This is the mail archive of the
mailing list for the Cygwin project.
Re: Is there someone offering cygwin paid support?
On Thu, 20 Sep 2007, Christopher Faylor wrote:
> On Thu, Sep 20, 2007 at 03:08:55AM -0600, Warren Young wrote:
> >Will Parsons wrote:
> >>why would cygwin be less secure?
> >The more moving parts, the more things there are to break.
> >Postulate that you have a program that's been audited to the point that
> >you're absolutely certain it's 100% secure when run on Linux.
> >Then you port it to Cygwin. Is it secure? The answer cannot be "Yes"
> >until you have also audited Cygwin itself to the same level of
> >Just one way it could fail is if there is a buffer overflow in the
> >implementation of one of Cygwin's interfaces, and your "100% secure"
> >program calls it. It's then only a matter of time for a skilled hacker
> >to turn that buffer overflow into an arbitrary code execution
> >vulnerability. At minimum, the hacker will then have the privileges of
> >the program. Once the hacker has local access, chances are good that
> >he can parlay that into a privilege escalation attack, and it's Game
> >Over for you.
> >Security is hard.
> I don't think I've given out a gold star for a clear explanation in a
> long time but can we get one over here?
P.S. I also owe quite a few to folks on the cygwin-apps list...
|\ _,,,---,,_ firstname.lastname@example.org | email@example.com
ZZZzz /,`.-'`' -. ;-;;,_ Igor Peshansky, Ph.D. (name changed!)
|,4- ) )-,_. ,\ ( `'-' old name: Igor Pechtchanski
'---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow!
Belief can be manipulated. Only knowledge is dangerous. -- Frank Herbert
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html