2003-09-26 Pierre Humblet <pierre.humblet@ieee.org>
* uinfo.cc (cygheap_user::init): Make sure the current user appears in the default DACL. Rearrange to decrease the indentation levels. Initialize the effec_cygsid directly. (internal_getlogin): Do not reinitialize myself->gid. Open the process token with the required access. * cygheap.h (class cygheap_user): Delete members pid and saved_psid. Create members effec_cygsid and saved_cygsid. (cygheap_user::set_sid): Define inline. (cygheap_user::set_saved_sid): Ditto. (cygheap_user::sid): Modify. (cygheap_user::saved_sid): Modify. * cygheap.cc (cygheap_user::set_sid): Delete. (cygheap_user::set_saved_sid): Ditto. * sec_helper.cc (sec_acl): Set the correct acl size. * autoload.cc (FindFirstFreeAce): Add. * security.h: Define ACL_DEFAULT_SIZE.
This commit is contained in:
Pierre Humblet
parent
349a6402fe
commit
6806a8b51f
@ -1,3 +1,22 @@
|
||||
2003-09-26 Pierre Humblet <pierre.humblet@ieee.org>
|
||||
|
||||
* uinfo.cc (cygheap_user::init): Make sure the current user appears
|
||||
in the default DACL. Rearrange to decrease the indentation levels.
|
||||
Initialize the effec_cygsid directly.
|
||||
(internal_getlogin): Do not reinitialize myself->gid. Open the process
|
||||
token with the required access.
|
||||
* cygheap.h (class cygheap_user): Delete members pid and saved_psid.
|
||||
Create members effec_cygsid and saved_cygsid.
|
||||
(cygheap_user::set_sid): Define inline.
|
||||
(cygheap_user::set_saved_sid): Ditto.
|
||||
(cygheap_user::sid): Modify.
|
||||
(cygheap_user::saved_sid): Modify.
|
||||
* cygheap.cc (cygheap_user::set_sid): Delete.
|
||||
(cygheap_user::set_saved_sid): Ditto.
|
||||
* sec_helper.cc (sec_acl): Set the correct acl size.
|
||||
* autoload.cc (FindFirstFreeAce): Add.
|
||||
* security.h: Define ACL_DEFAULT_SIZE.
|
||||
|
||||
2003-09-26 Corinna Vinschen <corinna@vinschen.de>
|
||||
|
||||
* mmap.cc (munmap): Use correct address and length parameters when
|
||||
|
||||
@ -320,6 +320,7 @@ LoadDLLfunc (DeregisterEventSource, 4, advapi32)
|
||||
LoadDLLfunc (DuplicateToken, 12, advapi32)
|
||||
LoadDLLfuncEx (DuplicateTokenEx, 24, advapi32, 1)
|
||||
LoadDLLfunc (EqualSid, 8, advapi32)
|
||||
LoadDLLfunc (FindFirstFreeAce, 8, advapi32)
|
||||
LoadDLLfunc (GetAce, 12, advapi32)
|
||||
LoadDLLfunc (GetFileSecurityA, 20, advapi32)
|
||||
LoadDLLfunc (GetKernelObjectSecurity, 20, advapi32)
|
||||
|
||||
@ -444,28 +444,3 @@ cygheap_user::set_name (const char *new_name)
|
||||
cfree_and_set (pwinname);
|
||||
}
|
||||
|
||||
BOOL
|
||||
cygheap_user::set_sid (PSID new_sid)
|
||||
{
|
||||
if (new_sid)
|
||||
{
|
||||
if (!psid)
|
||||
psid = cmalloc (HEAP_STR, MAX_SID_LEN);
|
||||
if (psid)
|
||||
return CopySid (MAX_SID_LEN, psid, new_sid);
|
||||
}
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
BOOL
|
||||
cygheap_user::set_saved_sid ()
|
||||
{
|
||||
if (psid)
|
||||
{
|
||||
if (!saved_psid)
|
||||
saved_psid = cmalloc (HEAP_STR, MAX_SID_LEN);
|
||||
if (saved_psid)
|
||||
return CopySid (MAX_SID_LEN, saved_psid, psid);
|
||||
}
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
@ -106,8 +106,8 @@ class cygheap_user
|
||||
char *homepath; /* User's home path */
|
||||
