2003-09-15 Pierre Humblet <pierre.humblet@ieee.org>
* security.h (__sec_user): Add "access2" argument. (sec_acl): Add "original" and "access2" arguments. (sec_user): Add "sid2" and "access2" argument. Remove dependence on allow_ntsec. (sec_user_nih): Ditto. * sec_helper.cc (__sec_user): Add "has_security" test. Call sec_acl with new arguments, letting it handle original_sid. (sec_acl): Add "original" and "access2" arguments. Handle original_sid depending on flag but avoiding duplicates. Use "access2" for sid2. * pinfo.cc (pinfo::init): Use security attributes created by sec_user when creating the mapping. * security.cc (create_token): Adjust arguments in call to sec_acl. Call sec_user instead of __sec_user. * syscall.cc (seteuid32): Adjust arguments in call to sec_acl. Remove now unnecessary test. Remove useless conversions to psid. * dcrt0.cc (dll_crt0_1): Call cygsid::init before pinfo_init.
This commit is contained in:
parent
a9993197f2
commit
c61ada9bd3
@ -1,3 +1,22 @@
|
||||
2003-09-15 Pierre Humblet <pierre.humblet@ieee.org>
|
||||
|
||||
* security.h (__sec_user): Add "access2" argument.
|
||||
(sec_acl): Add "original" and "access2" arguments.
|
||||
(sec_user): Add "sid2" and "access2" argument. Remove dependence on
|
||||
allow_ntsec.
|
||||
(sec_user_nih): Ditto.
|
||||
* sec_helper.cc (__sec_user): Add "has_security" test.
|
||||
Call sec_acl with new arguments, letting it handle original_sid.
|
||||
(sec_acl): Add "original" and "access2" arguments. Handle original_sid
|
||||
depending on flag but avoiding duplicates. Use "access2" for sid2.
|
||||
* pinfo.cc (pinfo::init): Use security attributes created by sec_user
|
||||
when creating the mapping.
|
||||
* security.cc (create_token): Adjust arguments in call to sec_acl.
|
||||
Call sec_user instead of __sec_user.
|
||||
* syscall.cc (seteuid32): Adjust arguments in call to sec_acl. Remove
|
||||
now unnecessary test. Remove useless conversions to psid.
|
||||
* dcrt0.cc (dll_crt0_1): Call cygsid::init before pinfo_init.
|
||||
|
||||
2003-09-13 Christopher Faylor <cgf@redhat.com>
|
||||
|
||||
* Makefile.in: Make malloc_wrapper -fomit-frame-pointer.
|
||||
|
@ -678,6 +678,9 @@ dll_crt0_1 ()
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Init global well known SID objects */
|
||||
cygsid::init ();
|
||||
|
||||
/* Initialize our process table entry. */
|
||||
pinfo_init (envp, envc);
|
||||
|
||||
@ -687,9 +690,6 @@ dll_crt0_1 ()
|
||||
/* Allocate cygheap->fdtab */
|
||||
dtable_init ();
|
||||
|
||||
/* Init global well known SID objects */
|
||||
cygsid::init ();
|
||||
|
||||
/* Initialize user info. */
|
||||
uinfo_init ();
|
||||
|
||||
|
@ -164,7 +164,11 @@ pinfo::init (pid_t n, DWORD flag, HANDLE in_h)
|
||||
}
|
||||
else
|
||||
{
|
||||
h = CreateFileMapping (INVALID_HANDLE_VALUE, &sec_all_nih,
|
||||
char sa_buf[1024];
|
||||
PSECURITY_ATTRIBUTES sec_attribs =
|
||||
sec_user_nih (sa_buf, cygheap->user.sid(), well_known_world_sid,
|
||||
FILE_MAP_READ | FILE_MAP_WRITE); /* FIXME */
