JehanneOS/newlib
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

* cygheap.h (class cygheap_user): Use INVALID_HANDLE_VALUE as invalid

Browse Source 
value for tokens.
	* syscalls.cc (seteuid32): Ditto.  Set new_token to process token if
	process token is suitable.
	* uinfo.cc (uinfo_init): Initialize tokens in cygheap user info
	to INVALID_HANDLE_VALUE.

	* cygheap.h (enum impersonation): Delete.
	(cygheap_user::impersonation_state): Delete.
	(cygheap_user::current_token): New.
	(cygheap_user::issetuid): Modify to use current_token.
	(cygheap_user::token): Ditto.
	(cygheap_user::deimpersonate): Ditto.
	(cygheap_user::reimpersonate): Ditto.
	(cygheap_user::has_impersonation_tokens): Ditto.
	(cygheap_user::close_impersonation_tokens): Ditto.
	* security.cc (cygwin_set_impersonation_token): Always set the token.
	(verify_token): Change type of gsid to cygpsid.
	(get_file_attribute): Use the effective ids.
	* syscalls.cc (seteuid32): Modify to use cygheap_user::current_token.
	* uinfo.cc (uinfo_init) Do not set cygheap->user.impersonation_state.
This commit is contained in:
Corinna Vinschen 2003-07-14 17:04:21 +00:00
parent 9ff631a70c
commit ea3ba11499
5 changed files with 106 additions and 115 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
winsup/cygwin/ChangeLog
View File

@ -1,3 +1,29 @@
2003-07-14 Corinna Vinschen <corinna@vinschen.de>
* cygheap.h (class cygheap_user): Use INVALID_HANDLE_VALUE as invalid
value for tokens.
* syscalls.cc (seteuid32): Ditto. Set new_token to process token if
process token is suitable.
* uinfo.cc (uinfo_init): Initialize tokens in cygheap user info
to INVALID_HANDLE_VALUE.
2003-07-14 Pierre Humblet <pierre.humblet@ieee.org>
* cygheap.h (enum impersonation): Delete.
(cygheap_user::impersonation_state): Delete.
(cygheap_user::current_token): New.
(cygheap_user::issetuid): Modify to use current_token.
(cygheap_user::token): Ditto.
(cygheap_user::deimpersonate): Ditto.
(cygheap_user::reimpersonate): Ditto.
(cygheap_user::has_impersonation_tokens): Ditto.
(cygheap_user::close_impersonation_tokens): Ditto.
* security.cc (cygwin_set_impersonation_token): Always set the token.
(verify_token): Change type of gsid to cygpsid.
(get_file_attribute): Use the effective ids.
* syscalls.cc (seteuid32): Modify to use cygheap_user::current_token.
* uinfo.cc (uinfo_init) Do not set cygheap->user.impersonation_state.
2003-07-12 Christopher Faylor <cgf@redhat.com> 2003-07-12 Christopher Faylor <cgf@redhat.com>
* pinfo.cc (_pinfo::commune_send): Fix bounds test so that poll of * pinfo.cc (_pinfo::commune_send): Fix bounds test so that poll of

