This is the mail archive of the
cygwin@cygwin.com
mailing list for the Cygwin project.
RE: The security of OpenSSH with cygwin.
- To: <joetesta at hushmail dot com>,<cygwin at cygwin dot com>
- Subject: RE: The security of OpenSSH with cygwin.
- From: "Robert Collins" <robert dot collins at itdomain dot com dot au>
- Date: Tue, 22 May 2001 09:35:22 +1000
Egor Duda has spent some time researching security aspects of cygwin
(and patching as he goes). So he's a more authoritative source.
I know of at least one showstopper: It's currently possible for any
cygwin process to get a win32 handle with full access rights to any
other cygwin process. See the archives of the developer list for more
detail. (search on daemon - Egor has proposed a daemon to resolve the
issue).
Rob
> -----Original Message-----
> From: joetesta@hushmail.com [mailto:joetesta@hushmail.com]
> Sent: Tuesday, May 22, 2001 1:10 PM
> To: bugtraq@securityfocus.com; cygwin@cygwin.com
> Subject: The security of OpenSSH with cygwin.
>
>
> Hi --
>
> I am about to undertake a project using OpenSSH with cygwin (http://www.cygwin.com/).
> Before doing so, I would like to ask if there is anyone who has done any security research on this combination already.
> I have never seen any advisories on the BUGTRAQ mailing list, and this makes me a little uneasy (generally, I don't trust software that hasn't had at least one security fix in its history, unless I am its author =] ). I have been trained enough to realize that complexity is security's enemy, and using the cygwin library to wrap the UNIX API with the Windows API definitely makes things more complex.
> So, I'd like to know how many people have *at least tried* to find holes in an OpenSSH-cygwin combo. I think I would feel a little better if I know that an honest attempt was made. Thanks in advance.
>
>
> - Joe Testa
>
> e-mail: joetesta@hushmail.com
> web page: http://hogs.rit.edu/~joet
> AIM: LordSpankatron
>
>