* cyglsa.h: New header file.
* environ.cc: Disable subauth settings. * grp.cc: Accomodate cygsidlist's count now being a method. * sec_helper.cc (SECURITY_MANDATORY_INTEGRITY_AUTHORITY): Remove. (mandatory_medium_integrity_sid): Remove. (mandatory_high_integrity_sid): Remove. (mandatory_system_integrity_sid): Remove. (fake_logon_sid): Add. (cygsid::get_sid): Add well_known parameter. Set well_known_sid accordingly. (cygsid::getfromstr): Ditto. (cygsidlist::alloc_sids): Move here from security.cc. (cygsidlist::free_sids): Ditto. (cygsidlist::add): Move here from security.h. Add well_known parameter. Set well_known_sid accordingly. Don't allow duplicate SIDs. * security.cc: Include cyglsa.h and cygwin/version.h. Throughout accomodate cygsidlist's count now being a method. Throughout drop redundant "contains" tests. (get_user_local_groups): Add local groups as well known SIDs. (get_token_group_sidlist): Add well known groups as well known SIDs. (get_server_groups): Ditto. Only call get_unix_group_sidlist after get_user_local_groups to maintain "well_known_sid" attribute. (get_initgroups_sidlist): Add well known groups as well known SIDs. (get_setgroups_sidlist): Add usersid and struct passwd parameter to allow calling get_server_groups from here. (get_system_priv_list): Make static. Return size of TOKEN_PRIVILEGES structure. (get_priv_list): Ditto. (create_token): Accomodate above changes. Drop misguided attempt to add MIC SIDs to created user token. Print returned token as hex value. (subauth): Disable. (lsaauth): New function implementing client side of LSA authentication. * security.h (class cygsid): Add well_known_sid attribute. Accomodate throughout. Add *= operator to create a well known SID. (class cygsidlist): Rename count to cnt. Make count a method. (cygsidlist::add): Move to sec_helper.cc. (cygsidlist::operator *=): New method to add well known SID. (cygsidlist::non_well_known_count): New method returning number of non well known SIDs in list. 
(cygsidlist::next_non_well_known_sid): New method returning next non well known SID by index. (mandatory_medium_integrity_sid): Drop declaration. (mandatory_high_integrity_sid): Drop declaration. (mandatory_system_integrity_sid): Drop declaration. (fake_logon_sid): Add declaration. (subauth): Disable declaration. (lsaauth): Add declaration. * syscalls.cc (seteuid32): Disable subauthentication. Add LSA authentication. * wincap.h: Define needs_logon_sid_in_sid_list throughout. * wincap.cc: Ditto.
@@ -2111,30 +2111,46 @@ seteuid32 (__uid32_t uid)
|
||||
debug_printf ("Found token %d", new_token);
|
||||
|
||||
/* If no impersonation token is available, try to
|
||||
authenticate using NtCreateToken () or subauthentication. */
|
||||
authenticate using NtCreateToken () or LSA authentication. */
|
||||
if (new_token == INVALID_HANDLE_VALUE)
|
||||
{
|
||||
new_token = subauth (pw_new);
|
||||
debug_printf ("subauth %s, try create_token.",
|
||||
new_token == INVALID_HANDLE_VALUE ? "failed" : "succeeded");
|
||||
HANDLE new_token2 = create_token (usersid, groups, pw_new, new_token);
|
||||
if (new_token2 == INVALID_HANDLE_VALUE)
|
||||
{
|
||||
if (!(new_token = lsaauth (usersid, groups, pw_new)))
|
||||
{
|
||||
#if 0
|
||||
new_token = subauth (pw_new);
|
||||
debug_printf ("subauth %s, try create_token.",
|
||||
new_token == INVALID_HANDLE_VALUE ? "failed" : "succeeded");
|
||||
HANDLE new_token2 = create_token (usersid, groups, pw_new, new_token);
|
||||
if (new_token2 == INVALID_HANDLE_VALUE)
|
||||
{
|
||||
if (new_token == INVALID_HANDLE_VALUE)
|
||||
{
|
||||
debug_printf ("create_token failed, bail out of here");
|
||||
cygheap->user.reimpersonate ();
|
||||
return -1;
|
||||
}
|
||||
debug_printf ("create_token failed, use original subauth token");
|
||||
}
|
||||
else
|
||||
{
|
||||
debug_printf ("create_token succeeded");
|
||||
if (new_token != INVALID_HANDLE_VALUE)
|
||||
CloseHandle (new_token);
|
||||
new_token = new_token2;
|
||||
}
|
||||
#else
|
||||
debug_printf ("lsaauth failed, try create_token.");
|
||||
new_token = create_token (usersid, groups, pw_new,
|
||||
INVALID_HANDLE_VALUE);
|
||||
if (new_token == INVALID_HANDLE_VALUE)
|
||||
{
|
||||
debug_printf ("create_token failed, bail out of here");
|
||||
cygheap->user.reimpersonate ();
|
||||
return -1;
|
||||
}
|
||||
debug_printf ("create_token failed, use original subauth token");
|
||||
}
|
||||
else
|
||||
{
|
||||
debug_printf ("create_token succeeded");
|
||||
if (new_token != INVALID_HANDLE_VALUE)
|
||||
CloseHandle (new_token);
|
||||
new_token = new_token2;
|
||||
#endif
|
||||
}
|
||||
|
||||
/* Keep at most one internal token */
|
||||
if (cygheap->user.internal_token != NO_IMPERSONATION)
|
||||
CloseHandle (cygheap->user.internal_token);
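Review bot: The new `if (!(new_token = lsaauth (usersid, groups, pw_new)))` treats only a NULL handle as failure, while every other check in this block, including the `create_token` fallback directly below it, uses `INVALID_HANDLE_VALUE` as the failure sentinel. `lsaauth` is defined in security.cc and its return contract is not visible in this hunk; if any of its error paths returns `INVALID_HANDLE_VALUE`, the fallback is skipped and `seteuid32` carries on with an invalid token, so the identity switch would fail later and less visibly. Either make the test cover both sentinels, `if (!(new_token = lsaauth (usersid, groups, pw_new)) || new_token == INVALID_HANDLE_VALUE)`, or, once the contract is confirmed, add a comment at the call such as `/* lsaauth returns NULL on failure, unlike create_token. */`. The body of `seteuid32` starts and ends outside the hunk.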
|
||||
|