47
winsup/cygwin/cygheap.h
View File

@ -92,14 +92,6 @@ enum homebodies
CH_HOME CH_HOME
}; };
enum impersonation
{
IMP_BAD = -1,
IMP_NONE = 0,
IMP_EXTERNAL,
IMP_INTERNAL
};
class cygheap_user class cygheap_user
{ {
/* Extendend user information. /* Extendend user information.
@ -125,7 +117,7 @@ public:
to `set_impersonation_token()'. */ to `set_impersonation_token()'. */
HANDLE external_token; HANDLE external_token;
HANDLE internal_token; HANDLE internal_token;
enum impersonation impersonation_state; HANDLE current_token;
/* CGF 2002-06-27. I removed the initializaton from this constructor /* CGF 2002-06-27. I removed the initializaton from this constructor
since this class is always allocated statically. That means that everything since this class is always allocated statically. That means that everything
@ -170,41 +162,40 @@ public:
PSID sid () const { return psid; } PSID sid () const { return psid; }
PSID orig_sid () const { return orig_psid; } PSID orig_sid () const { return orig_psid; }
const char *ontherange (homebodies what, struct passwd * = NULL); const char *ontherange (homebodies what, struct passwd * = NULL);
bool issetuid () const bool issetuid () const { return current_token != INVALID_HANDLE_VALUE; }
{ HANDLE token () { return current_token; }
return impersonation_state > IMP_NONE;
}
HANDLE token ()
{
if (impersonation_state == IMP_EXTERNAL)
return external_token;
if (impersonation_state == IMP_INTERNAL)
return internal_token;
return INVALID_HANDLE_VALUE;
}
void deimpersonate () void deimpersonate ()
{ {
if (impersonation_state > IMP_NONE) if (issetuid ())
RevertToSelf (); RevertToSelf ();
} }
void reimpersonate () void reimpersonate ()
{ {
if (impersonation_state > IMP_NONE if (issetuid ()
&& !ImpersonateLoggedOnUser (token ())) && !ImpersonateLoggedOnUser (token ()))
system_printf ("ImpersonateLoggedOnUser: %E"); system_printf ("ImpersonateLoggedOnUser: %E");
} }
bool has_impersonation_tokens () { return external_token || internal_token; } bool has_impersonation_tokens ()
{ return external_token != INVALID_HANDLE_VALUE
|| internal_token != INVALID_HANDLE_VALUE
|| current_token != INVALID_HANDLE_VALUE; }
void close_impersonation_tokens () void close_impersonation_tokens ()
{ {
if (external_token) if (current_token != INVALID_HANDLE_VALUE)
{
if( current_token != external_token && current_token != internal_token)
CloseHandle (current_token);
current_token = INVALID_HANDLE_VALUE;
}
if (external_token != INVALID_HANDLE_VALUE)
{ {
CloseHandle (external_token); CloseHandle (external_token);
external_token = 0; external_token = INVALID_HANDLE_VALUE;
} }
if (internal_token) if (internal_token != INVALID_HANDLE_VALUE)
{ {
CloseHandle (internal_token); CloseHandle (internal_token);
internal_token = 0; internal_token = INVALID_HANDLE_VALUE;
} }
} }
const char *cygheap_user::test_uid (char *&, const char *, size_t) const char *cygheap_user::test_uid (char *&, const char *, size_t)

17
winsup/cygwin/security.cc
View File

@ -69,18 +69,9 @@ extern "C" void
cygwin_set_impersonation_token (const HANDLE hToken) cygwin_set_impersonation_token (const HANDLE hToken)
{ {
debug_printf ("set_impersonation_token (%d)", hToken); debug_printf ("set_impersonation_token (%d)", hToken);
if (cygheap->user.impersonation_state == IMP_EXTERNAL
&& cygheap->user.external_token != hToken)
{
set_errno (EPERM);
return;
}
else
{
cygheap->user.external_token = hToken; cygheap->user.external_token = hToken;
return; return;
} }
}
void void
extract_nt_dom_user (const struct passwd *pw, char *domain, char *user) extract_nt_dom_user (const struct passwd *pw, char *domain, char *user)
@ -741,13 +732,13 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, BOOL *pintern)
if (intern && !groups.issetgroups ()) if (intern && !groups.issetgroups ())
{ {
char sd_buf[MAX_SID_LEN + sizeof (SECURITY_DESCRIPTOR)]; char sd_buf[MAX_SID_LEN + sizeof (SECURITY_DESCRIPTOR)];
PSID gsid = NO_SID; cygpsid gsid (NO_SID);
if (!GetKernelObjectSecurity (token, GROUP_SECURITY_INFORMATION, if (!GetKernelObjectSecurity (token, GROUP_SECURITY_INFORMATION,
(PSECURITY_DESCRIPTOR) sd_buf, (PSECURITY_DESCRIPTOR) sd_buf,
sizeof sd_buf, &size)) sizeof sd_buf, &size))
debug_printf ("GetKernelObjectSecurity(): %E"); debug_printf ("GetKernelObjectSecurity(): %E");
else if (!GetSecurityDescriptorGroup ((PSECURITY_DESCRIPTOR) sd_buf, else if (!GetSecurityDescriptorGroup ((PSECURITY_DESCRIPTOR) sd_buf,
&gsid, (BOOL *) &size)) (PSID *) &gsid, (BOOL *) &size))
debug_printf ("GetSecurityDescriptorGroup(): %E"); debug_printf ("GetSecurityDescriptorGroup(): %E");
if (well_known_null_sid != gsid) if (well_known_null_sid != gsid)
return gsid == groups.pgsid; return gsid == groups.pgsid;
@ -1414,9 +1405,9 @@ get_file_attribute (int use_ntsec, const char *file,
} }
if (uidret) if (uidret)
*uidret = getuid32 (); *uidret = myself->uid;
if (gidret) if (gidret)
*gidret = getgid32 (); *gidret = myself->gid;
if (!attribute) if (!attribute)
return 0; return 0;

