The security of OpenSSH with cygwin.

Robert Collins robert.collins@itdomain.com.au
Mon May 21 16:44:00 GMT 2001


Egor Duda has spent some time researching security aspects of cygwin
(and patching as he goes). So he's a more authoritative source.

I know of at least one showstopper: It's currently possible for any
cygwin process to get a win32 handle with full access rights to any
other cygwin process. See the archives of the developer list for more
detail. (search on daemon - Egor has proposed a daemon to resolve the
issue).

Rob

> -----Original Message-----
> From: joetesta@hushmail.com [ mailto:joetesta@hushmail.com ]
> Sent: Tuesday, May 22, 2001 1:10 PM
> To: bugtraq@securityfocus.com; cygwin@cygwin.com
> Subject: The security of OpenSSH with cygwin.
> 
> 
> ----- Begin Hush Signed Message from joetesta@hushmail.com -----
> 
> Hi --
> 
>     I am about to undertake a project using OpenSSH with
> cygwin ( http://www.cygwin.com/ ).  Before doing so, I would like to
> ask if there is anyone who has done any security research on this
> combination already.
>     I have never seen any advisories on the BUGTRAQ mailing list, and
> this makes me a little uneasy (generally, I don't trust software that
> hasn't had at least one security fix in its history, unless I am its
> author =] ).  I have been trained enough to realize that complexity is
> security's enemy, and using the cygwin library to wrap the UNIX API
> with the Windows API definitely makes things more complex.
>     So, I'd like to know how many people have *at least tried* to find
> holes in an OpenSSH-cygwin combo.  I think I would feel a little better
> if I knew that an honest attempt was made.  Thanks in advance.
> 
> 
>     - Joe Testa
> 
> e-mail:   joetesta@hushmail.com
> web page: http://hogs.rit.edu/~joet
> AIM:      LordSpankatron
> 
> 
> ----- Begin Hush Signature v1.3 -----
> Eb5nyu04VZj5/7cmeklvZ79BqUGto/ln3c8Cy4H5R2EsgxhXqTwbDxpszhCGF/+6BrJ/
> oYY1nBWSKT97BDy017HHfWt0JBhZy4wfP9VbqmRzFx2QAJr6dVS9VRf9/5DWVM4+7SSX
> 6vZvBPiygdYujzlDmEIrziP9PGXL8+/fRj98pgGE53uKc9yIcDKmef1Uf1q7z5pPy8O7
> PE+IRCtF7jUtr4PTOV935d9499lXvM547MDvvx4394WDskG8prKyYaE9uZKc1wzCA0ob
> z7Gvhz4i9jAZIXXJ+m8Z4EU3n9gLpy/gz25grXO7ktH54ZEDdmQ25j3za+bIFCZ3u93w
> VbbYxKO6rQOjvPWTatcPHGC6TwBh+JxIEoVlLMVyIbjncamNL4Xd3odpcyd4Ukn6bItU
> sUnVLMIV6AaB693fKmrw30nywV6fKtrQbmr6appLvByCzXbS7X2DMrvLeL+dbODTTDSo
> eajwTcTPS5LdU8ZeDVs9rLnTC4HFRVFTaUwk1w34DWHN
> ----- End Hush Signature v1.3 -----
> 
> 
> This message has been signed with a Hush Digital Signature. 
> To verify the signature, please go to www.hush.com/tools
> 
> 
> Free, encrypted, secure Web-based email at www.hushmail.com
> 
