This is the mail archive of the
mailing list for the Cygwin project.
Re: Is there someone offering cygwin paid support?
On Thu, Sep 20, 2007 at 03:08:55AM -0600, Warren Young wrote:
>Will Parsons wrote:
>>why would cygwin be less secure?
>The more moving parts, the more things there are to break.
>Postulate that you have a program that's been audited to the point that
>you're absolutely certain it's 100% secure when run on Linux.
>Then you port it to Cygwin. Is it secure? The answer cannot be "Yes"
>until you have also audited Cygwin itself to the same level of
>Just one way it could fail is if there is a buffer overflow in the
>implementation of one of Cygwin's interfaces, and your "100% secure"
>program calls it. It's then only a matter of time for a skilled hacker
>to turn that buffer overflow into an arbitrary code execution
>vulnerability. At minimum, the hacker will then have the privileges of
>the program. Once the hacker has local access, chances are good that
>he can parlay that into a privilege escalation attack, and it's Game
>Over for you.
>Security is hard.
I don't think I've given out a gold star for a clear explanation in a
long time but can we get one over here?