Re: Is there someone offering cygwin paid support?
Will Parsons wrote:
> why would cygwin be less secure?

The more moving parts, the more things there are to break.

Postulate that you have a program that's been audited to the point that you're absolutely certain it's 100% secure when run on Linux. Then you port it to Cygwin. Is it secure? The answer cannot be Yes until you have also audited Cygwin itself to the same level of assurance.

Just one way it could fail is if there is a buffer overflow in the implementation of one of Cygwin's interfaces, and your 100% secure program calls it. It's then only a matter of time for a skilled hacker to turn that buffer overflow into an arbitrary code execution vulnerability. At minimum, the hacker will then have the privileges of the program. Once the hacker has local access, chances are good that he can parlay that into a privilege escalation attack, and it's Game Over for you.

Security is hard.

--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
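The following is an added illustration of the point above, not code from this thread or from the Cygwin project. It models an "audited" caller that validates its input against the contract it believes a library interface has, beside two hypothetical implementations of that interface: one with an unbounded internal copy (the kind of defect the caller cannot see through the interface) and one that enforces its bounds. The function names, the buffer size and the slash-collapsing behaviour are all invented for the example.

```c
/* Added example; not code from this thread or from Cygwin.  It models
 * Warren's point: a program that validates its own input is only as safe
 * as the library interface it calls.  Both "library" functions and the
 * buffer size are hypothetical stand-ins for one POSIX-style interface. */
#include <stdio.h>
#include <string.h>

#define LIB_BUF_SIZE 64   /* scratch size the library happens to use */

/* Defective implementation: collapses runs of '/' but first copies the
 * input into a fixed stack buffer with no length check.  The caller
 * cannot see this through the interface.  Shown only for contrast; it is
 * never called here with input of LIB_BUF_SIZE bytes or more. */
int lib_collapse_unbounded(const char *in, char *out, size_t outsz)
{
    char tmp[LIB_BUF_SIZE];
    size_t j = 0;
    strcpy(tmp, in);                           /* defect: unbounded copy */
    for (size_t i = 0; tmp[i] != '\0' && j + 1 < outsz; i++) {
        if (tmp[i] == '/' && j > 0 && out[j - 1] == '/')
            continue;
        out[j++] = tmp[i];
    }
    out[j] = '\0';
    return 0;
}

/* Hardened implementation of the same interface: streams the input and
 * refuses (returns -1, output emptied) instead of writing past outsz. */
int lib_collapse_bounded(const char *in, char *out, size_t outsz)
{
    size_t j = 0;
    if (outsz == 0)
        return -1;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] == '/' && j > 0 && out[j - 1] == '/')
            continue;
        if (j + 1 >= outsz) {                  /* no room for byte + NUL */
            out[0] = '\0';
            return -1;
        }
        out[j++] = in[i];
    }
    out[j] = '\0';
    return 0;
}

/* The "audited" program.  Its own check is written against the scratch
 * size it believes the library uses; port the program onto a library with
 * a different internal size and the audit no longer says anything. */
int audited_program(const char *user_path,
                    int (*lib)(const char *, char *, size_t))
{
    char result[128];
    if (strlen(user_path) >= LIB_BUF_SIZE)     /* caller-side precondition */
        return -1;
    return lib(user_path, result, sizeof result);
}

int main(void)
{
    char buf[32];
    printf("bounded  : %d\n",
           lib_collapse_bounded("/usr//local///bin", buf, sizeof buf));
    printf("  -> %s\n", buf);
    printf("oversize : %d\n",
           lib_collapse_bounded("/a/very/long/path/that/will/not/fit",
                                buf, sizeof buf));
    return 0;
}
```

The caller-side check in `audited_program` is exactly the sort of thing an audit signs off on, and it is correct only while `LIB_BUF_SIZE` really is what the library uses underneath. The bounded implementation removes the dependency by making the interface itself safe for any input length, which is the property you would want to verify in the ported library rather than assume from the original platform.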
Re: Is there someone offering cygwin paid support?
On Thu, 20 Sep 2007, Christopher Faylor wrote:
> On Thu, Sep 20, 2007 at 03:08:55AM -0600, Warren Young wrote:
>> Will Parsons wrote:
>>> why would cygwin be less secure?
>>
>> The more moving parts, the more things there are to break.
>>
>> Postulate that you have a program that's been audited to the point that you're absolutely certain it's 100% secure when run on Linux. Then you port it to Cygwin. Is it secure? The answer cannot be Yes until you have also audited Cygwin itself to the same level of assurance.
>>
>> Just one way it could fail is if there is a buffer overflow in the implementation of one of Cygwin's interfaces, and your 100% secure program calls it. It's then only a matter of time for a skilled hacker to turn that buffer overflow into an arbitrary code execution vulnerability. At minimum, the hacker will then have the privileges of the program. Once the hacker has local access, chances are good that he can parlay that into a privilege escalation attack, and it's Game Over for you.
>>
>> Security is hard.
>
> I don't think I've given out a gold star for a clear explanation in a long time but can we get one over here?

Certainly: http://cygwin.com/goldstars/#WY.
	Igor
P.S. I also owe quite a few to folks on the cygwin-apps list...
--
http://cs.nyu.edu/~pechtcha/
[EMAIL PROTECTED] | [EMAIL PROTECTED]
Igor Peshansky, Ph.D. (name changed!)
old name: Igor Pechtchanski
a.k.a JaguaR-R-R-r-r-r-.-.-. Meow!

Belief can be manipulated. Only knowledge is dangerous. -- Frank Herbert
Re: Is there someone offering cygwin paid support?
On Thu, Sep 20, 2007 at 03:08:55AM -0600, Warren Young wrote:
> Will Parsons wrote:
>> why would cygwin be less secure?
>
> The more moving parts, the more things there are to break.
>
> Postulate that you have a program that's been audited to the point that you're absolutely certain it's 100% secure when run on Linux. Then you port it to Cygwin. Is it secure? The answer cannot be Yes until you have also audited Cygwin itself to the same level of assurance.
>
> Just one way it could fail is if there is a buffer overflow in the implementation of one of Cygwin's interfaces, and your 100% secure program calls it. It's then only a matter of time for a skilled hacker to turn that buffer overflow into an arbitrary code execution vulnerability. At minimum, the hacker will then have the privileges of the program. Once the hacker has local access, chances are good that he can parlay that into a privilege escalation attack, and it's Game Over for you.
>
> Security is hard.

I don't think I've given out a gold star for a clear explanation in a long time but can we get one over here?

cgf
RE: Is there someone offering cygwin paid support?
On 20 September 2007 10:09, Warren Young wrote:
> Will Parsons wrote:
>> why would cygwin be less secure?
>
> Just one way it could fail is if there is a buffer overflow in the implementation of one of Cygwin's interfaces, and your 100% secure program calls it. It's then only a matter of time for a skilled hacker to turn that buffer overflow into an arbitrary code execution vulnerability. At minimum, the hacker will then have the privileges of the program. Once the hacker has local access, chances are good that he can parlay that into a privilege escalation attack, and it's Game Over for you.

It's worse than that - he's dead, Jim.

Cygwin does actually introduce one gaping security hole: the shared memory section. It's an artifact of the fact that we're trying to emulate an entire posix system, and so we need to maintain global state across multiple processes. Because we're not the kernel, we can't just keep process lists and so on in kernel memory where all processes can access them, so we have to find a way of sharing memory between different processes in user mode; the shared section is a way of doing this.

Unfortunately, that means that low-privilege processes (running as a limited user) and high-privilege processes (running services as SYSTEM, for example) have an uncontrolled connection between them. It's entirely likely that a guest user, by manipulating the contents of the shared memory section, could inject code into or otherwise divert or seize control of any SYSTEM-level cygwin process. That's yer privilege escalation right there, that is.

cheers,
  DaveK
--
Can't think of a witty .sigline today
Re: Is there someone offering cygwin paid support?
Marko, the best way for you would be to throw Windows out and use a mature Unix-like OS. Cygwin documents that it is not made for secure operation, due to Capital-W Windows faults.

cheers.
d. henman

Steve Holden [EMAIL PROTECTED] wrote:
> Marko Loparic wrote:
>> Hello Steve,
>>
>> On 9/17/07, Steve Holden [EMAIL PROTECTED] wrote:
>>> Just a quick note, by the way, to question your apparent assumption that paid support will get you any further than using this list!
>>
>> I have already tried the list, some people helped, someone suggested that I use cacls, which certainly put me closer to the solution, but it was not enough. If you have an idea of what else I could try please tell me. DOS commands have no permission problem, Emacs for Windows also opens the directory without problems, but all cygwin commands get a permission denied error...
>
> Sorry, if people like Dave Korn can't help I doubt anything I bring to the party will be of more assistance. I think the people most likely to help are the administrators who put those funky access control lists on the share.
>
> I suppose one thing you could do is use a local security policy to audit directory access: that might give you some clue as to why Cygwin processes were being denied access, but there are no guarantees. Auditing on the server might also give you further information.
>
> regards
>  Steve
> --
> Steve Holden  +1 571 484 6266  +1 800 494 3119
> Holden Web LLC/Ltd  http://www.holdenweb.com
> Skype: holdenweb  http://del.icio.us/steve.holden
> Sorry, the dog ate my .sigline
PROBLEM SOLVED! (was: Re: Is there someone offering cygwin paid support?)
THE PROBLEM IS SOLVED.

Thanks a lot to everyone that helped. The problem disappeared by itself without any manipulations on my side. Probably the network administrators changed something.

Keith: thanks for the tip on using Process Explorer. It is a very nice tool.

d. henman: switching to linux is a good idea, I did it at home, but at work I am not allowed (I know, perhaps I should change the job too...)

Steve: thanks for the help and the suggestions.

Have a good day,
Marko

On 9/17/07, Keith Christian [EMAIL PROTECTED] wrote:
> ----- Original Message -----
> From: Marko Loparic [EMAIL PROTECTED]
> To: cygwin@cygwin.com
> Sent: Monday, September 17, 2007 1:49:39 PM
> Subject: Re: Is there someone offering cygwin paid support?
>
> Hello Steve,
>
> On 9/17/07, Steve Holden [EMAIL PROTECTED] wrote:
>> Just a quick note, by the way, to question your apparent assumption that paid support will get you any further than using this list!
>
> I have already tried the list, some people helped, someone suggested that I use cacls, which certainly put me closer to the solution, but it was not enough. If you have an idea of what else I could try please tell me. DOS commands have no permission problem, Emacs for Windows also opens the directory without problems, but all cygwin commands get a permission denied error...
>
> Thanks,
> Marko
>
> Marko, you could download Process Explorer (http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx) and use it to watch for Windows messages while trying to access the directories/files you are having problems with. It's an excellent tool.
>
> =Keith
Re: Is there someone offering cygwin paid support?
On Tue, Sep 18, 2007 at 03:58:29PM +0900, d.henman wrote:
> Marko, the best way for you would be to throw Windows out and use a mature Unix-like OS. Cygwin documents that it is not made for secure operation, due to Capital-W Windows faults.

Cygwin potentially adds a whole other layer of insecurity on top of Windows. We do try to keep security in mind but, nevertheless, we don't recommend using Cygwin in a secure installation unless there has been quite a bit of validation. In other words, the burden of proving security is up to the person deploying Cygwin.

cgf
Re: Is there someone offering cygwin paid support?
Will Parsons wrote:
> I'm curious about this. I think I recall from years ago a response to an enquiry about cygwin security that was basically along the lines that cygwin is as secure as the underlying Windows system. That made sense to me - why would cygwin be less secure?

Fundamentally, yes, Cygwin is just a normal user mode library so at the end of the day all the security restrictions of the operating system still apply.

But consider what happens if you compile POSIX code that uses e.g. chroot(). There is no such syscall on Windows, so Cygwin emulates it. But since Cygwin is not part of the operating system, it can't actually prevent the program from accessing something outside of the new root, say by directly calling the Win32 API or using a Win32 filename. A server daemon for example that ran in a chroot jail would represent a valid security technique on Linux -- this would work as well on paper in Cygwin but it would represent a false sense of security because it's not actually going to prevent much.

Brian
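As an added example (not code from this thread or from Cygwin) of what a program has to do for itself when chroot() is only emulated: keep every path it opens under its intended root by construction, rather than trusting the emulated jail. The check below is lexical, it rejects absolute POSIX paths and the Win32 spellings (drive letters, UNC, backslashes) that Brian notes an emulated chroot cannot police, and it refuses any ".." that would climb above the root. The root directory and the sample paths in main() are constructed for the example.

```c
/* Added example; not code from this thread or from Cygwin.  When chroot()
 * is only emulated, as Brian describes, the program itself must keep every
 * path it opens under its intended root.  This is a generic lexical
 * containment check; the root and sample paths in main() are constructed. */
#include <stdio.h>
#include <string.h>

/* Join a caller-supplied relative path onto root, resolving "." and ".."
 * lexically.  Returns 0 and writes the normalized absolute path to out,
 * or -1 if the path is absolute, uses Win32 syntax (drive letter, UNC or
 * backslashes, which an emulated chroot cannot police), climbs above
 * root, or does not fit in outsz bytes. */
int normalize_under_root(const char *root, const char *rel,
                         char *out, size_t outsz)
{
    size_t rlen = strlen(root), len, base;
    const char *p = rel;

    if (root[0] != '/' || rlen + 1 >= outsz)
        return -1;                      /* root must be absolute and fit */
    if (rel[0] == '/' || strchr(rel, '\\') != NULL)
        return -1;                      /* absolute POSIX path or backslashes */
    if (rel[0] != '\0' && rel[1] == ':')
        return -1;                      /* "C:..." drive-letter form */

    memcpy(out, root, rlen);
    len = rlen;
    while (len > 1 && out[len - 1] == '/')
        len--;                          /* drop trailing slashes on root */
    if (len == 1)
        len = 0;                        /* root is "/" itself */
    base = len;

    while (*p != '\0') {
        const char *q;
        size_t clen;
        while (*p == '/')
            p++;
        if (*p == '\0')
            break;
        q = p;
        while (*q != '\0' && *q != '/')
            q++;
        clen = (size_t)(q - p);
        if (clen == 1 && p[0] == '.') {
            p = q;                      /* ".": no-op */
            continue;
        }
        if (clen == 2 && p[0] == '.' && p[1] == '.') {
            if (len == base)
                return -1;              /* ".." at the root: escape attempt */
            while (len > base && out[len - 1] != '/')
                len--;
            if (len > base)
                len--;                  /* remove the separating '/' too */
            p = q;
            continue;
        }
        if (len + 1 + clen + 1 > outsz)
            return -1;                  /* '/' + component + NUL must fit */
        out[len++] = '/';
        memcpy(out + len, p, clen);
        len += clen;
        p = q;
    }
    if (len == 0) {
        out[0] = '/';
        len = 1;
    }
    out[len] = '\0';
    return 0;
}

/* Convenience predicate: 1 if rel resolves to somewhere under root. */
int path_within_root(const char *root, const char *rel)
{
    char buf[4096];
    return normalize_under_root(root, rel, buf, sizeof buf) == 0;
}

int main(void)
{
    const char *root = "/srv/jail";                 /* constructed sample root */
    const char *samples[] = { "pub/./docs//file.txt", "pub/../../etc/passwd",
                              "C:/Windows/system32", "..\\..\\boot.ini" };
    char out[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = normalize_under_root(root, samples[i], out, sizeof out);
        printf("%-24s -> %s\n", samples[i], rc == 0 ? out : "REJECTED");
    }
    return 0;
}
```

The check is purely lexical, so a symbolic link placed inside the root can still point outside it; in a real daemon the normalized path should be opened relative to a directory descriptor for the root (openat with O_NOFOLLOW, or a realpath check on the opened file) so that the filesystem, not string handling, has the final say. That is a general practice and not something the thread itself describes.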
Re: Is there someone offering cygwin paid support?
Christopher Faylor wrote:
> Cygwin potentially adds a whole other layer of insecurity on top of Windows. We do try to keep security in mind but, nevertheless, we don't recommend using Cygwin in a secure installation unless there has been quite a bit of validation.

I'm curious about this. I think I recall from years ago a response to an enquiry about cygwin security that was basically along the lines that cygwin is as secure as the underlying Windows system. That made sense to me - why would cygwin be less secure?

- Will
RE: Is there someone offering cygwin paid support?
Marko Loparic wrote on Friday, September 14, 2007 3:42 PM::
> Hello,
>
> Is there someone that could offer paid support for a cygwin problem I have? I have tried to contact Red Hat but they did not seem interested in offering support for the type of problem I have (or perhaps I didn't reach the right person...).
>
> It is described in the cygwin list:
> http://cygwin.com/ml/cygwin/2007-02/msg00023.html
> http://cygwin.com/ml/cygwin/2007-08/msg00468.html
> http://cygwin.com/ml/cygwin/2007-08/msg00517.html
>
> Some people helped, but it was not enough to solve the problem.
>
> Thanks a lot,
> Marko

Nobody seems to have noticed that the group is listed as mkgroup-l-d. This suggests that you need to set up /etc/groups properly by running the command:

    mkgroup -l > /etc/group

or more likely in this case (as it's a network share):

    mkgroup -d > /etc/group

For more information, man mkgroup and/or man mkpasswd.

No charge, no guarantee. (If it sorts out your problem, my insincere apologies go to anyone who fancied making a quick buck!)

Phil
Re: Is there someone offering cygwin paid support?
Hi Phil,

I have also tried to do what you say but it did not solve the problem.

Thanks a lot anyway,
Marko

On 9/17/07, Phil Betts [EMAIL PROTECTED] wrote:
> Marko Loparic wrote on Friday, September 14, 2007 3:42 PM::
>> Hello,
>>
>> Is there someone that could offer paid support for a cygwin problem I have? I have tried to contact Red Hat but they did not seem interested in offering support for the type of problem I have (or perhaps I didn't reach the right person...).
>>
>> It is described in the cygwin list:
>> http://cygwin.com/ml/cygwin/2007-02/msg00023.html
>> http://cygwin.com/ml/cygwin/2007-08/msg00468.html
>> http://cygwin.com/ml/cygwin/2007-08/msg00517.html
>>
>> Some people helped, but it was not enough to solve the problem.
>>
>> Thanks a lot,
>> Marko
>
> Nobody seems to have noticed that the group is listed as mkgroup-l-d. This suggests that you need to set up /etc/groups properly by running the command:
>
>     mkgroup -l > /etc/group
>
> or more likely in this case (as it's a network share):
>
>     mkgroup -d > /etc/group
>
> For more information, man mkgroup and/or man mkpasswd.
>
> No charge, no guarantee. (If it sorts out your problem, my insincere apologies go to anyone who fancied making a quick buck!)
>
> Phil
Re: Is there someone offering cygwin paid support?
Marko Loparic wrote:
> Hi Phil,
>
> I have also tried to do what you say but it did not solve the problem.
>
> Thanks a lot anyway,

Just a quick note, by the way, to question your apparent assumption that paid support will get you any further than using this list!

The information you get here is straight from the horse's mouth, by the developers of the software. I doubt there is anyone better-informed about the issues, and paying for support doesn't actually get you anything better, nor any guarantee that your issues will be resolved. We are all lucky they are prepared to contribute so willingly and so much.

regards
 Steve
--
Steve Holden  +1 571 484 6266  +1 800 494 3119
Holden Web LLC/Ltd  http://www.holdenweb.com
Skype: holdenweb  http://del.icio.us/steve.holden
Sorry, the dog ate my .sigline
Re: Is there someone offering cygwin paid support?
----- Original Message -----
From: Marko Loparic [EMAIL PROTECTED]
To: cygwin@cygwin.com
Sent: Monday, September 17, 2007 1:49:39 PM
Subject: Re: Is there someone offering cygwin paid support?

Hello Steve,

On 9/17/07, Steve Holden [EMAIL PROTECTED] wrote:
> Just a quick note, by the way, to question your apparent assumption that paid support will get you any further than using this list!

I have already tried the list, some people helped, someone suggested that I use cacls, which certainly put me closer to the solution, but it was not enough. If you have an idea of what else I could try please tell me. DOS commands have no permission problem, Emacs for Windows also opens the directory without problems, but all cygwin commands get a permission denied error...

Thanks,
Marko

Marko, you could download Process Explorer (http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx) and use it to watch for Windows messages while trying to access the directories/files you are having problems with. It's an excellent tool.

=Keith
Re: Is there someone offering cygwin paid support?
Hello Steve,

On 9/17/07, Steve Holden [EMAIL PROTECTED] wrote:
> Just a quick note, by the way, to question your apparent assumption that paid support will get you any further than using this list!

I have already tried the list, some people helped, someone suggested that I use cacls, which certainly put me closer to the solution, but it was not enough. If you have an idea of what else I could try please tell me. DOS commands have no permission problem, Emacs for Windows also opens the directory without problems, but all cygwin commands get a permission denied error...

Thanks,
Marko
Re: Is there someone offering cygwin paid support?
Marko Loparic wrote:
> Hello Steve,
>
> On 9/17/07, Steve Holden [EMAIL PROTECTED] wrote:
>> Just a quick note, by the way, to question your apparent assumption that paid support will get you any further than using this list!
>
> I have already tried the list, some people helped, someone suggested that I use cacls, which certainly put me closer to the solution, but it was not enough. If you have an idea of what else I could try please tell me. DOS commands have no permission problem, Emacs for Windows also opens the directory without problems, but all cygwin commands get a permission denied error...

Sorry, if people like Dave Korn can't help I doubt anything I bring to the party will be of more assistance. I think the people most likely to help are the administrators who put those funky access control lists on the share.

I suppose one thing you could do is use a local security policy to audit directory access: that might give you some clue as to why Cygwin processes were being denied access, but there are no guarantees. Auditing on the server might also give you further information.

regards
 Steve
--
Steve Holden  +1 571 484 6266  +1 800 494 3119
Holden Web LLC/Ltd  http://www.holdenweb.com
Skype: holdenweb  http://del.icio.us/steve.holden
Sorry, the dog ate my .sigline
Is there someone offering cygwin paid support?
Hello,

Is there someone that could offer paid support for a cygwin problem I have? I have tried to contact Red Hat but they did not seem interested in offering support for the type of problem I have (or perhaps I didn't reach the right person...).

It is described in the cygwin list:
http://cygwin.com/ml/cygwin/2007-02/msg00023.html
http://cygwin.com/ml/cygwin/2007-08/msg00468.html
http://cygwin.com/ml/cygwin/2007-08/msg00517.html

Some people helped, but it was not enough to solve the problem.

Thanks a lot,
Marko