's not easy to grok how this all works under the hood.
> First of all, refering to
> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview, 
> only method 1 should be affected.
> [bla, bla]
> > If that is the case, it seems this is an unintended side effect of 
> > the way CYGWIN and sshd work together, and with the current state of 
> > Windows there isn't really a way around it.
> 
> There might be a way around that.  I have a vague idea what to do to 
> create a new logon session, even when creating the token from scratch 
> per method 1, which would not share the network credentials of the 
> caller.  But it's just that yet, an idea.

I implemented and tested the idea and it seems to work.  Note that the
underlying problem that we can't generate our own login session when using
method 1 persists.  However, the new code should avoid spilling cyg_server
credentials into the user session.

Please give the new Cygwin test release 2.5.0-0.4
(https://cygwin.com/ml/cygwin-announce/2016-02/msg00023.html) a try.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple