* include/sys/cygwin.h: Add new cygwin_getinfo_type
CW_SET_EXTERNAL_TOKEN. Add new enum CW_TOKEN_IMPERSONATION, CW_TOKEN_RESTRICTED. * cygheap.h (cyguser): New flags ext_token_is_restricted, curr_token_is_restricted and setuid_to_restricted. * external.cc (cygwin_internal): Add CW_SET_EXTERNAL_TOKEN. * sec_auth.cc (set_imp_token): New function. (cygwin_set_impersonation_token): Call set_imp_token (). * security.h (set_imp_token): New prototype. * spawn.cc (spawn_guts): Use CreateProcessAsUserW if restricted token was enabled by setuid(). Do not create new window station in this case. * syscalls.cc (seteuid32): Add handling of restricted external tokens. Set HANDLE_FLAG_INHERIT for primary token. (setuid32): Set setuid_to_restricted flag. * uinfo.cc (uinfo_init): Do not reimpersonate if restricted token was enabled by setuid (). Initialize user.*_restricted flags.
This commit is contained in:
@@ -537,7 +537,8 @@ loop:
|
||||
if (!cygheap->user.issetuid ()
|
||||
|| (cygheap->user.saved_uid == cygheap->user.real_uid
|
||||
&& cygheap->user.saved_gid == cygheap->user.real_gid
|
||||
&& !cygheap->user.groups.issetgroups ()))
|
||||
&& !cygheap->user.groups.issetgroups ()
|
||||
&& !cygheap->user.setuid_to_restricted))
|
||||
{
|
||||
rc = CreateProcessW (runpath, /* image name - with full path */
|
||||
wone_line, /* what was passed to exec */
|
||||
@@ -571,7 +572,8 @@ loop:
|
||||
risk, but we don't want to disable this behaviour for older
|
||||
OSes because it's still heavily used by some users. They have
|
||||
been warned. */
|
||||
if (wcscasecmp (wstname, L"WinSta0") != 0)
|
||||
if (!cygheap->user.setuid_to_restricted
|
||||
&& wcscasecmp (wstname, L"WinSta0") != 0)
|
||||
{
|
||||
WCHAR sid[128];
|
||||
|
||||
|
Reference in New Issue
Block a user