This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.
How secure is Cygwin in a multi-user environment?
- From: "Pierre A. Humblet" <Pierre dot Humblet at ieee dot org>
- To: cygwin-developers at cygwin dot com
- Cc: Joshua Daniel Franklin <joshuadfranklin at gmail dot comX>
- Date: Tue, 01 Mar 2005 21:33:21 -0500
- Subject: How secure is Cygwin in a multi-user environment?
The Cygwin FAQ contains the following entry:
*********
How secure is Cygwin in a multi-user environment?
Cygwin is not secure in a multi-user environment. For example, if you have a
long running daemon such as "inetd" running as admin while ordinary users
are logged in, or if you have a user logged in remotely while another user
is logged into the console, one cygwin client can trick another into running
code for it. In this way one user may gain the privilege of another cygwin
program running on the machine. This is because cygwin has shared state that
is accessible by all processes.
*********
This isn't up to date any more; the hole described above is now fixed.
So the entry should be updated. I suggest replacing it with the following:
How secure is Cygwin in a multi-user environment?
As of version 1.5.13, the Cygwin developers are not aware of any feature
in the cygwin dll that would allow users to gain privileges or to access
objects to which they have no rights under Windows.
Cygwin processes share some variables and are thus easier targets of
denial-of-service type attacks.
Not sure what to say, if anything, about cygserver.
Pierre