Hi, I've just updated the subject line for accuracy. Only remote/reverse unix socket forwarding fails.
Further, I have a clarification that might have significance:

On 8/08/2023 3:40 am, Corinna Vinschen via Cygwin wrote:
> On Aug 7 22:11, Shaddy Baddah via Cygwin wrote:
..
>
>> DISABLE_FD_PASS is always set by autoconf for Cygwin. And my reading is
>> that not having that capability effectively means whatever the other
>> criteria, the executing process doesn't have sufficient "separation" of
>> privilege to be treated in the same manner.

Perhaps contrary to expectation, with the more conventional remote/reverse TCP port forwarding, with Cygwin sshd, the LISTEN port exists in the, is it called the monitor (http://www.citi.umich.edu/u/provos/ssh/priv.jpg)/intermediary sshd process. So something like:

|>~C
|ssh> -R 12345:22

will result in a (confirmed by netstat) LISTEN port in the SYSTEM owned sshd process, which is the parent of the non-privileged owned sshd process.

I'm not suggesting that this is not a considered situation, because to my knowledge, it's a much different situation allowing an ssh user to manipulate the filesystem (for unix sockets), as SYSTEM, than using netsocks as SYSTEM to try and bind TCP ports... I think???

But it certainly aligns with my newfound understanding of Cygwin's "trade-off" form of privilege separation.

--
Regards,
Shaddy
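One way to check the observation in the message above on a host, as an added example that is not part of the original message or of Cygwin/OpenSSH: it joins `netstat -ano` output with a process table and reports forwarded listeners held by a SYSTEM-owned sshd that has a non-privileged sshd child. The sample output, PIDs, user names and the pid/ppid/user/name CSV layout are constructed assumptions.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       1180
  TCP    127.0.0.1:12345        0.0.0.0:0              LISTENING       2264
  TCP    192.168.1.10:22        192.168.1.20:50211     ESTABLISHED     2264
  TCP    [::1]:12345            [::]:0                 LISTENING       2264
"""

# Constructed process table; the CSV layout is an assumption for this example.
PROCS = """\
pid,ppid,user,name
1180,700,NT AUTHORITY\\SYSTEM,sshd.exe
2264,1180,NT AUTHORITY\\SYSTEM,sshd.exe
2310,2264,HOST\\user1,sshd.exe
2311,2310,HOST\\user1,bash.exe
"""

def listeners(netstat_text):
    """Yield (port, pid) for every TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            yield int(f[1].rsplit(":", 1)[1]), int(f[4])

def privileged_forward_listeners(netstat_text, procs_text, sshd_port=22):
    """Report listeners (other than sshd's own port) held by a SYSTEM sshd
    whose child is an sshd running as a different, non-SYSTEM user."""
    procs = {int(r["pid"]): r for r in csv.DictReader(io.StringIO(procs_text))}
    findings = set()  # a port bound on IPv4 and IPv6 is reported once
    for port, pid in listeners(netstat_text):
        owner = procs.get(pid)
        if not owner or owner["name"] != "sshd.exe" or port == sshd_port:
            continue
        if not owner["user"].endswith("\\SYSTEM"):
            continue  # listener already lives in an unprivileged process
        for child in procs.values():
            if (int(child["ppid"]) == pid and child["name"] == "sshd.exe"
                    and child["user"] != owner["user"]):
                findings.add((port, pid, owner["user"],
                              int(child["pid"]), child["user"]))
    return sorted(findings)

if __name__ == "__main__":
    for port, pid, user, cpid, cuser in privileged_forward_listeners(NETSTAT, PROCS):
        print(f"port {port}: sshd pid {pid} ({user}), session child {cpid} ({cuser})")
```
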