This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: inetd security issues


On Tue, Jul 10, 2001 at 09:40:53PM +1000, Carl Masens wrote:
> In wanting to run the inetd ftp server on my cygwin/win2k box I have had 
> the following exchange with my admin:
> 
> me:
> What have I got installed (I hear you thinking)? I have installed Cygwin 
> (http://www.cygwin.com) and run the inetd application, having removed all 
> entries but specific user accounts from /etc/passwd except the SYSTEM and 
> ADMINISTRATORS.
> 
> admin:
> Seeing as you're using inetd, I presume it leaves ports open for access? 
> Which ports are open? This is more relevant than enabling or disabling user 
> accounts, as most attacks involve vulnerabilities in software listening on 
> a particular port. How open to buffer overruns is Cygwin? What I'm getting 
> at is will a buffer overrun just crash the program/API/OS or will it allow 
> code to be executed locally as SYSTEM or ADMINISTRATOR?
> 
> so, can anyone answer these questions from my admin?

Using Cygwin is not secure at all. If you or your admin has
honest security concerns don't open up the system by providing
services via inetd.

A better way to access your system is an sshd which runs under
a non-privileged user account using public key authentication.
Even if somebody finds a hole in OpenSSH, using the non-privileged
account prevents a hacker from getting admin access on that machine.
The system is then as secure as your handling of your private key
file.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
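
An added example, not part of the original message and not Cygwin's own code: one way to answer the admin's questions about which inetd services are enabled and which account each would run as. The sample file contents and the set of account names treated as privileged are constructed assumptions.

```python
import re

# Assumption: account names treated as privileged (compared case-insensitively).
PRIVILEGED = {"root", "system", "administrator"}

# Constructed sample in the classic inetd.conf layout:
# service  socket-type  protocol  wait-flag  user  server-program  [arguments]
SAMPLE_INETD_CONF = """\
# lines starting with '#' are disabled entries or comments
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd -l
#telnet stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
daytime stream  tcp  nowait  nobody  internal
tftp    dgram   udp  wait    root    /usr/sbin/in.tftpd    in.tftpd
"""

def enabled_services(conf_text):
    """Return one dict per enabled inetd entry, flagging privileged accounts."""
    services = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank, comment, or disabled service
        fields = line.split()
        if len(fields) < 6:
            continue                      # malformed entry, skip it
        name, _socktype, proto, _wait, user, program = fields[:6]
        user = re.split(r"[.:]", user)[0]  # drop an optional group suffix
        services.append({
            "service": name,
            "protocol": proto,
            "user": user,
            "program": program,
            "privileged": user.lower() in PRIVILEGED,
        })
    return services

def privileged_listeners(conf_text):
    """Names of enabled services whose server would run as a privileged account."""
    return [s["service"] for s in enabled_services(conf_text) if s["privileged"]]

if __name__ == "__main__":
    for s in enabled_services(SAMPLE_INETD_CONF):
        flag = "PRIVILEGED" if s["privileged"] else "ok"
        print(f'{s["service"]:8} {s["protocol"]:4} user={s["user"]:8} {flag}')
```

Every entry reported as privileged is a network-facing server where a memory-corruption bug would run attacker code with that account's rights, which is the exposure the reply suggests avoiding.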