char *pwinname; /* User's name as far as Windows knows it */
|
||||
char *puserprof; /* User profile */
|
||||
PSID psid; /* buffer for user's SID */
|
||||
PSID saved_psid; /* Remains intact even after impersonation */
|
||||
cygsid effec_cygsid; /* buffer for user's SID */
|
||||
cygsid saved_cygsid; /* Remains intact even after impersonation */
|
||||
public:
|
||||
__uid32_t saved_uid; /* Remains intact even after impersonation */
|
||||
__gid32_t saved_gid; /* Ditto */
|
||||
@ -160,10 +160,10 @@ public:
|
||||
const char *p = env_domain ("USERDOMAIN=", sizeof ("USERDOMAIN=") - 1);
|
||||
return (p == almost_null) ? NULL : p;
|
||||
}
|
||||
BOOL set_sid (PSID new_sid);
|
||||
BOOL set_saved_sid ();
|
||||
PSID sid () const { return psid; }
|
||||
PSID saved_sid () const { return saved_psid; }
|
||||
BOOL set_sid (PSID new_sid) {return (BOOL) (effec_cygsid = new_sid);}
|
||||
BOOL set_saved_sid () { return (BOOL) (saved_cygsid = effec_cygsid); }
|
||||
PSID sid () { return effec_cygsid; }
|
||||
PSID saved_sid () { return saved_cygsid; }
|
||||
const char *ontherange (homebodies what, struct passwd * = NULL);
|
||||
bool issetuid () const { return current_token != INVALID_HANDLE_VALUE; }
|
||||
HANDLE token () { return current_token; }
|
||||
|
||||
@ -375,6 +375,7 @@ BOOL
|
||||
sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD access2)
|
||||
{
|
||||
size_t acl_len = MAX_DACL_LEN(5);
|
||||
LPVOID pAce;
|
||||
cygpsid psid;
|
||||
|
||||
if (!InitializeAcl (acl, acl_len, ACL_REVISION))
|
||||
@ -402,6 +403,12 @@ sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD acces
|
||||
if (!AddAccessAllowedAce (acl, ACL_REVISION,
|
||||
GENERIC_ALL, well_known_system_sid))
|
||||
debug_printf ("AddAccessAllowedAce(system) %E");
|
||||
FindFirstFreeAce (acl, &pAce);
|
||||
if (pAce)
|
||||
acl->AclSize = (char *) pAce - (char *) acl;
|
||||
else
|
||||
debug_printf ("FindFirstFreeAce %E");
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
||||
@ -20,7 +20,7 @@ details. */
|
||||
#define MAX_SID_LEN 40
|
||||
#define MAX_DACL_LEN(n) (sizeof (ACL) \
|
||||
+ (n) * (sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + MAX_SID_LEN))
|
||||
|
||||
#define ACL_DEFAULT_SIZE 3072
|
||||
#define NO_SID ((PSID)NULL)
|
||||
|
||||
class cygpsid {
|
||||
|
||||
@ -41,31 +41,65 @@ cygheap_user::init()
|
||||
|
||||
set_name (GetUserName (user_name, &user_name_len) ? user_name : "unknown");
|
||||
|
||||
if (wincap.has_security ())
|
||||
{
|
||||
HANDLE ptok = NULL;
|
||||
DWORD siz, ret;
|
||||
cygsid tu;
|
||||
if (!wincap.has_security ())
|
||||
return;
|
||||
|
||||
/* Get the SID from current process and store it in user.psid */
|
||||
if (!OpenProcessToken (hMainProc, TOKEN_ADJUST_DEFAULT | TOKEN_QUERY,
|
||||
&ptok))
|
||||
system_printf ("OpenProcessToken(): %E");
|
||||
else
|
||||
{
|
||||
if (!GetTokenInformation (ptok, TokenUser, &tu, sizeof tu, &siz))
|
||||
system_printf ("GetTokenInformation (TokenUser): %E");
|
||||
else if (!(ret = set_sid (tu)))
|
||||
system_printf ("Couldn't retrieve SID from access token!");
|
||||
/* Set token owner to the same value as token user */
|
||||
else if (!SetTokenInformation (ptok, TokenOwner, &tu, sizeof tu))
|
||||
debug_printf ("SetTokenInformation(TokenOwner): %E");
