aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCorinna Vinschen <corinna@vinschen.de>2006-07-14 13:03:11 +0000
committerCorinna Vinschen <corinna@vinschen.de>2006-07-14 13:03:11 +0000
commite0295cab95407144e9191380e5390374a0efd64c (patch)
tree3ca4aef552530f0da516e83046ae1b15838589ef
parent8df546e3a580112b0c17a2bd29f7efc2aa279ee0 (diff)
downloadnewlib-e0295cab95407144e9191380e5390374a0efd64c.zip
newlib-e0295cab95407144e9191380e5390374a0efd64c.tar.gz
newlib-e0295cab95407144e9191380e5390374a0efd64c.tar.bz2
* security.cc (get_token_group_sidlist): Always add the interactive
group to the token. Add comment. Create logon_id group SID by copying it from incoming group list. (create_token): Add subauth_token parameter. Use information in subauth_token if present. Tweak SourceIdentifier if subauth_token is present for debugging purposes. * security.h (create_token): Add subauth_token parameter in declaration. * syscalls.cc (seteuid32): Call subauth first. Call create_token regardless. Use subauth token in call to create_token if subauth succeeded.
-rw-r--r--winsup/cygwin/ChangeLog13
-rw-r--r--winsup/cygwin/security.cc68
-rw-r--r--winsup/cygwin/security.h3
-rw-r--r--winsup/cygwin/syscalls.cc19
4 files changed, 81 insertions, 22 deletions
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index e4a8605..86400b6 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,16 @@
+2006-07-14 Corinna Vinschen <corinna@vinschen.de>
+
+ * security.cc (get_token_group_sidlist): Always add the interactive
+ group to the token. Add comment. Create logon_id group SID by
+ copying it from incoming group list.
+ (create_token): Add subauth_token parameter. Use information in
+ subauth_token if present. Tweak SourceIdentifier if subauth_token
+ is present for debugging purposes.
+ * security.h (create_token): Add subauth_token parameter in declaration.
+ * syscalls.cc (seteuid32): Call subauth first. Call create_token
+ regardless. Use subauth token in call to create_token if subauth
+ succeeded.
+
2006-07-13 Christopher Faylor <cgf@timesys.com>
* sigproc.cc (waitq_head): Don't initialize to zero.
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index 6dc9107..0970805 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -501,7 +501,11 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps,
grp_list += well_known_network_sid;
if (sid_in_token_groups (my_grps, well_known_batch_sid))
grp_list += well_known_batch_sid;
- if (sid_in_token_groups (my_grps, well_known_interactive_sid))
+ /* This is a problem on 2K3 (only domain controllers?!?) which only
+ enables tools for selected special groups. A subauth token is
+ only NETWORK, but NETWORK has no access to these tools. Therefore
+ we always add INTERACTIVE here. */
+ /*if (sid_in_token_groups (my_grps, well_known_interactive_sid))*/
grp_list += well_known_interactive_sid;
if (sid_in_token_groups (my_grps, well_known_service_sid))
grp_list += well_known_service_sid;
@@ -513,11 +517,13 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps,
}
if (get_ll (auth_luid) != 999LL) /* != SYSTEM_LUID */
{
- char buf[64];
- __small_sprintf (buf, "S-1-5-5-%u-%u", auth_luid.HighPart,
- auth_luid.LowPart);
- grp_list += buf;
- auth_pos = grp_list.count - 1;
+ for (DWORD i = 0; i < my_grps->GroupCount; ++i)
+ if (my_grps->Groups[i].Attributes & SE_GROUP_LOGON_ID)
+ {
+ grp_list += my_grps->Groups[i].Sid;
+ auth_pos = grp_list.count - 1;
+ break;
+ }
}
}
@@ -810,7 +816,8 @@ done:
}
HANDLE
-create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
+create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw,
+ HANDLE subauth_token)
{
NTSTATUS ret;
LSA_HANDLE lsa = INVALID_HANDLE_VALUE;
@@ -833,7 +840,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
TOKEN_STATISTICS stats;
memcpy (source.SourceName, "Cygwin.1", 8);
source.SourceIdentifier.HighPart = 0;
- source.SourceIdentifier.LowPart = 0x0101;
+ source.SourceIdentifier.LowPart = (subauth_token ? 0x0102 : 0x0101);
HANDLE token = INVALID_HANDLE_VALUE;
HANDLE primary_token = INVALID_HANDLE_VALUE;
@@ -854,33 +861,60 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
owner.Owner = usersid;
/* Retrieve authentication id and group list from own process. */
- if (hProcToken)
+ HANDLE get_token;
+ if (subauth_token)
+ {
+ debug_printf ("get_token = subauth_token");
+ get_token = subauth_token;
+ }
+ else
+ {
