This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.
Re: How secure is Cygwin in a multi-user environment?
- From: Corinna Vinschen <vinschen at redhat dot com>
- To: cygwin-developers at cygwin dot com
- Date: Wed, 2 Mar 2005 10:12:13 +0100
- Subject: Re: How secure is Cygwin in a multi-user environment?
- References: <3.0.5.32.20050301213321.00b6a228@verizon.net>
- Reply-to: cygwin-developers at cygwin dot com
On Mar 1 21:33, Pierre A. Humblet wrote:
> [...]
> This isn't up to date any more, the hole described above is now fixed.
> So the entry should be updated. I suggest replacing it with the following:
>
> How secure is Cygwin in a multi-user environment?
>
> As of version 1.5.13, the Cygwin developers are not aware of any feature
> in the cygwin dll that would allow users to gain privileges or to access
> objects to which they have no rights under Windows.
> Cygwin processes share some variables and are thus easier targets of
> denial of service type of attacks.
What I would really like to see is the hint that we don't give any guarantee
for being "secure".
> Not sure what to say, if anything, about cygserver.
Cygserver checks the impersonation token after calling
ImpersonateNamedPipeClient, so I would think cygserver is reasonably
secure. No guarantee, of course.
Corinna
--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat, Inc.
Please, send mails regarding Cygwin to mailto:cygwin@cygwin.com