This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

RE: Possible Security Hole in SSHD w/ CYGWIN?


Hey, sorry I haven't had a chance to check in on this the last couple days

Thanks so much Corinna for implementing your idea in the new test release -
I haven't had a chance to test it yet but it sounds like it works as
expected. I really appreciate you taking the time to implement a fix for
this.

David

-----Original Message-----
From: cygwin-owner@cygwin.com [mailto:cygwin-owner@cygwin.com] On Behalf Of
Corinna Vinschen
Sent: Thursday, February 18, 2016 7:13 AM
To: cygwin@cygwin.com
Subject: Re: Possible Security Hole in SSHD w/ CYGWIN?

On Feb 17 10:43, Corinna Vinschen wrote:
> On Feb 16 20:55, David Willis wrote:
> > First let me say that I'm not too well-versed in coding and the ins 
> > and outs of how processes utilize credentials when they are spawned. 
> > However, the jist of it seems to be that if there are no credentials 
> > saved with passwd -R to replace the current user token with that of 
> > the user that is SSH'd in, then there is no way to change that token 
> > at all (or get rid of it) meaning the token used when accessing a 
> > share will stay as the token of the caller - namely cyg_server? 
> > Please correct me if I'm way off-base but that seems to be my
interpretation of this.
> 
> It's wrong, but it's not easy to grok how this all works under the hood.
> First of all, refering to
> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview, 
> only method 1 should be affected.
> [bla, bla]
> > If that is the case, it seems this is an unintended side effect of 
> > the way CYGWIN and sshd work together, and with the current state of 
> > Windows there isn't really a way around it.
> 
> There might be a way around that.  I have a vague idea what to do to 
> create a new logon session, even when creating the token from scratch 
> per method 1, which would not share the network credentials of the 
> caller.  But it's just that yet, an idea.

I implemented and tested the idea and it seems to work.  Note that the
underlying problem that we can't generate our own login session when using
method 1 persists.  However, the new code should avoid spilling cyg_server
credentials into the user session.

Please give the new Cygwin test release 2.5.0-0.4
(https://cygwin.com/ml/cygwin-announce/2016-02/msg00023.html) a try.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]