diff options
author | Corinna Vinschen <corinna@vinschen.de> | 2006-07-14 13:03:11 +0000 |
---|---|---|
committer | Corinna Vinschen <corinna@vinschen.de> | 2006-07-14 13:03:11 +0000 |
commit | e0295cab95407144e9191380e5390374a0efd64c (patch) | |
tree | 3ca4aef552530f0da516e83046ae1b15838589ef | |
parent | 8df546e3a580112b0c17a2bd29f7efc2aa279ee0 (diff) | |
download | newlib-e0295cab95407144e9191380e5390374a0efd64c.zip newlib-e0295cab95407144e9191380e5390374a0efd64c.tar.gz newlib-e0295cab95407144e9191380e5390374a0efd64c.tar.bz2 |
* security.cc (get_token_group_sidlist): Always add the interactive
group to the token. Add comment. Create logon_id group SID by
copying it from incoming group list.
(create_token): Add subauth_token parameter. Use information in
subauth_token if present. Tweak SourceIdentifier if subauth_token
is present for debugging purposes.
* security.h (create_token): Add subauth_token parameter in declaration.
* syscalls.cc (seteuid32): Call subauth first. Call create_token
regardless. Use subauth token in call to create_token if subauth
succeeded.
-rw-r--r-- | winsup/cygwin/ChangeLog | 13 | ||||
-rw-r--r-- | winsup/cygwin/security.cc | 68 | ||||
-rw-r--r-- | winsup/cygwin/security.h | 3 | ||||
-rw-r--r-- | winsup/cygwin/syscalls.cc | 19 |
4 files changed, 81 insertions, 22 deletions
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog index e4a8605..86400b6 100644 --- a/winsup/cygwin/ChangeLog +++ b/winsup/cygwin/ChangeLog @@ -1,3 +1,16 @@ +2006-07-14 Corinna Vinschen <corinna@vinschen.de> + + * security.cc (get_token_group_sidlist): Always add the interactive + group to the token. Add comment. Create logon_id group SID by + copying it from incoming group list. + (create_token): Add subauth_token parameter. Use information in + subauth_token if present. Tweak SourceIdentifier if subauth_token + is present for debugging purposes. + * security.h (create_token): Add subauth_token parameter in declaration. + * syscalls.cc (seteuid32): Call subauth first. Call create_token + regardless. Use subauth token in call to create_token if subauth + succeeded. + 2006-07-13 Christopher Faylor <cgf@timesys.com> * sigproc.cc (waitq_head): Don't initialize to zero. diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc index 6dc9107..0970805 100644 --- a/winsup/cygwin/security.cc +++ b/winsup/cygwin/security.cc @@ -501,7 +501,11 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps, grp_list += well_known_network_sid; if (sid_in_token_groups (my_grps, well_known_batch_sid)) grp_list += well_known_batch_sid; - if (sid_in_token_groups (my_grps, well_known_interactive_sid)) + /* This is a problem on 2K3 (only domain controllers?!?) which only + enables tools for selected special groups. A subauth token is + only NETWORK, but NETWORK has no access to these tools. Therefore + we always add INTERACTIVE here. */ + /*if (sid_in_token_groups (my_grps, well_known_interactive_sid))*/ grp_list += well_known_interactive_sid; if (sid_in_token_groups (my_grps, well_known_service_sid)) grp_list += well_known_service_sid; @@ -513,11 +517,13 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps, } if (get_ll (auth_luid) != 999LL) /* != SYSTEM_LUID */ { - char buf[64]; - __small_sprintf (buf, "S-1-5-5-%u-%u", auth_luid.HighPart, - auth_luid.LowPart); - grp_list += buf; - auth_pos = grp_list.count - 1; + for (DWORD i = 0; i < my_grps->GroupCount; ++i) + if (my_grps->Groups[i].Attributes & SE_GROUP_LOGON_ID) + { + grp_list += my_grps->Groups[i].Sid; + auth_pos = grp_list.count - 1; + break; + } } } @@ -810,7 +816,8 @@ done: } HANDLE -create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw) +create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw, + HANDLE subauth_token) { NTSTATUS ret; LSA_HANDLE lsa = INVALID_HANDLE_VALUE; @@ -833,7 +840,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw) TOKEN_STATISTICS stats; memcpy (source.SourceName, "Cygwin.1", 8); source.SourceIdentifier.HighPart = 0; - source.SourceIdentifier.LowPart = 0x0101; + source.SourceIdentifier.LowPart = (subauth_token ? 