73
winsup/cygwin/syscalls.cc
View File

@ -2058,7 +2058,6 @@ seteuid32 (__uid32_t uid)
HANDLE ptok, new_token = INVALID_HANDLE_VALUE; HANDLE ptok, new_token = INVALID_HANDLE_VALUE;
struct passwd * pw_new; struct passwd * pw_new;
PSID origpsid, psid2 = NO_SID; PSID origpsid, psid2 = NO_SID;
enum impersonation new_state = IMP_BAD;
BOOL token_is_internal; BOOL token_is_internal;
pw_new = internal_getpwuid (uid); pw_new = internal_getpwuid (uid);
@ -2079,31 +2078,29 @@ seteuid32 (__uid32_t uid)
/* Verify if the process token is suitable. */ /* Verify if the process token is suitable. */
if (verify_token (ptok, usersid, groups)) if (verify_token (ptok, usersid, groups))
new_state = IMP_NONE; new_token = ptok;
/* Verify if a current token is suitable */ /* Verify if the external token is suitable */
else if (cygheap->user.external_token else if (cygheap->user.external_token != INVALID_HANDLE_VALUE
&& verify_token (cygheap->user.external_token, usersid, groups)) && verify_token (cygheap->user.external_token, usersid, groups))
{
new_token = cygheap->user.external_token; new_token = cygheap->user.external_token;
new_state = IMP_EXTERNAL; /* Verify if the current token (internal or former external) is suitable */
} else if (cygheap->user.current_token != INVALID_HANDLE_VALUE
else if (cygheap->user.internal_token && cygheap->user.current_token != cygheap->user.external_token
&& verify_token (cygheap->user.current_token, usersid, groups,
&token_is_internal))
new_token = cygheap->user.current_token;
/* Verify if the internal token is suitable */
else if (cygheap->user.internal_token != INVALID_HANDLE_VALUE
&& cygheap->user.internal_token != cygheap->user.current_token
&& verify_token (cygheap->user.internal_token, usersid, groups, && verify_token (cygheap->user.internal_token, usersid, groups,
&token_is_internal)) &token_is_internal))
{
new_token = cygheap->user.internal_token; new_token = cygheap->user.internal_token;
new_state = IMP_INTERNAL;
}
debug_printf ("New token %d, state %d", new_token, new_state); debug_printf ("Found token %d", new_token);
/* Return if current token is valid */
if (cygheap->user.impersonation_state == new_state)
{
cygheap->user.reimpersonate ();
goto success; /* No change */
}
/* Set process def dacl to allow access to impersonated token */ /* Set process def dacl to allow access to impersonated token */
if (cygheap->user.current_token != new_token)
{
char dacl_buf[MAX_DACL_LEN (5)]; char dacl_buf[MAX_DACL_LEN (5)];
if (usersid != (origpsid = cygheap->user.orig_sid ())) if (usersid != (origpsid = cygheap->user.orig_sid ()))
psid2 = usersid; psid2 = usersid;
@ -2116,11 +2113,12 @@ seteuid32 (__uid32_t uid)
debug_printf ("SetTokenInformation" debug_printf ("SetTokenInformation"
"(TokenDefaultDacl): %E"); "(TokenDefaultDacl): %E");
} }
}
if (new_state == IMP_BAD)
{