|
||||
if (!GetTokenInformation (ptok, TokenPrimaryGroup,
|
||||
&groups.pgsid, sizeof tu, &siz))
|
||||
system_printf ("GetTokenInformation (TokenPrimaryGroup): %E");
|
||||
CloseHandle (ptok);
|
||||
}
|
||||
HANDLE ptok;
|
||||
DWORD siz;
|
||||
char pdacl_buf [sizeof (PTOKEN_DEFAULT_DACL) + ACL_DEFAULT_SIZE];
|
||||
PTOKEN_DEFAULT_DACL pdacl = (PTOKEN_DEFAULT_DACL) pdacl_buf;
|
||||
|
||||
if (!OpenProcessToken (hMainProc, TOKEN_ADJUST_DEFAULT | TOKEN_QUERY,
|
||||
&ptok))
|
||||
{
|
||||
system_printf ("OpenProcessToken(): %E");
|
||||
return;
|
||||
}
|
||||
if (!GetTokenInformation (ptok, TokenPrimaryGroup,
|
||||
&groups.pgsid, sizeof (cygsid), &siz))
|
||||
system_printf ("GetTokenInformation (TokenPrimaryGroup): %E");
|
||||
|
||||
/* Get the SID from current process and store it in effec_cygsid */
|
||||
if (!GetTokenInformation (ptok, TokenUser, &effec_cygsid, sizeof (cygsid), &siz))
|
||||
{
|
||||
system_printf ("GetTokenInformation (TokenUser): %E");
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* Set token owner to the same value as token user */
|
||||
if (!SetTokenInformation (ptok, TokenOwner, &effec_cygsid, sizeof (cygsid)))
|
||||
debug_printf ("SetTokenInformation(TokenOwner): %E");
|
||||
|
||||
/* Add the user in the default DACL if needed */
|
||||
if (!GetTokenInformation (ptok, TokenDefaultDacl, pdacl, sizeof (pdacl_buf), &siz))
|
||||
system_printf ("GetTokenInformation (TokenDefaultDacl): %E");
|
||||
else if (pdacl->DefaultDacl) /* Running with security */
|
||||
{
|
||||
PACL pAcl = pdacl->DefaultDacl;
|
||||
PACCESS_ALLOWED_ACE pAce;
|
||||
|
||||
for (int i = 0; i < pAcl->AceCount; i++)
|
||||
{
|
||||
if (!GetAce(pAcl, i, (LPVOID *) &pAce))
|
||||
system_printf ("GetAce: %E");
|
||||
else if (pAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE
|
||||
&& effec_cygsid == &pAce->SidStart)
|
||||
goto out;
|
||||
}
|
||||
pAcl->AclSize = &pdacl_buf[sizeof (pdacl_buf)] - (char *) pAcl;
|
||||
if (!AddAccessAllowedAce (pAcl, ACL_REVISION, GENERIC_ALL, effec_cygsid))
|
||||
system_printf ("AddAccessAllowedAce: %E");
|
||||
else if (FindFirstFreeAce (pAcl, (LPVOID *) &pAce), !(pAce))
|
||||
debug_printf ("FindFirstFreeAce %E");
|
||||
else
|
||||
{
|
||||
pAcl->AclSize = (char *) pAce - (char *) pAcl;
|
||||
if (!SetTokenInformation (ptok, TokenDefaultDacl, pdacl, sizeof (* pdacl)))
|
||||
system_printf ("SetTokenInformation (TokenDefaultDacl): %E");
|
||||
}
|
||||
}
|
||||
out:
|
||||
CloseHandle (ptok);
|
||||
}
|
||||
|
||||
void
|
||||
@ -73,8 +107,6 @@ internal_getlogin (cygheap_user &user)
|
||||
{
|
||||
struct passwd *pw = NULL;
|
||||
|
||||
myself->gid = UNKNOWN_GID;
|
||||
|
||||
if (wincap.has_security ())
|
||||
{
|
||||
cygpsid psid = user.sid ();
|
||||
@ -96,8 +128,7 @@ internal_getlogin (cygheap_user &user)
|
||||
{
|
||||
HANDLE ptok;
|
||||
if (gsid != user.groups.pgsid
|
||||
&& OpenProcessToken (hMainProc, TOKEN_ADJUST_DEFAULT | TOKEN_QUERY,
|
||||
&ptok))
|
||||
&& OpenProcessToken (hMainProc, TOKEN_ADJUST_DEFAULT, &ptok))
|
||||
{
|
||||
/* Set primary group to the group in /etc/passwd. */
|
||||
if (!SetTokenInformation (ptok, TokenPrimaryGroup,
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user