This is the mail archive of the
mailing list for the Cygwin project.
Re: Single-user Cygwin for improved security under standalone use with OpenSSH
This is coming from a different angle, but have you thought of tightening
security using the SSH server instead? I think you are considering opening
up an interactive session using SSH in order to execute arbitrary commands
on the remote system. However, you can configure ssh on a per-account basis
to use forced commands rather than executing whatever program the user
wants. You can write a script to parse the command sent by the user and
then execute the appropriate program. You can also disable tty and
interactive sessions. It seems like this might be a simpler approach than
trying to restrict what an ssh user can do in an interactive session.
The O'Reilly book "SSH, the Secure Shell: The Definitive Guide" (see
http://safari.oreilly.com/0596000111) is an excellent source for how to do
----- Original Message -----
From: "WARDEN,JON (HP-FtCollins,ex1)" <firstname.lastname@example.org>
Sent: Tuesday, July 08, 2003 6:39 PM
Subject: Single-user Cygwin for improved security under standalone use with
> We would like to use a Cgywin-based OpenSSH implementation
> for running tasks remotely on Windows (2000, XP) systems. The systems
> involved would have this
> OpenSSH distribution installed on them, but not a full Cygwin
> The security issue
> of non-administrators being able to open the named memory-mapped files
> by Cygwin (for example,
> the pinfo class) is a concern, however.
> We can live with the restriction of a single-user model, where tasks on
> target system can
> only be run as a user in the Administrator group. In this situation it
> to me that some
> restrictions on the SECURITY_DESCRIPTORs used for CreateFileMapping()
> be made. To test
> this idea with a simple change, I changed early_init_stuff() in
> exceptions.cc so set the
> sec_all and sec_all_nih struct's lpSecurityDescriptor to NULL, just like
> sec_none struct
> is currently.
> Without this change I was able to OpenFileMapping() and MapViewOfFile() on
> the pinfo memory-mapped
> file as a non-administrator. With this change, I couldn't.
> Now I am wondering, "Is restricting the SECURITY_DECRIPTORs for named
> memory-mapped files a
> reasonable way to close this vulnerability (given our willingness to
> for single-user)?"
> If it is, the next question is, "Is it good for anything else?" In a
> multi-user Cygwin context,
> it seems unhelpful, but does it make sense to have a "single-user"
> configuration of Cygwin
> with improved security?
> Jon Warden
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
> Problem reports: http://cygwin.com/problems.html
> Documentation: http://cygwin.com/docs.html
> FAQ: http://cygwin.com/faq/
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html