aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--winsup/cygwin/security.cc10
-rw-r--r--winsup/cygwin/syscalls.cc29
2 files changed, 16 insertions, 23 deletions
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index 9b8c6da..745fa0c 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -815,8 +815,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
PTOKEN_PRIVILEGES privs = NULL;
TOKEN_OWNER owner;
TOKEN_PRIMARY_GROUP pgrp;
- char acl_buf[MAX_DACL_LEN (5)];
- TOKEN_DEFAULT_DACL dacl;
+ TOKEN_DEFAULT_DACL dacl = {};
TOKEN_SOURCE source;
TOKEN_STATISTICS stats;
memcpy (source.SourceName, "Cygwin.1", 8);
@@ -905,13 +904,6 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
if (!(privs = get_priv_list (lsa, usersid, tmp_gsids)))
goto out;
- /* Create default dacl. */
- if (!sec_acl ((PACL) acl_buf, false, false,
- tmp_gsids.contains (well_known_admins_sid) ?
- well_known_admins_sid : usersid))
- goto out;
- dacl.DefaultDacl = (PACL) acl_buf;
-
/* Let's be heroic... */
ret = NtCreateToken (&token, TOKEN_ALL_ACCESS, &oa, TokenImpersonation,
&auth_luid, &exp, &user, new_tok_gsids, privs, &owner,
diff --git a/winsup/cygwin/syscalls.cc b/winsup/cygwin/syscalls.cc
index 3444bab..0940ad0 100644
--- a/winsup/cygwin/syscalls.cc
+++ b/winsup/cygwin/syscalls.cc
@@ -2121,6 +2121,8 @@ seteuid32 (__uid32_t uid)
HANDLE ptok, new_token = INVALID_HANDLE_VALUE;
struct passwd * pw_new;
BOOL token_is_internal, issamesid;
+ char dacl_buf[MAX_DACL_LEN (5)];
+ TOKEN_DEFAULT_DACL tdacl = {};
pw_new = internal_getpwuid (uid);
if (!wincap.has_security () && pw_new)
@@ -2161,18 +2163,13 @@ seteuid32 (__uid32_t uid)
debug_printf ("Found token %d", new_token);
/* Set process def dacl to allow access to impersonated token */
- if (cygheap->user.current_token != new_token)
+ if (sec_acl ((PACL) dacl_buf, true, true, usersid))
{
- char dacl_buf[MAX_DACL_LEN (5)];
- if (sec_acl ((PACL) dacl_buf, true, false, usersid))
- {
- TOKEN_DEFAULT_DACL tdacl;
- tdacl.DefaultDacl = (PACL) dacl_buf;
- if (!SetTokenInformation (ptok, TokenDefaultDacl,
- &tdacl, sizeof dacl_buf))
- debug_printf ("SetTokenInformation"
- "(TokenDefaultDacl): %E");
- }
+ tdacl.DefaultDacl = (PACL) dacl_buf;
+ if (!SetTokenInformation (ptok, TokenDefaultDacl,
+ &tdacl, sizeof dacl_buf))
+ debug_printf ("SetTokenInformation"
+ "(TokenDefaultDacl): %E");
}
/* If no impersonation token is available, try to
@@ -2193,7 +2190,7 @@ seteuid32 (__uid32_t uid)
CloseHandle (cygheap->user.internal_token);
cygheap->user.internal_token = new_token;
}
- else if (new_token != ptok)
+ if (new_token != ptok)
{
/* Avoid having HKCU use default user */
load_registry_hive (usersid);
@@ -2204,11 +2201,15 @@ seteuid32 (__uid32_t uid)
debug_printf ("SetTokenInformation(user.token, "
"TokenOwner): %E");
/* Try setting primary group in token to current group */
- if (!SetTokenInformation (new_token,
- TokenPrimaryGroup,
+ if (!SetTokenInformation (new_token, TokenPrimaryGroup,
&groups.pgsid, sizeof (cygsid)))
debug_printf ("SetTokenInformation(user.token, "
"TokenPrimaryGroup): %E");
+ /* Try setting default DACL */
+ if (tdacl.DefaultDacl
+ && !SetTokenInformation (new_token, TokenDefaultDacl,
+ &tdacl, sizeof (tdacl)))
+ debug_printf ("SetTokenInformation (TokenDefaultDacl): %E");
}
CloseHandle (ptok);