From 7486d0c0192a9b2a3c90f3dde3e65d647f6d118c Mon Sep 17 00:00:00 2001 From: Joshua Daniel Franklin Date: Thu, 3 Mar 2005 16:36:08 +0000 Subject: [PATCH] Add Pierre's security text. --- winsup/doc/ChangeLog | 4 ++++ winsup/doc/how-api.texinfo | 17 ++++++----------- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/winsup/doc/ChangeLog b/winsup/doc/ChangeLog index cd20e8770..fdd3ce22d 100644 --- a/winsup/doc/ChangeLog +++ b/winsup/doc/ChangeLog @@ -1,3 +1,7 @@ +2005-03-03 Joshua Daniel Franklin + + * how-api.texinfo: Add Pierre's security text. + 2005-02-23 Joshua Daniel Franklin * README: New file. diff --git a/winsup/doc/how-api.texinfo b/winsup/doc/how-api.texinfo index 0d217c155..5490946a1 100644 --- a/winsup/doc/how-api.texinfo +++ b/winsup/doc/how-api.texinfo @@ -174,17 +174,12 @@ ones which have a "#!" as their first characters. @subsection How secure is Cygwin in a multi-user environment? -Cygwin is not secure in a multi-user environment. For -example if you have a long running daemon such as "inetd" -running as admin while ordinary users are logged in, or if -you have a user logged in remotely while another user is logged -into the console, one cygwin client can trick another into -running code for it. In this way one user may gain the -privilege of another cygwin program running on the machine. -This is because cygwin has shared state that is accessible by -all processes. - -(Thanks to Tim Newsham (newsham@@lava.net) for this explanation). +As of version 1.5.13, the Cygwin developers are not aware of any feature +in the cygwin dll that would allow users to gain privileges or to access +objects to which they have no rights under Windows. However there is no +guarantee that Cygwin is as secure as the Windows it runs on. Cygwin +processes share some variables and are thus easier targets of denial of +service type of attacks. @subsection How do the net-related functions work?
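Review bot: In the winsup/doc/ChangeLog hunk, the entry "Add Pierre's security text" does not record that the how-api.texinfo change also deletes the previous answer and the credit to Tim Newsham. Suggest naming the affected subsection ("How secure is Cygwin in a multi-user environment?"), saying that its text is replaced rather than added, and giving the contributor's full name so the attribution can be traced later.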
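Review bot: In the how-api.texinfo hunk, the new answer removes the statement that shared state lets one cygwin client trick another into running code, but never says whether that behaviour was fixed or which change in 1.5.13 addressed it, so a reader on an older release cannot tell if the earlier warning still applies to them. Suggest adding one sentence on what versions before 1.5.13 should assume, and stating the remaining risk more concretely: which shared variables are involved and whether a long-running daemon such as "inetd" is the process exposed to the denial of service. "Not aware of any feature" is also a weak guarantee for a security FAQ; it would help to say what was reviewed. Minor wording: "denial of service type of attacks" reads better as "denial-of-service attacks", and "cygwin dll" should match the capitalisation of "Cygwin" used in the rest of the paragraph.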