|
||||
h = CreateFileMapping (INVALID_HANDLE_VALUE, sec_attribs,
|
||||
PAGE_READWRITE, 0, mapsize, mapname);
|
||||
created = h && GetLastError () != ERROR_ALREADY_EXISTS;
|
||||
}
|
||||
|
@ -372,23 +372,29 @@ get_null_sd ()
|
||||
}
|
||||
|
||||
BOOL
|
||||
sec_acl (PACL acl, BOOL admins, PSID sid1, PSID sid2)
|
||||
sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD access2)
|
||||
{
|
||||
size_t acl_len = MAX_DACL_LEN(5);
|
||||
cygpsid psid;
|
||||
|
||||
if (!InitializeAcl (acl, acl_len, ACL_REVISION))
|
||||
{
|
||||
debug_printf ("InitializeAcl %E");
|
||||
return FALSE;
|
||||
}
|
||||
if (sid2)
|
||||
if (!AddAccessAllowedAce (acl, ACL_REVISION,
|
||||
GENERIC_ALL, sid2))
|
||||
debug_printf ("AddAccessAllowedAce(sid2) %E");
|
||||
if (sid1)
|
||||
if (!AddAccessAllowedAce (acl, ACL_REVISION,
|
||||
GENERIC_ALL, sid1))
|
||||
debug_printf ("AddAccessAllowedAce(sid1) %E");
|
||||
if (original && (psid = cygheap->user.orig_sid ())
|
||||
&& psid != sid1 && psid != well_known_system_sid)
|
||||
if (!AddAccessAllowedAce (acl, ACL_REVISION,
|
||||
GENERIC_ALL, psid))
|
||||
debug_printf ("AddAccessAllowedAce(original) %E");
|
||||
if (sid2)
|
||||
if (!AddAccessAllowedAce (acl, ACL_REVISION,
|
||||
access2, sid2))
|
||||
debug_printf ("AddAccessAllowedAce(sid2) %E");
|
||||
if (admins)
|
||||
if (!AddAccessAllowedAce (acl, ACL_REVISION,
|
||||
GENERIC_ALL, well_known_admins_sid))
|
||||
@ -396,26 +402,18 @@ sec_acl (PACL acl, BOOL admins, PSID sid1, PSID sid2)
|
||||
if (!AddAccessAllowedAce (acl, ACL_REVISION,
|
||||
GENERIC_ALL, well_known_system_sid))
|
||||
debug_printf ("AddAccessAllowedAce(system) %E");
|
||||
#if 0 /* Does not seem to help */
|
||||
if (!AddAccessAllowedAce (acl, ACL_REVISION,
|
||||
GENERIC_ALL, well_known_creator_owner_sid))
|
||||
debug_printf ("AddAccessAllowedAce(creator_owner) %E");
|
||||
#endif
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
PSECURITY_ATTRIBUTES __stdcall
|
||||
__sec_user (PVOID sa_buf, PSID sid2, BOOL inherit)
|
||||
__sec_user (PVOID sa_buf, PSID sid1, PSID sid2, DWORD access2, BOOL inherit)
|
||||
{
|
||||
PSECURITY_ATTRIBUTES psa = (PSECURITY_ATTRIBUTES) sa_buf;
|
||||
PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR)
|
||||
((char *) sa_buf + sizeof (*psa));
|
||||
PACL acl = (PACL) ((char *) sa_buf + sizeof (*psa) + sizeof (*psd));
|
||||
|
||||
cygsid sid;
|
||||
|
||||
if (!(sid = cygheap->user.orig_sid ()) ||
|
||||
(!sec_acl (acl, TRUE, sid, sid2)))
|
||||
if (!wincap.has_security () || !sec_acl (acl, true, true, sid1, sid2, access2))
|
||||
return inherit ? &sec_none : &sec_none_nih;
|
||||
|
||||
if (!InitializeSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION))
|
||||
|
@ -906,7 +906,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
|
||||
goto out;
|
||||
|
||||
/* Create default dacl. */
|
||||
if (!sec_acl ((PACL) acl_buf, FALSE,
|
||||
if (!sec_acl ((PACL) acl_buf, false, false,
|
||||
tmp_gsids.contains (well_known_admins_sid) ?
