diff options
author | Corinna Vinschen <corinna@vinschen.de> | 2004-02-06 10:37:37 +0000 |
---|---|---|
committer | Corinna Vinschen <corinna@vinschen.de> | 2004-02-06 10:37:37 +0000 |
commit | 043878df18006f7243ae2547bcb0c9c43404fa82 (patch) | |
tree | 9098f5273fe63ddfcb7fca66017e81d28eceb3e5 /winsup | |
parent | 4ea8488c702529fd5e5bd32c2e7b624be8bad81b (diff) | |
download | newlib-043878df18006f7243ae2547bcb0c9c43404fa82.zip newlib-043878df18006f7243ae2547bcb0c9c43404fa82.tar.gz newlib-043878df18006f7243ae2547bcb0c9c43404fa82.tar.bz2 |
* uinfo.cc (cygheap_user::init): Use sec_user_nih to build a
security descriptor. Set both the process and the default DACLs.
* fork.cc (fork_parent): Use sec_none_nih security attributes.
* spawn.cc (spawn_guts): Ditto.
Diffstat (limited to 'winsup')
-rw-r--r-- | winsup/cygwin/ChangeLog | 7 | ||||
-rw-r--r-- | winsup/cygwin/fork.cc | 6 | ||||
-rw-r--r-- | winsup/cygwin/spawn.cc | 15 | ||||
-rw-r--r-- | winsup/cygwin/uinfo.cc | 45 |
4 files changed, 30 insertions, 43 deletions
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog index e467112..0aac1ab 100644 --- a/winsup/cygwin/ChangeLog +++ b/winsup/cygwin/ChangeLog @@ -1,3 +1,10 @@ +2004-02-06 Pierre Humblet <pierre.humblet@ieee.org> + + * uinfo.cc (cygheap_user::init): Use sec_user_nih to build a + security descriptor. Set both the process and the default DACLs. + * fork.cc (fork_parent): Use sec_none_nih security attributes. + * spawn.cc (spawn_guts): Ditto. + 2004-02-05 Christopher Faylor <cgf@redhat.com> * cygwin.din: Make many more functions SIGFE. diff --git a/winsup/cygwin/fork.cc b/winsup/cygwin/fork.cc index 681675a..8a5e5bf 100644 --- a/winsup/cygwin/fork.cc +++ b/winsup/cygwin/fork.cc @@ -456,8 +456,6 @@ fork_parent (HANDLE& hParent, dll *&first_dll, out: #endif - char sa_buf[1024]; - PSECURITY_ATTRIBUTES sec_attribs = sec_user_nih (sa_buf); syscall_printf ("CreateProcess (%s, %s, 0, 0, 1, %x, 0, 0, %p, %p)", myself->progname, myself->progname, c_flags, &si, &pi); __malloc_lock (); @@ -465,8 +463,8 @@ fork_parent (HANDLE& hParent, dll *&first_dll, newheap = cygheap_setup_for_child (&ch, cygheap->fdtab.need_fixup_before ()); rc = CreateProcess (myself->progname, /* image to run */ myself->progname, /* what we send in arg0 */ - sec_attribs, - sec_attribs, + &sec_none_nih, + &sec_none_nih, TRUE, /* inherit handles from parent */ c_flags, NULL, /* environment filled in later */ diff --git a/winsup/cygwin/spawn.cc b/winsup/cygwin/spawn.cc index e5246b8..bfb94bd 100644 --- a/winsup/cygwin/spawn.cc +++ b/winsup/cygwin/spawn.cc @@ -639,8 +639,6 @@ spawn_guts (const char * prog_arg, const char *const *argv, syscall_printf ("null_app_name %d (%s, %.9500s)", null_app_name, runpath, one_line.buf); void *newheap; - /* Preallocated buffer for `sec_user' call */ - char sa_buf[1024]; cygbench ("spawn-guts"); @@ -656,14 +654,13 @@ spawn_guts (const char * prog_arg, const char *const *argv, && cygheap->user.saved_gid == cygheap->user.real_gid && !cygheap->user.groups.issetgroups ())) { - PSECURITY_ATTRIBUTES sec_attribs = sec_user_nih (sa_buf); ciresrv.moreinfo->envp = build_env (envp, envblock, ciresrv.moreinfo->envc, real_path.iscygexec ()); newheap = cygheap_setup_for_child (&ciresrv, cygheap->fdtab.need_fixup_before ()); rc = CreateProcess (runpath, /* image name - with full path */ one_line.buf, /* what was passed to exec */ - sec_attribs, /* process security attrs */ - sec_attribs, /* thread security attrs */ + &sec_none_nih,/* process