This is the mail archive of the mailing list for the Cygwin project.


Single-user Cygwin for improved security under standalone use with OpenSSH

We would like to use a Cygwin-based OpenSSH implementation for running tasks remotely on Windows (2000, XP) systems. The systems involved would have this OpenSSH distribution installed on them, but not a full Cygwin distribution. The security issue of non-administrators being able to open the named memory-mapped files used by Cygwin (for example, the pinfo class) is a concern, however.

We can live with the restriction of a single-user model, where tasks on the target system can only be run as a user in the Administrator group. In this situation it seems to me that some restrictions on the SECURITY_DESCRIPTORs used for CreateFileMapping() could be made. To test this idea with a simple change, I changed early_init_stuff() so that it sets the sec_all and sec_all_nih structs' lpSecurityDescriptor to NULL, just as the sec_none struct's currently is.

Without this change I was able to OpenFileMapping() and MapViewOfFile() on the pinfo memory-mapped file as a non-administrator. With this change, I couldn't.

Now I am wondering, "Is restricting the SECURITY_DESCRIPTORs for named memory-mapped files a reasonable way to close this vulnerability (given our willingness to settle for single-user)?"

If it is, the next question is, "Is it good for anything else?" In a multi-user Cygwin context it seems unhelpful, but does it make sense to have a "single-user" configuration of Cygwin with improved security?

Jon Warden
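The experiment described in the post, reproduced as an added example that is not part of the original message or of the Cygwin source. It uses .NET's MemoryMappedFile class (which wraps CreateFileMapping, OpenFileMapping and MapViewOfFile) instead of patching early_init_stuff(), creates a named section under one of three DACLs, and then runs the post's open-and-map check as a second, non-administrative user. It assumes Windows PowerShell 5.1 on .NET Framework (MemoryMappedFileSecurity is Windows-only and is absent from .NET Core), and the section name, the script file name and the -NonAdmin credential are placeholders; the actual names Cygwin gives its pinfo sections are not used here.

```powershell
<#
Added example, not from the post or the Cygwin project. Reproduces the post's
test with .NET's MemoryMappedFile (wraps CreateFileMapping / OpenFileMapping /
MapViewOfFile). Assumes Windows PowerShell 5.1 / .NET Framework. The section
name, script name and -NonAdmin credential are placeholders.

Usage (run as a member of Administrators):
  .\Test-SectionAcl.ps1 -Acl World   -NonAdmin (Get-Credential lowpriv)
  .\Test-SectionAcl.ps1 -Acl Default -NonAdmin (Get-Credential lowpriv)
#>
param(
    [switch]$Probe,                                  # internal: run only the open test
    [string]$Name = 'cygwin-demo-section',           # hypothetical section name
    [ValidateSet('World', 'Default', 'AdminsOnly')]
    [string]$Acl = 'Default',
    [System.Management.Automation.PSCredential]$NonAdmin
)
Add-Type -AssemblyName System.Core

# DACLs to try. 'World' reproduces what the post observed (any user may open
# the section). 'Default' passes a NULL security descriptor, which is exactly
# the post's change: the section takes the creator token's default DACL, for
# an Administrators member typically that user plus SYSTEM. 'AdminsOnly' spells
# the single-user policy out (BA = Builtin\Administrators, SY = SYSTEM) instead
# of relying on whatever the token default happens to be.
$Sddl = @{
    World      = 'D:(A;;GA;;;WD)'
    Default    = $null
    AdminsOnly = 'D:(A;;GA;;;BA)(A;;GA;;;SY)'
}

function New-NamedSection {
    param([string]$Name, [string]$Sddl)
    $security = $null                                # NULL SD -> token default DACL
    if ($Sddl) {
        $security = New-Object System.IO.MemoryMappedFiles.MemoryMappedFileSecurity
        $security.SetSecurityDescriptorSddlForm($Sddl)
    }
    return [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew(
        $Name, 4096,
        [System.IO.MemoryMappedFiles.MemoryMappedFileAccess]::ReadWrite,
        [System.IO.MemoryMappedFiles.MemoryMappedFileOptions]::None,
        $security,
        [System.IO.HandleInheritability]::None)
}

function Test-SectionOpen {
    # The post's check: OpenFileMapping() followed by MapViewOfFile().
    param([string]$Name)
    try {
        $section = [System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting(
            $Name, [System.IO.MemoryMappedFiles.MemoryMappedFileRights]::ReadWrite)
        $view = $section.CreateViewAccessor()
        $view.Dispose()
        $section.Dispose()
        return 'opened'
    }
    catch [System.UnauthorizedAccessException] { return 'denied' }
    catch [System.IO.FileNotFoundException]    { return 'missing' }
}

if ($Probe) {
    $result = Test-SectionOpen -Name $Name
    Write-Output "$([Environment]::UserName): $result"
    $code = @{ denied = 0; opened = 1; missing = 2 }[$result]
    exit $code
}

# Creator side. The section exists only while this process holds a handle, so
# the probe must run while $section is alive. Start-Process -Credential starts
# the probe in the caller's session, so an unprefixed name is visible to it;
# use a 'Global\' name if the low-privilege user is logged on elsewhere.
$section = New-NamedSection -Name $Name -Sddl $Sddl[$Acl]
try {
    $probe = Start-Process -FilePath 'powershell.exe' -Credential $NonAdmin -Wait -PassThru `
        -ArgumentList '-NoProfile', '-ExecutionPolicy', 'Bypass',
                      '-File', "`"$PSCommandPath`"", '-Probe', '-Name', $Name
    "Acl=$Acl -> probe exit code $($probe.ExitCode) (0 = denied, 1 = opened, 2 = missing)"
}
finally {
    $section.Dispose()
}
```

With -Acl World the probe should report 1 (the non-administrator opened and mapped the section, the situation the post describes); with -Acl Default or -Acl AdminsOnly it should report 0. The Default case is the one the post's patch relies on, and it only holds the single-user line because the creating token's default DACL happens to exclude other users; a section created by a service running under a different account gets that account's default DACL instead, so an explicit DACL such as AdminsOnly is the form to reach for if the policy is meant to survive a change of creator.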
