* sec_auth.cc (get_token_group_sidlist): Add CONSOLE LOGON SID on

systems supporting it.  Never add SERVICE SID but keep code in for
	future reference.  Explain why.
	(get_priv_list): Add cygpsid pointer parameter.  Point it to the
	mandatory integrity SID which matches account and privileges.
	(create_token): Fetch mandatory integrity SID from call to
	get_priv_list.
	(lsaauth): Call get_priv_list with additional NULL pointer.  Change
	comment accordingly.
	* sec_helper.cc (well_known_console_logon_sid): New static SID.
	(cygpriv): Change to structure containing extra flag to store info
	about required integrity level.
	(privilege_luid): Accommodate changes to cygpriv.  Return integrity
	level in new high_integrity parameter.
	(privilege_name): Accommodate changes to cygpriv.
	(set_privilege): Drop trailing \n from debug output.
	(set_cygwin_privileges): Don't set SE_CREATE_GLOBAL_PRIVILEGE anymore
	since it's just not needed, but keep code in for future reference.
	Change comment accordingly.
	* security.h (well_known_console_logon_sid): Declare.
	(privilege_luid): Align declaration to above change.
	* wincap.h (wincaps::has_console_logon_sid): New element.
	* wincap.cc: Implement above element throughout.
This commit is contained in:
Corinna Vinschen
2011-10-15 16:31:57 +00:00
parent 551a3d64c9
commit c52fd6cd47
6 changed files with 130 additions and 67 deletions