|
||||
well_known_admins_sid : usersid))
|
||||
goto out;
|
||||
@ -926,7 +926,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
|
||||
else
|
||||
{
|
||||
/* Set security descriptor and primary group */
|
||||
psa = __sec_user (sa_buf, usersid, TRUE);
|
||||
psa = sec_user (sa_buf, usersid);
|
||||
if (psa->lpSecurityDescriptor &&
|
||||
!SetSecurityDescriptorGroup ((PSECURITY_DESCRIPTOR)
|
||||
psa->lpSecurityDescriptor,
|
||||
|
@ -256,9 +256,11 @@ SECURITY_DESCRIPTOR *__stdcall get_null_sd (void);
|
||||
|
||||
/* Various types of security attributes for use in Create* functions. */
|
||||
extern SECURITY_ATTRIBUTES sec_none, sec_none_nih, sec_all, sec_all_nih;
|
||||
extern SECURITY_ATTRIBUTES *__stdcall __sec_user (PVOID sa_buf, PSID sid2, BOOL inherit)
|
||||
extern SECURITY_ATTRIBUTES *__stdcall __sec_user (PVOID sa_buf, PSID sid1, PSID sid2,
|
||||
DWORD access2, BOOL inherit)
|
||||
__attribute__ ((regparm (3)));
|
||||
extern BOOL sec_acl (PACL acl, BOOL admins, PSID sid1 = NO_SID, PSID sid2 = NO_SID);
|
||||
extern BOOL sec_acl (PACL acl, bool original, bool admins, PSID sid1 = NO_SID,
|
||||
PSID sid2 = NO_SID, DWORD access2 = 0);
|
||||
|
||||
int __stdcall NTReadEA (const char *file, const char *attrname, char *buf, int len);
|
||||
BOOL __stdcall NTWriteEA (const char *file, const char *attrname, const char *buf, int len);
|
||||
@ -266,14 +268,14 @@ PSECURITY_DESCRIPTOR alloc_sd (__uid32_t uid, __gid32_t gid, int attribute,
|
||||
PSECURITY_DESCRIPTOR sd_ret, DWORD *sd_size_ret);
|
||||
|
||||
extern inline SECURITY_ATTRIBUTES *
|
||||
sec_user_nih (char sa_buf[], PSID sid = NULL)
|
||||
sec_user_nih (char sa_buf[], PSID sid1 = NULL, PSID sid2 = NULL, DWORD access2 = 0)
|
||||
{
|
||||
return allow_ntsec ? __sec_user (sa_buf, sid, FALSE) : &sec_none_nih;
|
||||
return __sec_user (sa_buf, sid1, sid2, access2, FALSE);
|
||||
}
|
||||
|
||||
extern inline SECURITY_ATTRIBUTES *
|
||||
sec_user (char sa_buf[], PSID sid = NULL)
|
||||
sec_user (char sa_buf[], PSID sid1 = NULL, PSID sid2 = NULL, DWORD access2 = 0)
|
||||
{
|
||||
return allow_ntsec ? __sec_user (sa_buf, sid, TRUE) : &sec_none;
|
||||
return __sec_user (sa_buf, sid1, sid2, access2, TRUE);
|
||||
}
|
||||
#endif /*_SECURITY_H*/
|
||||
|
@ -2076,7 +2076,6 @@ seteuid32 (__uid32_t uid)
|
||||
user_groups &groups = cygheap->user.groups;
|
||||
HANDLE ptok, new_token = INVALID_HANDLE_VALUE;
|
||||
struct passwd * pw_new;
|
||||
cygpsid origpsid, psid2 (NO_SID);
|
||||
BOOL token_is_internal, issamesid;
|
||||
|
||||
pw_new = internal_getpwuid (uid);
|
||||
@ -2121,9 +2120,7 @@ seteuid32 (__uid32_t uid)
|
||||
if (cygheap->user.current_token != new_token)
|
||||
{
|
||||
char dacl_buf[MAX_DACL_LEN (5)];
|
||||
if (usersid != (origpsid = cygheap->user.orig_sid ()))
|
||||
psid2 = usersid;
|
||||
if (sec_acl ((PACL) dacl_buf, FALSE, origpsid, psid2))
|
||||
if (sec_acl ((PACL) dacl_buf, true, false, usersid))
|
||||
{
|
||||
TOKEN_DEFAULT_DACL tdacl;
|
||||
tdacl.DefaultDacl = (PACL) dacl_buf;
|
||||
@ -2171,7 +2168,7 @@ seteuid32 (__uid32_t uid)
|
||||
}
|
||||
|
||||
CloseHandle (ptok);
|
||||
issamesid = (usersid == (psid2 = cygheap->user.sid ()));
|
||||
issamesid = (usersid == cygheap->user.sid ());
|
||||
cygheap->user.set_sid (usersid);
|
||||
cygheap->user.current_token = new_token == ptok ? INVALID_HANDLE_VALUE
|
||||
: new_token;
|
||||
|
Loading…
Reference in New Issue
Block a user