/* If no impersonation token is available, try to /* If no impersonation token is available, try to
authenticate using NtCreateToken () or subauthentication. */ authenticate using NtCreateToken () or subauthentication. */
if (new_token == INVALID_HANDLE_VALUE)
{
new_token = create_token (usersid, groups, pw_new); new_token = create_token (usersid, groups, pw_new);
if (new_token == INVALID_HANDLE_VALUE) if (new_token == INVALID_HANDLE_VALUE)
{ {
@ -2130,15 +2128,12 @@ seteuid32 (__uid32_t uid)
if (new_token == INVALID_HANDLE_VALUE) if (new_token == INVALID_HANDLE_VALUE)
goto failed; goto failed;
} }
new_state = IMP_INTERNAL; /* Keep at most one internal token */
if (cygheap->user.internal_token != INVALID_HANDLE_VALUE)
CloseHandle (cygheap->user.internal_token);
cygheap->user.internal_token = new_token;
} }
else if (new_token != ptok)
/* If using the token, set info and impersonate */
if (new_state != IMP_NONE)
{
/* If the token was explicitly created, all information has
already been set correctly. */
if (new_state == IMP_EXTERNAL)
{ {
/* Try setting owner to same value as user. */ /* Try setting owner to same value as user. */
if (!SetTokenInformation (new_token, TokenOwner, if (!SetTokenInformation (new_token, TokenOwner,
@ -2152,26 +2147,12 @@ seteuid32 (__uid32_t uid)
debug_printf ("SetTokenInformation(user.token, " debug_printf ("SetTokenInformation(user.token, "
"TokenPrimaryGroup): %E"); "TokenPrimaryGroup): %E");
} }
/* Try to impersonate. */
if (!ImpersonateLoggedOnUser (new_token))
{
debug_printf ("ImpersonateLoggedOnUser %E");
__seterrno ();
goto failed;
}
/* Keep at most one internal token */
if (new_state == IMP_INTERNAL)
{
if (cygheap->user.internal_token)
CloseHandle (cygheap->user.internal_token);
cygheap->user.internal_token = new_token;
}
}
cygheap->user.set_sid (usersid);
success:
CloseHandle (ptok); CloseHandle (ptok);
cygheap->user.impersonation_state = new_state; cygheap->user.set_sid (usersid);
cygheap->user.current_token = new_token == ptok ? INVALID_HANDLE_VALUE
: new_token;
cygheap->user.reimpersonate ();
success_9x: success_9x:
cygheap->user.set_name (pw_new->pw_name); cygheap->user.set_name (pw_new->pw_name);
myself->uid = uid; myself->uid = uid;

4
winsup/cygwin/uinfo.cc
View File

@ -122,7 +122,9 @@ uinfo_init ()
cygheap->user.orig_uid = cygheap->user.real_uid = myself->uid; cygheap->user.orig_uid = cygheap->user.real_uid = myself->uid;
cygheap->user.orig_gid = cygheap->user.real_gid = myself->gid; cygheap->user.orig_gid = cygheap->user.real_gid = myself->gid;
cygheap->user.impersonation_state = IMP_NONE; cygheap->user.external_token = INVALID_HANDLE_VALUE;
cygheap->user.internal_token = INVALID_HANDLE_VALUE;
cygheap->user.current_token = INVALID_HANDLE_VALUE;
cygheap->user.set_orig_sid (); /* Update the original sid */ cygheap->user.set_orig_sid (); /* Update the original sid */
} }