0x0102 : 0x0101); HANDLE token = INVALID_HANDLE_VALUE; HANDLE primary_token = INVALID_HANDLE_VALUE; @@ -854,33 +861,60 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw) owner.Owner = usersid; /* Retrieve authentication id and group list from own process. */ - if (hProcToken) + HANDLE get_token; + if (subauth_token) + { + debug_printf ("get_token = subauth_token"); + get_token = subauth_token; + } + else + { + debug_printf ("get_token = hProcToken"); + get_token = hProcToken; + } + if (get_token) { /* Switching user context to SYSTEM doesn't inherit the authentication id of the user account running current process. */ if (usersid != well_known_system_sid) - if (!GetTokenInformation (hProcToken, TokenStatistics, + if (!GetTokenInformation (get_token, TokenStatistics, &stats, sizeof stats, &size)) debug_printf - ("GetTokenInformation(hProcToken, TokenStatistics), %E"); + ("GetTokenInformation(get_token, TokenStatistics), %E"); else auth_luid = stats.AuthenticationId; /* Retrieving current processes group list to be able to inherit some important well known group sids. */ - if (!GetTokenInformation (hProcToken, TokenGroups, NULL, 0, &size) && - GetLastError () != ERROR_INSUFFICIENT_BUFFER) - debug_printf ("GetTokenInformation(hProcToken, TokenGroups), %E"); + if (!GetTokenInformation (get_token, TokenGroups, NULL, 0, &size) + && GetLastError () != ERROR_INSUFFICIENT_BUFFER) + debug_printf ("GetTokenInformation(get_token, TokenGroups), %E"); else if (!(my_tok_gsids = (PTOKEN_GROUPS) malloc (size))) debug_printf ("malloc (my_tok_gsids) failed."); - else if (!GetTokenInformation (hProcToken, TokenGroups, my_tok_gsids, + else if (!GetTokenInformation (get_token, TokenGroups, my_tok_gsids, size, &size)) { - debug_printf ("GetTokenInformation(hProcToken, TokenGroups), %E"); + debug_printf ("GetTokenInformation(get_token, TokenGroups), %E"); free (my_tok_gsids); my_tok_gsids = NULL; } } + if (subauth_token) + { + if (!GetTokenInformation (subauth_token, TokenPrivileges, NULL, 0, &size) + && GetLastError () != ERROR_INSUFFICIENT_BUFFER) + debug_printf ("GetTokenInformation(subauth_token, TokenPrivileges), %E"); + else if (!(privs = (PTOKEN_PRIVILEGES) malloc (size))) + debug_printf ("malloc (privs) failed."); + else if (!GetTokenInformation (subauth_token, TokenPrivileges, privs, + size, &size)) + { + debug_printf ("GetTokenInformation(subauth_token, TokenPrivileges), %E"); + free (privs); + privs = NULL; + } + } + /* Create list of groups, the user is member in. */ int auth_pos; @@ -908,7 +942,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw) new_tok_gsids->Groups[auth_pos].Attributes |= SE_GROUP_LOGON_ID; /* Retrieve list of privileges of that user. */ - if (!(privs = get_priv_list (lsa, usersid, tmp_gsids))) + if (!privs && !(privs = get_priv_list (lsa, usersid, tmp_gsids))) goto out; /* Let's be heroic... */ diff --git a/winsup/cygwin/security.h b/winsup/cygwin/security.h index 3155ec6..ef0871f 100644 --- a/winsup/cygwin/security.h +++ b/winsup/cygwin/security.h @@ -322,7 +322,8 @@ void __stdcall str2uni_cat (_UNICODE_STRING &, const char *) __attribute__ ((reg /* Try a subauthentication. */ HANDLE subauth (struct passwd *pw); /* Try creating a token directly. */ -HANDLE create_token (cygsid &usersid, user_groups &groups, struct passwd * pw); +HANDLE create_token (cygsid &usersid, user_groups &groups, struct passwd * pw, + HANDLE subauth_token); /* Verify an existing token */ bool verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern = NULL); /* Get groups of a user */ diff --git a/winsup/cygwin/syscalls.cc b/winsup/cygwin/syscalls.cc index 6faa09f..a8b7aa8 100644 --- a/winsup/cygwin/syscalls.cc +++ b/winsup/cygwin/syscalls.cc @@ -2172,18 +2172,29 @@ seteuid32 (__uid32_t uid) authenticate using NtCreateToken () or subauthentication. */ if (new_token == INVALID_HANDLE_VALUE) { - new_token = create_token (usersid, groups, pw_new); + new_token = subauth (pw_new); if (new_token == INVALID_HANDLE_VALUE) { - /* create_token failed. Try subauthentication. */ - debug_printf ("create token failed, try subauthentication."); - new_token = subauth (pw_new); + debug_printf ("subauthentication failed, try create token."); + new_token = create_token (usersid, groups, pw_new, NULL); if (new_token == INVALID_HANDLE_VALUE) { cygheap->user.reimpersonate (); return -1; } } + else + { + debug_printf ("subauthentication succeeded, try create token."); + HANDLE new_token2 = create_token (usersid, groups, pw_new, new_token); + if (new_token2 == INVALID_HANDLE_VALUE) + debug_printf ("create token failed, use original token"); + else + { + CloseHandle (new_token); + new_token = new_token2; + } + } /* Keep at most one internal token */ if (cygheap->user.internal_token != NO_IMPERSONATION) CloseHandle (cygheap->user.internal_token); |