This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: multi user environment security due shared memory


On 12/2/05, Corinna Vinschen wrote:
> On Dec  2 13:43, andrea wrote:
> > What is the current status of the following security threats and how
> > would you rate security when running sshd in a multi-user environment?
> >
> >  -Code execution in the context of another user
> >  -Denial of service by overwriting the shared memory segments
> >   of cygwin
> >  -Data disclosure about processes of another user by reading
> >   shared memory segments
> >  -Other security issues
>
> We're not aware of security implications, but we don't give any
> guarantee either and there's no such thing as a security survey
> for Cygwin.  If that's not sufficient for your company, feel
> free to contact Red Hat for a support contract which could cover
> a more detailed analysis, http://www.redhat.com/software/cygwin/
>

This is a little old, but I've updated
http://cygwin.com/cygwin-ug-net/highlights.html#ov-hi-perm
with the following (important bits from
http://cygwin.com/faq/faq.api.html#faq.api.secure ):

<blockquote>
Under Windows NT, users with Administrator rights are permitted to
chown files. With version 1.1.3 Cygwin introduced a mechanism for
setting real and effective UIDs under Windows NT/W2K. This is
described in the section called "NT security and usage of ntsec". As
of version 1.5.13, the Cygwin developers are not aware of any feature
in the Cygwin DLL that would allow users to gain privileges or to
access objects to which they have no rights under Windows. However
there is no guarantee that Cygwin is as secure as the Windows it runs
on. Cygwin processes share some variables and are thus easier targets
of denial of service type of attacks.
</blockquote>
