03-13-2007, 09:57 PM
Re: cygwin security in sensitive production
> - Security on processing arbitrary data. What happens if your Bash Script
> running within Cygwin stumbles on strange filenames?
Depends on what it uses those names for, I guess..
I doubt there are any buffer overflow flaws in the shellcode, but
anyway, we shall try to avoid running shell scripts outside the
container (and only UNIX-type names will be allowed in the container).
The only Cygwin piece that's going to look outside the
is the Tripwire binary. Tripwire, compiled in Cygwin from source,
has proved to work on strange Windows filenames just fine.
Of course, it has not been tested against things like buffer
on long names, but we probably can make sure that names aren't too
on the whole Windows box.
> - Loader behaviour. At least not Cygwin itself, but some of Cygwin's tools
> might use what's called a ".shared" section, which effectively is shared
> memory among multiple instances of the same binary. If someone with normal
> user rights and an admin are running such a binary at the same time, and
> additionally the program holds security-relevant data in this shared
> memory, it might lead to privilege escalation, since there's no security
> boundary on such kind of shared memory.
OK. We shall watch for not running multiple instances. This should
not be too difficult - the load is very moderate, no incoming traffic to
(it will only push the data, and never pull).
I believe we should be able to control this.
Many thanks, the points you raised added more to my watch list.
> Out of curiosity, how are your Unix boxes configured? I have heard
> that mandatory access controls (MAC) are difficult to setup on most
> versions of Unix. I am impressed that your organization has them B1
> certified. Anything special that you fellows had to do?
These will run Solaris 10 with Trusted Extensions.
Not sure how Solaris's RBAC (Role Based Access Control) relates to MAC,
but there are a few B1 certified servers in the house built by other
this way, so I hope this should be possible for our team, too.
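The first point raised in the thread, what a shell script does when it meets strange filenames, and the poster's intention to keep names from getting too long, can both be shown concretely. The following is an added example, not code from the thread or from the Cygwin or Tripwire projects. It assumes only POSIX sh and find; the hostile directory tree it builds (spaces, an embedded newline, a glob character, a leading dash) is constructed test data. Note that `*` is legal on a Unix filesystem but not on NTFS, which is one reason the poster restricts the container to UNIX-type names only.

```shell
#!/bin/sh
# Added example: handling arbitrary filenames in shell without ever parsing
# them out of text output. All names are passed as arguments, NUL-separated
# or via find -exec, so spaces, newlines, globs and leading dashes survive.

# make_sample_tree DIR: build a constructed set of hostile names under DIR.
make_sample_tree() {
    dir=$1
    nl='
'
    mkdir -p -- "$dir/sub dir"
    : > "$dir/plain.txt"
    : > "$dir/with space.txt"
    : > "$dir/-rf"                    # leading dash: looks like an option
    : > "$dir/star*.txt"              # glob metacharacter (Unix only, not NTFS)
    : > "$dir/sub dir/nested.txt"
    : > "$dir/new${nl}line.txt"       # embedded newline
}

# count_files_naive DIR: the fragile idiom. Word-splitting the output of ls
# breaks names on spaces and newlines, and counts the directory entry too,
# so the result does not match the real number of files.
count_files_naive() {
    n=0
    for f in $(ls "$1"); do n=$((n + 1)); done
    echo "$n"
}

# count_files_safe DIR: find emits one action per regular file; we never
# read the names back as text, so any byte in a name is harmless.
count_files_safe() {
    find "$1" -type f -exec printf . \; | wc -c | tr -d ' '
}

# count_names_over DIR MAX: number of regular files whose basename is longer
# than MAX characters. Names reach the inner sh as positional parameters via
# -exec ... {} +, which may run sh several times, so partial counts are summed.
count_names_over() {
    find "$1" -type f -exec sh -c '
        max=$1; shift; n=0
        for p; do
            b=${p##*/}
            [ "${#b}" -gt "$max" ] && n=$((n + 1))
        done
        printf "%s\n" "$n"' sh "$2" {} + | awk '{ s += $1 } END { print s + 0 }'
}

# Stand-alone demonstration on a temporary tree.
if [ "${0##*/}" != "sh" ] && [ -z "${NO_DEMO:-}" ]; then
    d=$(mktemp -d)
    make_sample_tree "$d"
    echo "naive count: $(count_files_naive "$d")"
    echo "safe count:  $(count_files_safe "$d")"
    echo "names over 9 chars: $(count_names_over "$d" 9)"
    rm -rf -- "$d"
fi
```

The naive loop gives a wrong count because `ls` output is split on whitespace, including the newline inside one name, whereas the `find -exec` forms carry each name intact as an argument. The same pattern (pass names as arguments, never as parsed text, and put `--` before every path that could start with a dash) is what a script inspecting a Windows tree under Cygwin would need.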