nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-04-20 20:45:02 -05:00
Code Issues Projects Releases Wiki Activity

Document '-restrict-acl' vs subprocesses.

Browse Source 
(Since we've thought about it.)
This commit is contained in:
Jacob Nevins 2017-02-04 12:12:18 +00:00
parent e4ad487fec
commit 72c3c23ebd
2 changed files with 18 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
doc/index.but
View File

@ -863,3 +863,7 @@ saved sessions from
\IM{64-bit Windows} 64-bit Windows \IM{64-bit Windows} 64-bit Windows
\IM{64-bit Windows} Windows, 64-bit \IM{64-bit Windows} Windows, 64-bit
\IM{Windows process ACL} Windows process ACL
\IM{Windows process ACL} process ACL (Windows)
\IM{Windows process ACL} ACL, process (Windows)

22
doc/using.but
View File

@ -1012,15 +1012,15 @@ See \k{config-proxy-type} for more information on this, and on other
proxy settings. proxy settings.
\S2{using-cmdline-restrict-acl} \i\c{-restrict-acl}: restrict the \S2{using-cmdline-restrict-acl} \i\c{-restrict-acl}: restrict the
Windows process ACL \i{Windows process ACL}
This option (on Windows only) causes PuTTY to try to lock down the This option (on Windows only) causes PuTTY (or another PuTTY tool) to
operating system's access control on its own process. If this try to lock down the operating system's access control on its own
succeeds, it should present an extra obstacle to malware that has process. If this succeeds, it should present an extra obstacle to
managed to run under the same user id as the PuTTY process, by malware that has managed to run under the same user id as the PuTTY
preventing it from attaching to PuTTY using the same interfaces process, by preventing it from attaching to PuTTY using the same
debuggers use and either reading sensitive information out of its interfaces debuggers use and either reading sensitive information out
memory or hijacking its network session. of its memory or hijacking its network session.
This option is not enabled by default, because this form of This option is not enabled by default, because this form of
interaction between Windows programs has many legitimate uses, interaction between Windows programs has many legitimate uses,
@ -1031,3 +1031,9 @@ up, and malware could still get in if it attacks the process between
startup and lockdown. So it trades away noticeable convenience, and startup and lockdown. So it trades away noticeable convenience, and
delivers less real security than you might want. However, if you do delivers less real security than you might want. However, if you do
want to make that tradeoff anyway, the option is available. want to make that tradeoff anyway, the option is available.
A PuTTY process started with \c{-restrict-acl} will pass that on to
any processes started with Duplicate Session, New Session etc.
(However, if you're invoking PuTTY tools explicitly, for instance as a
proxy command, you'll need to arrange to pass them the
\c{-restrict-acl} option yourself, if that's what you want.)