This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: The security of OpenSSH with cygwin.


On Tue, May 22, 2001 at 09:35:22AM +1000, Robert Collins wrote:
>Egor Duda has spent some time researching security aspects of cygwin
>(and patching as he goes). So he's a more authoritative source.
>
>I know of at least one showstopper: It's currently possible for any
>cygwin process to get a win32 handle with full access rights to any
>other cygwin process. See the archives of the developer list for more
>detail. (search on daemon - Egor has proposed a daemon to resolve the
>issue).

Right.  I cannot emphasize strongly enough that Cygwin is NOT A SECURE
ENVIRONMENT.  Do NOT trust it with sensitive data.  It is trivially
easy to hack.

cgf

>> -----Original Message-----
>> From: joetesta@hushmail.com [mailto:joetesta@hushmail.com]
>> Sent: Tuesday, May 22, 2001 1:10 PM
>> To: bugtraq@securityfocus.com; cygwin@cygwin.com
>> Subject: The security of OpenSSH with cygwin.
>> 
>> 
>> ----- Begin Hush Signed Message from joetesta@hushmail.com -----
>> 
>> Hi --
>> 
>>     I am about to undertake a project using OpenSSH with
>> cygwin (http://www.cygwin.com/).  Before doing so, I would like
>> to ask if there is anyone who has done any security research on
>> this combination already.
>>     I have never seen any advisories on the BUGTRAQ mailing list,
>> and this makes me a little uneasy (generally, I don't trust
>> software that hasn't had at least one security fix in its
>> history, unless I am its author =] ).  I have been trained enough
>> to realize that complexity is security's enemy, and using the
>> cygwin library to wrap the UNIX API with the Windows API
>> definitely makes things more complex.
>>     So, I'd like to know how many people have *at least tried* to
>> find holes in an OpenSSH-cygwin combo.  I think I would feel a
>> little better if I know that an honest attempt was made.  Thanks
>> in advance.
>> 
>> 
>>     - Joe Testa
>> 
>> e-mail:   joetesta@hushmail.com
>> web page: http://hogs.rit.edu/~joet
>> AIM:      LordSpankatron
>> 
>> 
>> 
>> 
>> This message has been signed with a Hush Digital Signature. 
>> To verify the signature, please go to www.hush.com/tools
>> 
>> 
>> 
>
>--
>Want to unsubscribe from this list?
>Check out: http://cygwin.com/ml/#unsubscribe-simple

-- 
cgf@cygnus.com                        Red Hat, Inc.
http://sources.redhat.com/            http://www.redhat.com/


