This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: How secure is Cygwin in a multi-user environment?


On Mar  1 21:33, Pierre A. Humblet wrote:
> [...]
> This isn't up to date any more, the hole described above is now fixed.
> So the entry should be updated. I suggest replacing it with the following:
> 
> How secure is Cygwin in a multi-user environment?
> 
> As of version 1.5.13, the Cygwin developers are not aware of any feature
> in the cygwin dll that would allow users to gain privileges or to access
> objects
> to which they have no rights under Windows.
> Cygwin processes share some variables and are thus easier targets of 
> denial of service type of attacks.

What I really like to see is the hint that we don't give any guarantee
for being "secure".

> Not sure what to say, if anything, about cygserver. 

Cygserver checks the impersonation token after calling
ImpersonateNamedPipeClient, so I would think cygserver is reasonably
secure.  No guarantee, of course.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          mailto:cygwin@cygwin.com
Red Hat, Inc.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]