This is the mail archive of the
mailing list for the Cygwin project.
Single-user Cygwin for improved security under standalone use with OpenSSH
- From: "WARDEN,JON (HP-FtCollins,ex1)" <jon dot warden at hp dot com>
- To: "'cygwin at cygwin dot com'" <cygwin at cygwin dot com>
- Date: Tue, 8 Jul 2003 18:39:40 -0400
- Subject: Single-user Cygwin for improved security under standalone use with OpenSSH
We would like to use a Cygwin-based OpenSSH implementation for running tasks remotely on Windows (2000, XP) systems. The systems involved would have this OpenSSH distribution installed on them, but not a full Cygwin distribution. The security issue of non-administrators being able to open the named memory-mapped files used by Cygwin (for example, the pinfo class) is a concern, however.

We can live with the restriction of a single-user model, where tasks on the target system can only be run as a user in the Administrator group. In this situation it seems to me that some restrictions on the SECURITY_DESCRIPTORs used for CreateFileMapping() could be made. To test this idea with a simple change, I changed early_init_stuff() in exceptions.cc to set the sec_all and sec_all_nih structs' lpSecurityDescriptor to NULL, just like the

Without this change I was able to OpenFileMapping() and MapViewOfFile() on the pinfo memory-mapped file as a non-administrator. With this change, I couldn't.

Now I am wondering, "Is restricting the SECURITY_DESCRIPTORs for named memory-mapped files a reasonable way to close this vulnerability (given our willingness to settle

If it is, the next question is, "Is it good for anything else?" In a multi-user Cygwin context, it seems unhelpful, but does it make sense to have a "single-user" configuration of Cygwin with improved security?
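
An added illustration of the idea discussed in the message above, not code from the poster or from Cygwin: it creates a named file mapping with an explicit DACL that admits only the built-in Administrators group and LocalSystem, instead of relying on a NULL descriptor. The function name, mapping name and SDDL string are assumptions made for this example; on Windows, link with advapi32.

```c
/* Added example, not Cygwin source. Names and the SDDL string are assumptions. */
#include <stdio.h>
#ifdef _WIN32
#define _WIN32_WINNT 0x0500   /* SDDL conversion API needs Windows 2000 or later */
#include <windows.h>
#include <sddl.h>
#endif

/* Protected DACL (P): no inherited ACEs; generic-all for the built-in
   Administrators group (BA) and LocalSystem (SY), nobody else. */
static const char ADMIN_ONLY_SDDL[] = "D:P(A;;GA;;;BA)(A;;GA;;;SY)";

/* Returns 0 if the named mapping was created with the restricted DACL,
   1 on a Win32 failure, -1 when built on a non-Windows host. */
int create_admin_only_mapping(const char *name, unsigned size)
{
#ifdef _WIN32
    SECURITY_ATTRIBUTES sa = { sizeof sa, NULL, FALSE };
    HANDLE h;

    /* Turn the SDDL text into a self-relative security descriptor. */
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(
            ADMIN_ONLY_SDDL, SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL))
        return 1;

    /* Pagefile-backed named section; the DACL is applied at creation, so a
       caller outside the two listed groups gets ERROR_ACCESS_DENIED from
       OpenFileMapping() on this name. */
    h = CreateFileMappingA(INVALID_HANDLE_VALUE, &sa, PAGE_READWRITE,
                           0, size, name);
    LocalFree(sa.lpSecurityDescriptor);
    if (h == NULL)
        return 1;

    /* A real service keeps this handle open for the mapping's lifetime. */
    CloseHandle(h);
    return 0;
#else
    (void)name; (void)size; (void)ADMIN_ONLY_SDDL;
    return -1;   /* Win32-only API */
#endif
}

int main(void)
{
    int rc = create_admin_only_mapping("example-admin-only-map", 4096);
    printf("create_admin_only_mapping returned %d\n", rc);
    return rc == 1;
}
```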