+ debug_printf ("get_token = hProcToken");
+ get_token = hProcToken;
+ }
+ if (get_token)
{
/* Switching user context to SYSTEM doesn't inherit the authentication
id of the user account running current process. */
if (usersid != well_known_system_sid)
- if (!GetTokenInformation (hProcToken, TokenStatistics,
+ if (!GetTokenInformation (get_token, TokenStatistics,
&stats, sizeof stats, &size))
debug_printf
- ("GetTokenInformation(hProcToken, TokenStatistics), %E");
+ ("GetTokenInformation(get_token, TokenStatistics), %E");
else
auth_luid = stats.AuthenticationId;
/* Retrieving current processes group list to be able to inherit
some important well known group sids. */
- if (!GetTokenInformation (hProcToken, TokenGroups, NULL, 0, &size) &&
- GetLastError () != ERROR_INSUFFICIENT_BUFFER)
- debug_printf ("GetTokenInformation(hProcToken, TokenGroups), %E");
+ if (!GetTokenInformation (get_token, TokenGroups, NULL, 0, &size)
+ && GetLastError () != ERROR_INSUFFICIENT_BUFFER)
+ debug_printf ("GetTokenInformation(get_token, TokenGroups), %E");
else if (!(my_tok_gsids = (PTOKEN_GROUPS) malloc (size)))
debug_printf ("malloc (my_tok_gsids) failed.");
- else if (!GetTokenInformation (hProcToken, TokenGroups, my_tok_gsids,
+ else if (!GetTokenInformation (get_token, TokenGroups, my_tok_gsids,
size, &size))
{
- debug_printf ("GetTokenInformation(hProcToken, TokenGroups), %E");
+ debug_printf ("GetTokenInformation(get_token, TokenGroups), %E");
free (my_tok_gsids);
my_tok_gsids = NULL;
}
}
+ if (subauth_token)
+ {
+ if (!GetTokenInformation (subauth_token, TokenPrivileges, NULL, 0, &size)
+ && GetLastError () != ERROR_INSUFFICIENT_BUFFER)
+ debug_printf ("GetTokenInformation(subauth_token, TokenPrivileges), %E");
+ else if (!(privs = (PTOKEN_PRIVILEGES) malloc (size)))
+ debug_printf ("malloc (privs) failed.");
+ else if (!GetTokenInformation (subauth_token, TokenPrivileges, privs,
+ size, &size))
+ {
+ debug_printf ("GetTokenInformation(subauth_token, TokenPrivileges), %E");
+ free (privs);
+ privs = NULL;
+ }
+ }
+
/* Create list of groups, the user is member in. */
int auth_pos;
@@ -908,7 +942,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
new_tok_gsids->Groups[auth_pos].Attributes |= SE_GROUP_LOGON_ID;
/* Retrieve list of privileges of that user. */
- if (!(privs = get_priv_list (lsa, usersid, tmp_gsids)))
+ if (!privs && !(privs = get_priv_list (lsa, usersid, tmp_gsids)))
goto out;
/* Let's be heroic... */
diff --git a/winsup/cygwin/security.h b/winsup/cygwin/security.h
index 3155ec6..ef0871f 100644
--- a/winsup/cygwin/security.h
+++ b/winsup/cygwin/security.h
@@ -322,7 +322,8 @@ void __stdcall str2uni_cat (_UNICODE_STRING &, const char *) __attribute__ ((reg
/* Try a subauthentication. */
HANDLE subauth (struct passwd *pw);
/* Try creating a token directly. */
-HANDLE create_token (cygsid &usersid, user_groups &groups, struct passwd * pw);
+HANDLE create_token (cygsid &usersid, user_groups &groups, struct passwd * pw,
+ HANDLE subauth_token);
/* Verify an existing token */
bool verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern = NULL);
/* Get groups of a user */
diff --git a/winsup/cygwin/syscalls.cc b/winsup/cygwin/syscalls.cc
index 6faa09f..a8b7aa8 100644
--- a/winsup/cygwin/syscalls.cc
+++ b/winsup/cygwin/syscalls.cc
@@ -2172,18 +2172,29 @@ seteuid32 (__uid32_t uid)
authenticate using NtCreateToken () or subauthentication. */
if (new_token == INVALID_HANDLE_VALUE)
{
- new_token = create_token (usersid, groups, pw_new);
+ new_token = subauth (pw_new);
if (new_token == INVALID_HANDLE_VALUE)
{
- /* create_token failed. Try subauthentication. */
- debug_printf ("create token failed, try subauthentication.");
- new_token = subauth (pw_new);
+ debug_printf ("subauthentication failed, try create token.");
+ new_token = create_token (usersid, groups, pw_new, NULL);
if (new_token == INVALID_HANDLE_VALUE)
{
cygheap->user.reimpersonate ();
return -1;
}
}
+ else
+ {
+ debug_printf ("subauthentication succeeded, try create token.");
+ HANDLE new_token2 = create_token (usersid, groups, pw_new, new_token);
+ if (new_token2 == INVALID_HANDLE_VALUE)
+ debug_printf ("create token failed, use original token");
+ else
+ {
+ CloseHandle (new_token);
+ new_token = new_token2;
+ }
+ }
/* Keep at most one internal token */
if (cygheap->user.internal_token != NO_IMPERSONATION)
CloseHandle (cygheap->user.internal_token);