* cygheap.h (enum impersonation): New enum.

(cygheap_user::token): Delete. (cygheap_user::impersonated): Delete. (cygheap_user::external_token): New member. (cygheap_user::internal_token): New member. (cygheap_user::impersonation_state): New member. (cygheap_user::issetuid): Modify. (cygheap_user::token): New method. (cygheap_user::deimpersonate): New method. (cygheap_user::reimpersonate): New method. (cygheap_user::has_impersonation_tokens): New method. (cygheap_user::close_impersonation_tokens): New method. * dtable.cc (dtable::vfork_child_dup): Use new cygheap_user methods. * fhandler_socket.cc (fhandler_socket::dup): Ditto. * fork.cc (fork_child): Ditto. (fork_parent): Ditto. * grp.cc (internal_getgroups): Ditto. * security.cc (verify_token): Ditto. (check_file_access): Ditto. (cygwin_set_impersonation_token): Detect conflicts. Set user.external_token. * spawn.cc (spawn_guts): Use new cygheap_user methods. * syscalls.cc (seteuid32): Rearrange to use the two tokens in cygheap_user. (setegid32): Use new cygheap_user methods. * uinfo.cc: (internal_getlogin): Ditto.
2003-06-30 13:07:36 +00:00
parent 3fbdb70ec6
commit 70249d5687
10 changed files with 160 additions and 115 deletions
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -70,10 +70,16 @@ extern "C" void
 cygwin_set_impersonation_token (const HANDLE hToken)
 {
  debug_printf ("set_impersonation_token (%d)", hToken);
-  if (cygheap->user.token != hToken)
+  if (cygheap->user.impersonation_state == IMP_EXTERNAL
+      && cygheap->user.external_token != hToken)
    {
-      cygheap->user.token = hToken;
-      cygheap->user.impersonated = FALSE;
+      set_errno (EPERM);
+      return;
+    }
+  else
+    {
+      cygheap->user.external_token = hToken;
+      return;
    }
 }

@@ -717,7 +723,7 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, BOOL *pintern)
  if (pintern)
    {
      TOKEN_SOURCE ts;
-      if (!GetTokenInformation (cygheap->user.token, TokenSource,
+      if (!GetTokenInformation (token, TokenSource,
 				&ts, sizeof ts, &size))
 	debug_printf ("GetTokenInformation(): %E");
      else
@@ -1906,7 +1912,7 @@ check_file_access (const char *fn, int flags)
    goto done;

  if (cygheap->user.issetuid ())
-    hToken = cygheap->user.token;
+    hToken = cygheap->user.token ();
  else if (!OpenProcessToken (hMainProc, TOKEN_DUPLICATE, &hToken))
    {
      __seterrno ();
@@ -1914,7 +1920,7 @@ check_file_access (const char *fn, int flags)
    }
  if (!(status = DuplicateToken (hToken, SecurityIdentification, &hIToken)))
    __seterrno ();
-  if (hToken != cygheap->user.token)
+  if (!cygheap->user.issetuid ())
    CloseHandle (hToken);
  if (!status)
    goto done;