This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



RE: cygwin1.dll


Igor,
Thanks for this info.
The only Cygwin executables being installed will be those to support OpenSSH
on that machine, e.g. ssh-keygen, scp, sftp etc.
I still do not have a clear understanding of how a user could "hijack" a
cygwin process running as system account, effectively bypassing system security.
Any info. would be most appreciated.
Thanks. 


> Best Regards
> Jim 
> 		_______________________________________________
> 		BTcd  Computing Partners
> 		Intelligent Systems Management            



-----Original Message-----
From: Igor Pechtchanski [mailto:pechtcha@cs.nyu.edu]
Sent: 24 January 2003 16:36
To: Davidson,JA,Jim,YES82 R
Cc: cygwin@cygwin.com
Subject: Re: cygwin1.dll


On Fri, 24 Jan 2003 jim.a.davidson@bt.com wrote:

> Sirs,
> We are proposing to use the Red Hat OpenSSH package on our NT/W2K servers
> but some concerns have been raised re. the Cygwin1.dll shared memory
> vulnerability.
> As the only Cygwin application running on these machines will be OpenSSH I
> am not sure how significant a risk may exist.
> Can you please explain how this vulnerability could be exploited so that we
> can determine what if any counter measures we could deploy.
> Thanks.

Jim,

I'd like to correct one misconception in your message.  You said that
OpenSSH (I assume you mean sshd) will be "the only Cygwin application
running on these machines".  However, any time a user logs on, sshd will
spawn a shell, and that will spawn whatever other applications the user
runs.  Some of them will most certainly be Cygwin applications.
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha@cs.nyu.edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor@watson.ibm.com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

Oh, boy, virtual memory! Now I'm gonna make myself a really *big* RAMdisk!
  -- /usr/games/fortune

