We would like to use a Cygwin-based OpenSSH implementation (http://lexa.mckenna.edu/sshwindows/) for running tasks remotely on Windows (2000, XP) systems. The systems involved would have this OpenSSH distribution installed on them, but not a full Cygwin distribution. The security issue of non-administrators being able to open the named memory-mapped files used by Cygwin (for example, the pinfo class) is a concern, however.
We can live with the restriction of a single-user model, where tasks on the target system can only be run as a user in the Administrator group. In this situation it seems to me that some restrictions on the SECURITY_DESCRIPTORs used for CreateFileMapping() could be made. To test this idea with a simple change, I changed early_init_stuff() in exceptions.cc to set the sec_all and sec_all_nih structs' lpSecurityDescriptor to NULL, just like the sec_none struct is currently. Without this change I was able to OpenFileMapping() and MapViewOfFile() on the pinfo memory-mapped file as a non-administrator. With this change, I couldn't.

Now I am wondering, "Is restricting the SECURITY_DESCRIPTORs for named memory-mapped files a reasonable way to close this vulnerability (given our willingness to settle for single-user)?" If it is, the next question is, "Is it good for anything else?" In a multi-user Cygwin context, it seems unhelpful, but does it make sense to have a "single-user" configuration of Cygwin with improved security?

Jon Warden

--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
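As an added illustration (not from Jon's message or the Cygwin sources), the same check done through PowerShell's .NET wrappers over CreateFileMapping()/OpenFileMapping(): a named section created with a world-accessible DACL beside one limited to Administrators and SYSTEM, plus a test of whether the calling account can open and map it. It assumes a Windows host with PowerShell 5 and .NET Framework 4; the section name and SDDL strings are constructed for the demo.

```powershell
# Added example, not Cygwin code: compare a world-accessible named section
# with one restricted to Administrators/SYSTEM, then test who can open it.
# Assumes Windows, PowerShell 5, .NET Framework 4; creator runs as an admin.
$SectionName = 'Global\cygwin-demo-section'   # Global\ so other sessions see it

# Weak setting: Everyone (WD) gets GENERIC_ALL, so any local user can map it.
$WeakSddl = 'D:(A;;GA;;;WD)'

# Hardened setting for the single-user model: only Administrators (BA) and
# SYSTEM (SY) are granted access; every other account is denied by omission.
$AdminOnlySddl = 'D:(A;;GA;;;BA)(A;;GA;;;SY)'

function New-DemoSection {
    # Creates the named section; the SDDL string becomes the object's DACL
    # (the lpSecurityDescriptor that Cygwin's sec_all struct would carry).
    param([string]$Name, [string]$Sddl, [long]$Size = 4096)
    $sec = New-Object System.IO.MemoryMappedFiles.MemoryMappedFileSecurity
    $sec.SetSecurityDescriptorSddlForm($Sddl)   # replaces the whole DACL
    [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew(
        $Name, $Size,
        [System.IO.MemoryMappedFiles.MemoryMappedFileAccess]::ReadWrite,
        [System.IO.MemoryMappedFiles.MemoryMappedFileOptions]::None,
        $sec,
        [System.IO.HandleInheritability]::None)
}

function Test-SectionOpen {
    # $true if the calling account can open the section read/write and map a
    # view, i.e. OpenFileMapping() followed by MapViewOfFile() would succeed.
    # A missing section is not swallowed: only access denial yields $false.
    param([string]$Name)
    try {
        $m = [System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting($Name)
        $view = $m.CreateViewAccessor(0, 16)
        $view.Dispose(); $m.Dispose()
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false
    }
}

# Session 1 (Administrator): keep $section alive while the other session tests.
$section = New-DemoSection -Name $SectionName -Sddl $AdminOnlySddl
$section.GetAccessControl().GetSecurityDescriptorSddlForm('Access')  # show DACL

# Session 2 (a non-admin user, e.g. started with runas): expect $false with
# $AdminOnlySddl, and $true after the section is recreated with $WeakSddl.
Test-SectionOpen -Name $SectionName
```

Creating a `Global\` section needs SeCreateGlobalPrivilege, which the Administrators group holds by default, so the creator side must run elevated while the test side runs as the ordinary user.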