This is the mail archive of the
cygwin
mailing list for the Cygwin project.
multi user environment security due shared memory
- From: andrea <cygwin-temp at adnovum dot ch>
- To: cygwin at cygwin dot com
- Date: Fri, 02 Dec 2005 13:43:54 +0100
- Subject: multi user environment security due shared memory
Hi all,
Our company is looking at some security properties of cygwin. We want to
run a daemon like sshd in a multi user environment with cygrunsrv.
There was an entry [0] in your FAQ from 2000/09/13 that cygwin is not
secure in a multi user environment. This entry was replaced this year
[1], that as of 1.5.13 you are not aware of any feature to gain more
privileges than you have under Windows. For my understanding is this
newest FAQ entry in contrast to what you write in your user guide [2]
about the use of shared memory in your 'kernel'. There you write
"...it does constitute a security hole...".
I was not able to find any recent discussion about this topic on this
list (there was one in 2002 [3]). Is there some documentation describing
the shared memory segments accessible by all cygwin users?
What is the current status of the following security threats and how
would you rate security when running sshd in a multi user environment.
-Code execution in the context of an other user
-Denial of service by overwriting the shared memory segments
of cygwin
-Data disclosure about processes of an other user by reading
shared memory segments
-Other security issues
Thanks for your help
andrea
[0] cvs rev 1.1 of winsup/doc/how-api.texinfo
[1] http://cygwin.com/faq/faq.api.html#faq.api.secure
[2] http://cygwin.com/cygwin-ug-net/highlights.html#ov-hi-perm
[3] http://www.cygwin.com/ml/cygwin/2002-12/msg01457.html
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/