This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.



Re: Unable to compile cygwin


At 10:47 AM 12/24/2003 -0500, Christopher Faylor wrote:
>On Wed, Dec 24, 2003 at 10:37:55AM -0500, Pierre A. Humblet wrote:
>>At 11:57 PM 12/22/2003 -0500, Christopher Faylor wrote:
>>>On Mon, Dec 22, 2003 at 11:13:00PM -0500, Pierre A. Humblet wrote:
>>>>I believe that the latest snapshot is "as secure as Windows" in the case
>>>>where the only Cygwin processes are logged in using Terminal Services
>>>>on Windows 2003 or Windows 2000 sp4, and do not have the "Create Global
>>>>Object" privilege (please don't laugh, that's an achievement).
>>>>That is, if such a user runs cygwin compiled programs under a cygwin shell,
>>>>he is no more exposed and has no more power than if running regular Windows
>>>>programs under cmd.exe
>>>
>>>There are still other holes.
>>>
>>>However, while I understand that there is no real security in security
>>>through obscurity, I don't think it is useful to discuss all of the
>>>specific holes we know of in a public list.
>>
>>Can you be more explicit on this list, or privately?
>
>http://sources.redhat.com/ml/cygwin-patches/2003-q4/msg00226.html

Sure, but the situation there is a privileged parent with a seteuid'ed
child. It's outside the limited scope I had in mind:
" where the only Cygwin processes are logged in using Terminal Services
on Windows 2003 or Windows 2000 sp4, and do not have the "Create Global
Object" privilege "

Pierre

