[cvsnt] Re: cygwin ssh server and author being set to SYSTEM
Tony Hoyle
tmh at nodomain.org
Sun Jan 11 17:56:57 GMT 2004
Pavel Goran wrote:
> I understand your unwillingness to alter the (formally) correct
> behaviour of CVSNT. However, it may take a long time for the bug to be
> fixed in Cygwin (and it may turn out to work only in Win2k3), and in
> CVSNT it can be worked around with only slight modifications.

The problem is it falls into the trap of trusting the client. That's
something you should never do... If you're using ssh to start with then
I presume security is an issue.

Fixing it properly might be possible, but there's a big caveat...

I knocked up a DLL that does proper setuid on Win2k/XP that could be
used for cygwin (or for cvsnt with pserver to remove the hack we have
now)... however I realized very quickly that at the level you have to
work to do that, Windows security doesn't exist (I've got a little EXE
that can take an ordinary user and give them a delegation level token
for the administrator account without knowing the password).

At that level open source works against you... If I check in the code to
do it properly into cvsnt, even if I write it in such a way that you need
SeTcbName at least, it would take approx. 30 seconds for someone to
remove the checks...

The only mitigating factor is that you must be an admin to install it to
start with :)

Tony