* security.h: Add third argument to set_process_privilege.

* autoload.cc: Add OpenThreadToken.
	* sec_helper.cc (set_process_privilege): Add and use use_thread
	argument.
	* security.cc (alloc_sd): Modify call to set_process_privilege.
	Remember the result in each process. If failed and file owner is not
	the user, fail.
This commit is contained in:
Corinna Vinschen
2003-02-03 15:55:20 +00:00
parent f0f3ea68f3
commit 153e83c605
5 changed files with 33 additions and 8 deletions

View File

@@ -1,3 +1,13 @@
2003-02-03 Pierre Humblet <pierre.humblet@ieee.org>
* security.h: Add third argument to set_process_privilege.
* autoload.cc: Add OpenThreadToken.
* sec_helper.cc (set_process_privilege): Add and use use_thread
argument.
* security.cc (alloc_sd): Modify call to set_process_privilege.
Remember the result in each process. If failed and file owner is not
the user, fail.
2003-02-03 Corinna Vinschen <corinna@vinschen.de> 2003-02-03 Corinna Vinschen <corinna@vinschen.de>
* fhandler_socket.cc (fhandler_socket::recvfrom): Return buffer * fhandler_socket.cc (fhandler_socket::recvfrom): Return buffer

View File

@@ -352,6 +352,7 @@ LoadDLLfunc (LsaOpenPolicy, 16, advapi32)
LoadDLLfunc (LsaQueryInformationPolicy, 12, advapi32) LoadDLLfunc (LsaQueryInformationPolicy, 12, advapi32)
LoadDLLfunc (MakeSelfRelativeSD, 12, advapi32) LoadDLLfunc (MakeSelfRelativeSD, 12, advapi32)
LoadDLLfunc (OpenProcessToken, 12, advapi32) LoadDLLfunc (OpenProcessToken, 12, advapi32)
LoadDLLfunc (OpenThreadToken, 16, advapi32)
LoadDLLfunc (RegCloseKey, 4, advapi32) LoadDLLfunc (RegCloseKey, 4, advapi32)
LoadDLLfunc (RegCreateKeyExA, 36, advapi32) LoadDLLfunc (RegCreateKeyExA, 36, advapi32)
LoadDLLfunc (RegDeleteKeyA, 8, advapi32) LoadDLLfunc (RegDeleteKeyA, 8, advapi32)

View File

@@ -294,7 +294,7 @@ got_it:
#endif //unused #endif //unused
int int
set_process_privilege (const char *privilege, BOOL enable) set_process_privilege (const char *privilege, bool enable, bool use_thread)
{ {
HANDLE hToken = NULL; HANDLE hToken = NULL;
LUID restore_priv; LUID restore_priv;
@@ -302,8 +302,12 @@ set_process_privilege (const char *privilege, BOOL enable)
int ret = -1; int ret = -1;
DWORD size; DWORD size;
if (!OpenProcessToken (hMainProc, TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, if ((use_thread
&hToken)) && !OpenThreadToken (GetCurrentThread (), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,
0, &hToken))
||(!use_thread
&& !OpenProcessToken (hMainProc, TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,
&hToken)))
{ {
__seterrno (); __seterrno ();
goto out; goto out;
@@ -329,7 +333,6 @@ set_process_privilege (const char *privilege, BOOL enable)
be enabled. GetLastError () returns an correct error code, though. */ be enabled. GetLastError () returns an correct error code, though. */
if (enable && GetLastError () == ERROR_NOT_ALL_ASSIGNED) if (enable && GetLastError () == ERROR_NOT_ALL_ASSIGNED)
{ {
debug_printf ("Privilege %s couldn't be assigned", privilege);
__seterrno (); __seterrno ();
goto out; goto out;
} }

View File

@@ -1563,9 +1563,20 @@ alloc_sd (__uid32_t uid, __gid32_t gid, int attribute,
} }
owner_sid.debug_print ("alloc_sd: owner SID ="); owner_sid.debug_print ("alloc_sd: owner SID =");
/* Must have SE_RESTORE_NAME privilege to change owner */ /* Try turning privilege on, may not have WRITE_OWNER or WRITE_DAC access.
if (cur_owner_sid && owner_sid != cur_owner_sid Must have privilege to set different owner, else BackupWrite misbehaves */
&& set_process_privilege (SE_RESTORE_NAME) < 0 ) static int NO_COPY saved_res; /* 0: never, 1: failed, 2 & 3: OK */
int res;
if (!saved_res || cygheap->user.issetuid ())
{
res = 2 + set_process_privilege (SE_RESTORE_NAME, true,
cygheap->user.issetuid ());
if (!cygheap->user.issetuid ())
saved_res = res;
}
else
res = saved_res;
if (res == 1 && owner_sid != cygheap->user.sid ())
return NULL; return NULL;
/* Get SID of new group. */ /* Get SID of new group. */

View File

@@ -236,7 +236,7 @@ BOOL get_logon_server (const char * domain, char * server, WCHAR *wserver = NULL
/* sec_helper.cc: Security helper functions. */ /* sec_helper.cc: Security helper functions. */
BOOL __stdcall is_grp_member (__uid32_t uid, __gid32_t gid); BOOL __stdcall is_grp_member (__uid32_t uid, __gid32_t gid);
int set_process_privilege (const char *privilege, BOOL enable = TRUE); int set_process_privilege (const char *privilege, bool enable = true, bool use_thread = false);
/* shared.cc: */ /* shared.cc: */
/* Retrieve a security descriptor that allows all access */ /* Retrieve a security descriptor that allows all access */