This is the mail archive of the
mailing list for the Cygwin project.
Re: multi user environment security due shared memory
- From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
- To: cygwin at cygwin dot com
- Date: Fri, 2 Dec 2005 14:03:49 +0100
- Subject: Re: multi user environment security due shared memory
- References: <4390418A.email@example.com>
- Reply-to: cygwin at cygwin dot com
On Dec 2 13:43, andrea wrote:
> Hi all,
> Our company is looking at some security properties of cygwin. We want to
> run a daemon like sshd in a multi user environment with cygrunsrv.
> There was an entry in your FAQ from 2000/09/13 that cygwin is not
> secure in a multi user environment. This entry was replaced this year,
> that as of 1.5.13 you are not aware of any feature to gain more
> privileges than you have under Windows. For my understanding this
> newest FAQ entry is in contrast to what you write in your user guide
> about the use of shared memory in your 'kernel'. There you write
> "...it does constitute a security hole...".
> I was not able to find any recent discussion about this topic on this
> list (there was one in 2002). Is there some documentation describing
> the shared memory segments accessible by all cygwin users?
> What is the current status of the following security threats and how
> would you rate security when running sshd in a multi user environment?
> - Code execution in the context of another user
> - Denial of service by overwriting the shared memory segments
>   of cygwin
> - Data disclosure about processes of another user by reading
>   shared memory segments
> - Other security issues
We're not aware of security implications, but we don't give any
guarantee either and there's no such thing as a security survey
for Cygwin. If that's not sufficient for your company, feel
free to contact Red Hat for a support contract which could cover
a more detailed analysis, http://www.redhat.com/software/cygwin/
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat, Inc.