2003-09-26 Pierre Humblet <pierre.humblet@ieee.org>

* uinfo.cc (cygheap_user::init): Make sure the current user appears
	in the default DACL. Rearrange to decrease the indentation levels.
	Initialize the effec_cygsid directly.
	(internal_getlogin): Do not reinitialize myself->gid. Open the process
	token with the required access.
	* cygheap.h (class cygheap_user): Delete members pid and saved_psid.
	Create members effec_cygsid and saved_cygsid.
	(cygheap_user::set_sid): Define inline.
	(cygheap_user::set_saved_sid): Ditto.
	(cygheap_user::sid): Modify.
	(cygheap_user::saved_sid): Modify.
	* cygheap.cc (cygheap_user::set_sid): Delete.
	(cygheap_user::set_saved_sid): Ditto.
	* sec_helper.cc (sec_acl): Set the correct acl size.
	* autoload.cc (FindFirstFreeAce): Add.
	* security.h: Define ACL_DEFAULT_SIZE.
Pierre Humblet 2003-09-27 01:56:36 +00:00
parent 349a6402fe
commit 6806a8b51f
7 changed files with 92 additions and 59 deletions


@ -1,3 +1,22 @@
2003-09-26 Pierre Humblet <pierre.humblet@ieee.org>
* uinfo.cc (cygheap_user::init): Make sure the current user appears
in the default DACL. Rearrange to decrease the indentation levels.
Initialize the effec_cygsid directly.
(internal_getlogin): Do not reinitialize myself->gid. Open the process
token with the required access.
* cygheap.h (class cygheap_user): Delete members pid and saved_psid.
Create members effec_cygsid and saved_cygsid.
(cygheap_user::set_sid): Define inline.
(cygheap_user::set_saved_sid): Ditto.
(cygheap_user::sid): Modify.
(cygheap_user::saved_sid): Modify.
* cygheap.cc (cygheap_user::set_sid): Delete.
(cygheap_user::set_saved_sid): Ditto.
* sec_helper.cc (sec_acl): Set the correct acl size.
* autoload.cc (FindFirstFreeAce): Add.
* security.h: Define ACL_DEFAULT_SIZE.
2003-09-26 Corinna Vinschen <corinna@vinschen.de> 2003-09-26 Corinna Vinschen <corinna@vinschen.de>
* mmap.cc (munmap): Use correct address and length parameters when * mmap.cc (munmap): Use correct address and length parameters when


@ -320,6 +320,7 @@ LoadDLLfunc (DeregisterEventSource, 4, advapi32)
LoadDLLfunc (DuplicateToken, 12, advapi32) LoadDLLfunc (DuplicateToken, 12, advapi32)
LoadDLLfuncEx (DuplicateTokenEx, 24, advapi32, 1) LoadDLLfuncEx (DuplicateTokenEx, 24, advapi32, 1)
LoadDLLfunc (EqualSid, 8, advapi32) LoadDLLfunc (EqualSid, 8, advapi32)
LoadDLLfunc (FindFirstFreeAce, 8, advapi32)
LoadDLLfunc (GetAce, 12, advapi32) LoadDLLfunc (GetAce, 12, advapi32)
LoadDLLfunc (GetFileSecurityA, 20, advapi32) LoadDLLfunc (GetFileSecurityA, 20, advapi32)
LoadDLLfunc (GetKernelObjectSecurity, 20, advapi32) LoadDLLfunc (GetKernelObjectSecurity, 20, advapi32)


@ -444,28 +444,3 @@ cygheap_user::set_name (const char *new_name)
cfree_and_set (pwinname); cfree_and_set (pwinname);
} }
BOOL
cygheap_user::set_sid (PSID new_sid)
{
if (new_sid)
{
if (!psid)
psid = cmalloc (HEAP_STR, MAX_SID_LEN);
if (psid)
return CopySid (MAX_SID_LEN, psid, new_sid);
}
return FALSE;
}
BOOL
cygheap_user::set_saved_sid ()
{
if (psid)
{
if (!saved_psid)
saved_psid = cmalloc (HEAP_STR, MAX_SID_LEN);
if (saved_psid)
return CopySid (MAX_SID_LEN, saved_psid, psid);
}
return FALSE;
}


@ -106,8 +106,8 @@ class cygheap_user
char *homepath; /* User's home path */ char *homepath; /* User's home path */
char *pwinname; /* User's name as far as Windows knows it */ char *pwinname; /* User's name as far as Windows knows it */
char *puserprof; /* User profile */ char *puserprof; /* User profile */
PSID psid; /* buffer for user's SID */ cygsid effec_cygsid; /* buffer for user's SID */
PSID saved_psid; /* Remains intact even after impersonation */ cygsid saved_cygsid; /* Remains intact even after impersonation */
public: public:
__uid32_t saved_uid; /* Remains intact even after impersonation */ __uid32_t saved_uid; /* Remains intact even after impersonation */
__gid32_t saved_gid; /* Ditto */ __gid32_t saved_gid; /* Ditto */
@ -160,10 +160,10 @@ public:
const char *p = env_domain ("USERDOMAIN=", sizeof ("USERDOMAIN=") - 1); const char *p = env_domain ("USERDOMAIN=", sizeof ("USERDOMAIN=") - 1);
return (p == almost_null) ? NULL : p; return (p == almost_null) ? NULL : p;
} }
BOOL set_sid (PSID new_sid); BOOL set_sid (PSID new_sid) {return (BOOL) (effec_cygsid = new_sid);}
BOOL set_saved_sid (); BOOL set_saved_sid () { return (BOOL) (saved_cygsid = effec_cygsid); }
PSID sid () const { return psid; } PSID sid () { return effec_cygsid; }
PSID saved_sid () const { return saved_psid; } PSID saved_sid () { return saved_cygsid; }
const char *ontherange (homebodies what, struct passwd * = NULL); const char *ontherange (homebodies what, struct passwd * = NULL);
bool issetuid () const { return current_token != INVALID_HANDLE_VALUE; } bool issetuid () const { return current_token != INVALID_HANDLE_VALUE; }
HANDLE token () { return current_token; } HANDLE token () { return current_token; }
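Review bot: The inline `set_sid` and `set_saved_sid` now report success by casting the result of a `cygsid` assignment to `BOOL`, and what that assignment yields is not visible on this page. The deleted out-of-line versions returned FALSE for a null `new_sid` and otherwise the `CopySid` result, so any caller that tests the return value depends on `cygsid::operator=` preserving that contract. If the operator returns the stored PSID, writing `return (effec_cygsid = new_sid) != NO_SID;` avoids the pointer-to-integer cast and states the success condition explicitly. `sid ()` and `saved_sid ()` also lose their `const` qualifier; a short comment such as `/* non-const: converts the cygsid member to PSID */` would record the reason, if that is the reason.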


@ -375,6 +375,7 @@ BOOL
sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD access2) sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD access2)
{ {
size_t acl_len = MAX_DACL_LEN(5); size_t acl_len = MAX_DACL_LEN(5);
LPVOID pAce;
cygpsid psid; cygpsid psid;
if (!InitializeAcl (acl, acl_len, ACL_REVISION)) if (!InitializeAcl (acl, acl_len, ACL_REVISION))
@ -402,6 +403,12 @@ sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD acces
if (!AddAccessAllowedAce (acl, ACL_REVISION, if (!AddAccessAllowedAce (acl, ACL_REVISION,
GENERIC_ALL, well_known_system_sid)) GENERIC_ALL, well_known_system_sid))
debug_printf ("AddAccessAllowedAce(system) %E"); debug_printf ("AddAccessAllowedAce(system) %E");
FindFirstFreeAce (acl, &pAce);
if (pAce)
acl->AclSize = (char *) pAce - (char *) acl;
else
debug_printf ("FindFirstFreeAce %E");
return TRUE; return TRUE;
} }
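Review bot: `pAce` is declared without an initializer and the BOOL result of `FindFirstFreeAce` is discarded, so if the call fails without writing its out-parameter, the `if (pAce)` test reads an indeterminate pointer and `acl->AclSize` may be computed from it. Initialise the variable, `LPVOID pAce = NULL;`, and test the call itself, `if (FindFirstFreeAce (acl, &pAce) && pAce)`. The else branch prints `%E` even when the call succeeded with a null `pAce`, where the last-error value may be stale. `cygheap_user::init` in uinfo.cc uses the same pattern, discarding the result through a comma expression. The part of sec_acl between the two hunks is not shown, so this assumes `pAce` is not assigned there.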


@ -20,7 +20,7 @@ details. */
#define MAX_SID_LEN 40 #define MAX_SID_LEN 40
#define MAX_DACL_LEN(n) (sizeof (ACL) \ #define MAX_DACL_LEN(n) (sizeof (ACL) \
+ (n) * (sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + MAX_SID_LEN)) + (n) * (sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + MAX_SID_LEN))
#define ACL_DEFAULT_SIZE 3072
#define NO_SID ((PSID)NULL) #define NO_SID ((PSID)NULL)
class cygpsid { class cygpsid {


@ -41,31 +41,65 @@ cygheap_user::init()
set_name (GetUserName (user_name, &user_name_len) ? user_name : "unknown"); set_name (GetUserName (user_name, &user_name_len) ? user_name : "unknown");
if (wincap.has_security ()) if (!wincap.has_security ())
{ return;
HANDLE ptok = NULL;
DWORD siz, ret;
cygsid tu;
/* Get the SID from current process and store it in user.psid */ HANDLE ptok;
if (!OpenProcessToken (hMainProc, TOKEN_ADJUST_DEFAULT | TOKEN_QUERY, DWORD siz;
&ptok)) char pdacl_buf [sizeof (PTOKEN_DEFAULT_DACL) + ACL_DEFAULT_SIZE];
system_printf ("OpenProcessToken(): %E"); PTOKEN_DEFAULT_DACL pdacl = (PTOKEN_DEFAULT_DACL) pdacl_buf;
else
{ if (!OpenProcessToken (hMainProc, TOKEN_ADJUST_DEFAULT | TOKEN_QUERY,
if (!GetTokenInformation (ptok, TokenUser, &tu, sizeof tu, &siz)) &ptok))
system_printf ("GetTokenInformation (TokenUser): %E"); {
else if (!(ret = set_sid (tu))) system_printf ("OpenProcessToken(): %E");
system_printf ("Couldn't retrieve SID from access token!"); return;
/* Set token owner to the same value as token user */
else if (!SetTokenInformation (ptok, TokenOwner, &tu, sizeof tu))
debug_printf ("SetTokenInformation(TokenOwner): %E");
if (!GetTokenInformation (ptok, TokenPrimaryGroup,
&groups.pgsid, sizeof tu, &siz))
system_printf ("GetTokenInformation (TokenPrimaryGroup): %E");
CloseHandle (ptok);
}
} }
if (!GetTokenInformation (ptok, TokenPrimaryGroup,
&groups.pgsid, sizeof (cygsid), &siz))
system_printf ("GetTokenInformation (TokenPrimaryGroup): %E");
/* Get the SID from current process and store it in effec_cygsid */
if (!GetTokenInformation (ptok, TokenUser, &effec_cygsid, sizeof (cygsid), &siz))
{
system_printf ("GetTokenInformation (TokenUser): %E");
goto out;
}
/* Set token owner to the same value as token user */
if (!SetTokenInformation (ptok, TokenOwner, &effec_cygsid, sizeof (cygsid)))
debug_printf ("SetTokenInformation(TokenOwner): %E");
/* Add the user in the default DACL if needed */
if (!GetTokenInformation (ptok, TokenDefaultDacl, pdacl, sizeof (pdacl_buf), &siz))
system_printf ("GetTokenInformation (TokenDefaultDacl): %E");
else if (pdacl->DefaultDacl) /* Running with security */
{
PACL pAcl = pdacl->DefaultDacl;
PACCESS_ALLOWED_ACE pAce;
for (int i = 0; i < pAcl->AceCount; i++)
{
if (!GetAce(pAcl, i, (LPVOID *) &pAce))
system_printf ("GetAce: %E");
else if (pAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE
&& effec_cygsid == &pAce->SidStart)
goto out;
}
pAcl->AclSize = &pdacl_buf[sizeof (pdacl_buf)] - (char *) pAcl;
if (!AddAccessAllowedAce (pAcl, ACL_REVISION, GENERIC_ALL, effec_cygsid))
system_printf ("AddAccessAllowedAce: %E");
else if (FindFirstFreeAce (pAcl, (LPVOID *) &pAce), !(pAce))
debug_printf ("FindFirstFreeAce %E");
else
{
pAcl->AclSize = (char *) pAce - (char *) pAcl;
if (!SetTokenInformation (ptok, TokenDefaultDacl, pdacl, sizeof (* pdacl)))
system_printf ("SetTokenInformation (TokenDefaultDacl): %E");
}
}
out:
CloseHandle (ptok);
} }
void void
@ -73,8 +107,6 @@ internal_getlogin (cygheap_user &user)
{ {
struct passwd *pw = NULL; struct passwd *pw = NULL;
myself->gid = UNKNOWN_GID;
if (wincap.has_security ()) if (wincap.has_security ())
{ {
cygpsid psid = user.sid (); cygpsid psid = user.sid ();
@ -96,8 +128,7 @@ internal_getlogin (cygheap_user &user)
{ {
HANDLE ptok; HANDLE ptok;
if (gsid != user.groups.pgsid if (gsid != user.groups.pgsid
&& OpenProcessToken (hMainProc, TOKEN_ADJUST_DEFAULT | TOKEN_QUERY, && OpenProcessToken (hMainProc, TOKEN_ADJUST_DEFAULT, &ptok))
&ptok))
{ {
/* Set primary group to the group in /etc/passwd. */ /* Set primary group to the group in /etc/passwd. */
if (!SetTokenInformation (ptok, TokenPrimaryGroup, if (!SetTokenInformation (ptok, TokenPrimaryGroup,
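Review bot: In `cygheap_user::init`, `pdacl_buf` is sized with `sizeof (PTOKEN_DEFAULT_DACL)`, which is the size of the pointer type rather than of the structure the buffer is then treated as. It should read `char pdacl_buf [sizeof (TOKEN_DEFAULT_DACL) + ACL_DEFAULT_SIZE];`, matching the `sizeof (* pdacl)` passed to the later SetTokenInformation call. The two sizes probably coincide because the structure holds a single pointer, but the expression should not rely on that. The new block also grants the user `GENERIC_ALL` in the token's default DACL, which governs objects the process later creates without an explicit security descriptor, so a comment stating why full access is intended would help later review. A default DACL larger than `ACL_DEFAULT_SIZE` is only logged and the user ACE is then not added; that limit is worth documenting next to the define in security.h.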