2003-10-16 Pierre Humblet <pierre.humblet@ieee.org>

* syscalls.cc (seteuid32): Always construct a default DACL including
	the new sid, Admins and SYSTEM and copy it to the new thread token.
	* security.cc (create_token): Use a NULL default DACL in NtCreateToken.

winsup/cygwin/security.cc

@@ -815,8 +815,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
   PTOKEN_PRIVILEGES privs = NULL;
   TOKEN_OWNER owner;
   TOKEN_PRIMARY_GROUP pgrp;
-  char acl_buf[MAX_DACL_LEN (5)];
+  TOKEN_DEFAULT_DACL dacl = {};
-  TOKEN_DEFAULT_DACL dacl;
   TOKEN_SOURCE source;
   TOKEN_STATISTICS stats;
   memcpy (source.SourceName, "Cygwin.1", 8);
@@ -905,13 +904,6 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
   if (!(privs = get_priv_list (lsa, usersid, tmp_gsids)))
     goto out;
 
-  /* Create default dacl. */
-  if (!sec_acl ((PACL) acl_buf, false, false,
-		tmp_gsids.contains (well_known_admins_sid) ?
-		well_known_admins_sid : usersid))
-    goto out;
-  dacl.DefaultDacl = (PACL) acl_buf;
-
   /* Let's be heroic... */
   ret = NtCreateToken (&token, TOKEN_ALL_ACCESS, &oa, TokenImpersonation,
 		       &auth_luid, &exp, &user, new_tok_gsids, privs, &owner,

winsup/cygwin/syscalls.cc

@@ -2121,6 +2121,8 @@ seteuid32 (__uid32_t uid)
   HANDLE ptok, new_token = INVALID_HANDLE_VALUE;
   struct passwd * pw_new;
   BOOL token_is_internal, issamesid;
+  char dacl_buf[MAX_DACL_LEN (5)];
+  TOKEN_DEFAULT_DACL tdacl = {};
   
   pw_new = internal_getpwuid (uid);
   if (!wincap.has_security () && pw_new)
@@ -2161,19 +2163,14 @@ seteuid32 (__uid32_t uid)
   debug_printf ("Found token %d", new_token);
 
   /* Set process def dacl to allow access to impersonated token */
-  if (cygheap->user.current_token != new_token)
+  if (sec_acl ((PACL) dacl_buf, true, true, usersid))
     {
-      char dacl_buf[MAX_DACL_LEN (5)];
-      if (sec_acl ((PACL) dacl_buf, true, false, usersid))
-	{
-	  TOKEN_DEFAULT_DACL tdacl;
       tdacl.DefaultDacl = (PACL) dacl_buf;
       if (!SetTokenInformation (ptok, TokenDefaultDacl,
 				&tdacl, sizeof dacl_buf))
 	debug_printf ("SetTokenInformation"
 		      "(TokenDefaultDacl): %E");
     }
-    }
 
   /* If no impersonation token is available, try to
      authenticate using NtCreateToken () or subauthentication. */
@@ -2193,7 +2190,7 @@ seteuid32 (__uid32_t uid)
 	CloseHandle (cygheap->user.internal_token);
       cygheap->user.internal_token = new_token;
     }
-  else if (new_token != ptok)
+  if (new_token != ptok)
     {
       /* Avoid having HKCU use default user */
       load_registry_hive (usersid);
@@ -2204,11 +2201,15 @@ seteuid32 (__uid32_t uid)
 	debug_printf ("SetTokenInformation(user.token, "
 		      "TokenOwner): %E");
       /* Try setting primary group in token to current group */
-      if (!SetTokenInformation (new_token,
+      if (!SetTokenInformation (new_token, TokenPrimaryGroup,
-				TokenPrimaryGroup,
 				&groups.pgsid, sizeof (cygsid)))
 	debug_printf ("SetTokenInformation(user.token, "
 		      "TokenPrimaryGroup): %E");
+      /* Try setting default DACL */
+      if (tdacl.DefaultDacl
+	  && !SetTokenInformation (new_token, TokenDefaultDacl,
+				   &tdacl, sizeof (tdacl)))
+	debug_printf ("SetTokenInformation (TokenDefaultDacl): %E");
     }
 
   CloseHandle (ptok);