View File

@ -37,6 +37,8 @@ MKSID (well_known_world_sid, "S-1-1-0",
SECURITY_WORLD_SID_AUTHORITY, 1, SECURITY_WORLD_RID);
MKSID (well_known_local_sid, "S-1-2-0",
SECURITY_LOCAL_SID_AUTHORITY, 1, SECURITY_LOCAL_RID);
MKSID (well_known_console_logon_sid, "S-1-2-1",
SECURITY_LOCAL_SID_AUTHORITY, 1, 1);
MKSID (well_known_creator_owner_sid, "S-1-3-0",
SECURITY_CREATOR_SID_AUTHORITY, 1, SECURITY_CREATOR_OWNER_RID);
MKSID (well_known_creator_group_sid, "S-1-3-1",
@ -331,58 +333,64 @@ security_descriptor::free ()
#undef TEXT
#define TEXT(q) L##q
/* Index must match the correspoding foo_PRIVILEGE value, see security.h. */
static const wchar_t *cygpriv[] =
/* Index must match the corresponding foo_PRIVILEGE value, see security.h. */
static const struct {
const wchar_t *name;
bool high_integrity; /* UAC: High Mandatory Label required to
be allowed to enable this privilege in
the user token. */
} cygpriv[] =
{
L"",
L"",
SE_CREATE_TOKEN_NAME,
SE_ASSIGNPRIMARYTOKEN_NAME,
SE_LOCK_MEMORY_NAME,
SE_INCREASE_QUOTA_NAME,
SE_MACHINE_ACCOUNT_NAME,
SE_TCB_NAME,
SE_SECURITY_NAME,
SE_TAKE_OWNERSHIP_NAME,
SE_LOAD_DRIVER_NAME,
SE_SYSTEM_PROFILE_NAME,
SE_SYSTEMTIME_NAME,
SE_PROF_SINGLE_PROCESS_NAME,
SE_INC_BASE_PRIORITY_NAME,
SE_CREATE_PAGEFILE_NAME,
SE_CREATE_PERMANENT_NAME,
SE_BACKUP_NAME,
SE_RESTORE_NAME,
SE_SHUTDOWN_NAME,
SE_DEBUG_NAME,
SE_AUDIT_NAME,
SE_SYSTEM_ENVIRONMENT_NAME,
SE_CHANGE_NOTIFY_NAME,
SE_REMOTE_SHUTDOWN_NAME,
SE_UNDOCK_NAME,
SE_SYNC_AGENT_NAME,
SE_ENABLE_DELEGATION_NAME,
SE_MANAGE_VOLUME_NAME,
SE_IMPERSONATE_NAME,
SE_CREATE_GLOBAL_NAME,
SE_TRUSTED_CREDMAN_ACCESS_NAME,
SE_RELABEL_NAME,
SE_INCREASE_WORKING_SET_NAME,
SE_TIME_ZONE_NAME,
SE_CREATE_SYMBOLIC_LINK_NAME
{ L"", false },
{ L"", false },
{ SE_CREATE_TOKEN_NAME, true },
{ SE_ASSIGNPRIMARYTOKEN_NAME, true },
{ SE_LOCK_MEMORY_NAME, false },
{ SE_INCREASE_QUOTA_NAME, true },
{ SE_MACHINE_ACCOUNT_NAME, false },
{ SE_TCB_NAME, true },
{ SE_SECURITY_NAME, true },
{ SE_TAKE_OWNERSHIP_NAME, true },
{ SE_LOAD_DRIVER_NAME, true },
{ SE_SYSTEM_PROFILE_NAME, true },
{ SE_SYSTEMTIME_NAME, true },
{ SE_PROF_SINGLE_PROCESS_NAME, true },
{ SE_INC_BASE_PRIORITY_NAME, true },
{ SE_CREATE_PAGEFILE_NAME, true },
{ SE_CREATE_PERMANENT_NAME, false },
{ SE_BACKUP_NAME, true },
{ SE_RESTORE_NAME, true },
{ SE_SHUTDOWN_NAME, false },
{ SE_DEBUG_NAME, true },
{ SE_AUDIT_NAME, false },
{ SE_SYSTEM_ENVIRONMENT_NAME, true },
{ SE_CHANGE_NOTIFY_NAME, false },
{ SE_REMOTE_SHUTDOWN_NAME, true },
{ SE_UNDOCK_NAME, false },
{ SE_SYNC_AGENT_NAME, false },
{ SE_ENABLE_DELEGATION_NAME, false },
{ SE_MANAGE_VOLUME_NAME, true },
{ SE_IMPERSONATE_NAME, true },
{ SE_CREATE_GLOBAL_NAME, false },
{ SE_TRUSTED_CREDMAN_ACCESS_NAME, false },
{ SE_RELABEL_NAME, true },
{ SE_INCREASE_WORKING_SET_NAME, false },
{ SE_TIME_ZONE_NAME, true },
{ SE_CREATE_SYMBOLIC_LINK_NAME, true }
};
bool
privilege_luid (const PWCHAR pname, LUID *luid)
privilege_luid (const PWCHAR pname, LUID &luid, bool &high_integrity)
{
ULONG idx;
for (idx = SE_CREATE_TOKEN_PRIVILEGE;
idx <= SE_MAX_WELL_KNOWN_PRIVILEGE;
++idx)
if (!wcscmp (cygpriv[idx], pname))
if (!wcscmp (cygpriv[idx].name, pname))
{
luid->HighPart = 0;
luid->LowPart = idx;
luid.HighPart = 0;
luid.LowPart = idx;
high_integrity = cygpriv[idx].high_integrity;
return true;
}
return false;
@ -394,7 +402,7 @@ privilege_name (const LUID &priv_luid)
if (priv_luid.HighPart || priv_luid.LowPart < SE_CREATE_TOKEN_PRIVILEGE
|| priv_luid.LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE)
return L"<unknown privilege>";
return cygpriv[priv_luid.LowPart];
return cygpriv[priv_luid.LowPart].name;
}
int
@ -426,7 +434,7 @@ set_privilege (HANDLE token, DWORD privilege, bool enable)
out:
if (ret < 0)
debug_printf ("%d = set_privilege ((token %x) %W, %d)\n", ret, token,
debug_printf ("%d = set_privilege ((token %x) %W, %d)", ret, token,
privilege_name (new_priv.Privileges[0].Luid), enable);
return ret;
}
@ -444,12 +452,13 @@ set_cygwin_privileges (HANDLE token)
set_privilege (token, SE_BACKUP_PRIVILEGE, true);
/* Allow full access to other user's processes. */
set_privilege (token, SE_DEBUG_PRIVILEGE, true);
/* Allow to create global shared memory. This shouldn't be required since
#if 0
/* Allow to create global shared memory. This isn't required anymore since
Cygwin 1.7. It uses its own subdirectories in the global NT namespace
which isn't affected by the SE_CREATE_GLOBAL_PRIVILEGE restriction.
Anyway, better safe than sorry. */
which isn't affected by the SE_CREATE_GLOBAL_PRIVILEGE restriction. */
if (wincap.has_create_global_privilege ())
set_privilege (token, SE_CREATE_GLOBAL_PRIVILEGE, true);
#endif
}
/* Function to return a common SECURITY_DESCRIPTOR that