security attrs */ + &sec_none_nih,/* thread security attrs */ TRUE, /* inherit handles from parent */ flags, envblock, /* environment */ @@ -673,14 +670,10 @@ spawn_guts (const char * prog_arg, const char *const *argv, } else { - PSID sid = cygheap->user.sid (); /* Give access to myself */ if (mode == _P_OVERLAY) myself.set_acl(); - /* Set security attributes with sid */ - PSECURITY_ATTRIBUTES sec_attribs = sec_user_nih (sa_buf, sid); - /* allow the child to interact with our window station/desktop */ HANDLE hwst, hdsk; SECURITY_INFORMATION dsi = DACL_SECURITY_INFORMATION; @@ -704,8 +697,8 @@ spawn_guts (const char * prog_arg, const char *const *argv, rc = CreateProcessAsUser (cygheap->user.token (), runpath, /* image name - with full path */ one_line.buf, /* what was passed to exec */ - sec_attribs, /* process security attrs */ - sec_attribs, /* thread security attrs */ + &sec_none_nih, /* process security attrs */ + &sec_none_nih, /* thread security attrs */ TRUE, /* inherit handles from parent */ flags, envblock, /* environment */ diff --git a/winsup/cygwin/uinfo.cc b/winsup/cygwin/uinfo.cc index 81dd7f4..62ed0f2 100644 --- a/winsup/cygwin/uinfo.cc +++ b/winsup/cygwin/uinfo.cc @@ -46,8 +46,7 @@ cygheap_user::init () HANDLE ptok; DWORD siz; - char pdacl_buf [sizeof (PTOKEN_DEFAULT_DACL) + ACL_DEFAULT_SIZE]; - PTOKEN_DEFAULT_DACL pdacl = (PTOKEN_DEFAULT_DACL) pdacl_buf; + PSECURITY_DESCRIPTOR psd; if (!OpenProcessToken (hMainProc, TOKEN_ADJUST_DEFAULT | TOKEN_QUERY, &ptok)) @@ -70,34 +69,24 @@ cygheap_user::init () if (!SetTokenInformation (ptok, TokenOwner, &effec_cygsid, sizeof (cygsid))) debug_printf ("SetTokenInformation(TokenOwner): %E"); - /* Add the user in the default DACL if needed */ - if (!GetTokenInformation (ptok, TokenDefaultDacl, pdacl, sizeof (pdacl_buf), &siz)) - system_printf ("GetTokenInformation (TokenDefaultDacl): %E"); - else if (pdacl->DefaultDacl) /* Running with security */ + /* Standard way to build a security descriptor with the usual DACL */ + char sa_buf[1024]; + psd = (PSECURITY_DESCRIPTOR) (sec_user_nih (sa_buf, sid()))->lpSecurityDescriptor; + + BOOL acl_exists, dummy; + TOKEN_DEFAULT_DACL dacl; + if (GetSecurityDescriptorDacl (psd, &acl_exists, + &dacl.DefaultDacl, &dummy) + && acl_exists && dacl.DefaultDacl) { - PACL pAcl = pdacl->DefaultDacl; - PACCESS_ALLOWED_ACE pAce; - - for (int i = 0; i < pAcl->AceCount; i++) - { - if (!GetAce (pAcl, i, (LPVOID *) &pAce)) - system_printf ("GetAce: %E"); - else if (pAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE - && effec_cygsid == &pAce->SidStart) - goto out; - } - pAcl->AclSize = &pdacl_buf[sizeof (pdacl_buf)] - (char *) pAcl; - if (!AddAccessAllowedAce (pAcl, ACL_REVISION, GENERIC_ALL, effec_cygsid)) - system_printf ("AddAccessAllowedAce: %E"); - else if (FindFirstFreeAce (pAcl, (LPVOID *) &pAce), !(pAce)) - debug_printf ("FindFirstFreeAce %E"); - else - { - pAcl->AclSize = (char *) pAce - (char *) pAcl; - if (!SetTokenInformation (ptok, TokenDefaultDacl, pdacl, sizeof (* pdacl))) - system_printf ("SetTokenInformation (TokenDefaultDacl): %E"); - } + /* Set the default DACL and the process DACL */ + if (!SetTokenInformation (ptok, TokenDefaultDacl, &dacl, sizeof (dacl))) + system_printf ("SetTokenInformation (TokenDefaultDacl): %E"); + if (!SetKernelObjectSecurity (hMainProc, DACL_SECURITY_INFORMATION, psd)) + system_printf ("SetKernelObjectSecurity: %E"); } + else + system_printf("Cannot get dacl: %E"); out: CloseHandle (ptok); } |