* cygheap.cc (cygheap_init): Accomodate set_process_privilege change.

* cygheap.h (cygheap_user::curr_primary_token): New member.
	(cygheap_user::primary_token): New method.
	(cygheap_user::deimpersonate): Always revert to processes'
	impersonation token.
	(cygheap_user::reimpersonate): Set processes' or setuid token as
	necessary.
	(cygheap_user::has_impersonation_tokens): Look for curr_primary_token
	value.
	(cygheap_user::close_impersonation_tokens): Close curr_primary_token
	here if necessary.  Don't reset token values to NO_IMPERSONATION since
	that's done in uinfo_init anyway.
	(init_cygheap::luid): New LUID array keeping privilege LUIDs.
	* cygtls.cc (_cygtls::init_thread): Call cygheap->user.reimpersonate.
	* dcrt0.cc (hProcToken): New global variable to keep process token.
	(hProcImpToken): Ditto for process impersonation token.
	(dll_crt0_0): Open process token here once.  Duplicate to create
	hProcImpToken.
	(dll_crt0_1): Call set_cygwin_privileges.
	* environ.cc (allow_ntea): Drop duplicate declaration.
	(allow_smbntsec): Ditto.
	(set_traverse): Only set allow_traverse here.
	(environ_init): Ditto.
	* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Drop call to
	enable_restore_privilege.
	(fhandler_disk_file::fchown): Ditto.
	(fhandler_disk_file::facl): Ditto.
	* fork.cc (fork_child): Move call to cygheap->user.reimpersonate after
	syn with parent. Call set_cygwin_privileges.
	* grp.cc (internal_getgroups): Use hProcImpToken instead of opening
	process token.
	* path.cc (fs_info::update): Bypass traverse checking when retrieving
	volume information using push/pop_thread_privileges.
	* registry.cc (load_registry_hive): Drop setting restore privilege
	since it's already set if available.
	* sec_helper.cc: Include cygtls.h.
	(cygpriv): Privilege string array.
	(privilege_luid): New function, evaluate LUID from cygpriv_idx.
	(privilege_luid_by_name): New function, evaluate LUID from privilege
	string.
	(privilege_name): New function, evaluate privilege string from
	cygpriv_idx.
	(set_privilege): New static function called by set_process_privilege
	and set_thread_privilege.  Call privilege_luid to get privilege LUID.
	Fix bug in return value evaluation. Improve debug output.
	(set_cygwin_privileges): New function.
	(set_process_privilege): Remove.
	(enable_restore_privilege): Remove.
	* security.cc (allow_traverse): New global variable.
	(sys_privs): Change type to cygpriv_idx and store privilege indices
	instead of strings.
	(SYSTEM_PRIVILEGES_COUNT): Renamed from SYSTEM_PERMISSION_COUNT.
	(get_system_priv_list): Don't use numerical constant in malloc call.
	Use privilege_luid to get privilege LUIDs.
	(get_priv_list): Call privilege_luid_by_name to get LUIDs. Improve
	inner privilege LUID comparison loop.
	(create_token): Enable create token privilege using
	push/pop_self_privileges. Use hProcToken instead of opening process
	token. Use default DACL when duplicating token.
	(subauth): Enable tcb privilege using push/pop_self_privileges.
	Use sec_none instead of homw made security attributes when duplicating
	token.
	(check_file_access): Don't duplicate access token, use active
	impersonation token as is.
	* security.h (enum cygpriv_idx): New enumeration type enumerating
	possible privileges.
	(privilege_luid): Declare new function.
	(privilege_luid_by_name): Ditto.
	(privilege_name): Ditto.
	(allow_traverse): Declare.
	(set_privilege): Declare function.
	(set_process_privilege): Define as macro.
	(enable_restore_privilege): Remove declaration.
	(_push_thread_privilege): Define macro.
	(push_thread_privilege): Ditto.
	(pop_thread_privilege): Ditto.
	(pop_self_privilege): Ditto.
	* spawn.cc (spawn_guts): Use cygheap->user.primary_token instead of
	cygheap->user.token.
	* syscalls.cc (statvfs): Bypass traverse checking when retrieving
	volume information using push/pop_thread_privileges. Rearrange code
	to simplify push/pop bracketing.
	(seteuid32): Use hProcToken instead of opening process token. Call
	cygheap->user.deimpersonate instead of RevertToSelf.  Create
	impersonation token from primary internal or external token.  Set
	cygheap->user.curr_primary_token and cygheap->user.current_token
	privileges once here.  Drop "failed" and "failed_ptok" labels.
	Drop setting DefaultDacl of process token.
	(setegid32): Use hProcToken and hProcImpToken instead of opening
	process token. Always reimpersonate afterwards.
	* uinfo.cc (cygheap_user::init): Use hProcToken instead of opening
	process token.
	(internal_getlogin): Ditto. Set hProcImpToken, too.
	(uinfo_init): Initialize cygheap->user.curr_primary_token.
	* winsup.h (hProcToken): Declare.
	(hProcImpToken): Declare.
This commit is contained in:
Corinna Vinschen
2005-04-03 13:06:43 +00:00
parent fe3e333661
commit f4a1f8a1db
18 changed files with 498 additions and 287 deletions

View File

@ -236,6 +236,46 @@ extern cygpsid well_known_authenticated_users_sid;
extern cygpsid well_known_system_sid;
extern cygpsid well_known_admins_sid;
/* Order must be same as cygpriv in sec_helper.cc. */
enum cygpriv_idx {
SE_CREATE_TOKEN_PRIV = 0,
SE_ASSIGNPRIMARYTOKEN_PRIV,
SE_LOCK_MEMORY_PRIV,
SE_INCREASE_QUOTA_PRIV,
SE_UNSOLICITED_INPUT_PRIV,
SE_MACHINE_ACCOUNT_PRIV,
SE_TCB_PRIV,
SE_SECURITY_PRIV,
SE_TAKE_OWNERSHIP_PRIV,
SE_LOAD_DRIVER_PRIV,
SE_SYSTEM_PROFILE_PRIV,
SE_SYSTEMTIME_PRIV,
SE_PROF_SINGLE_PROCESS_PRIV,
SE_INC_BASE_PRIORITY_PRIV,
SE_CREATE_PAGEFILE_PRIV,
SE_CREATE_PERMANENT_PRIV,
SE_BACKUP_PRIV,
SE_RESTORE_PRIV,
SE_SHUTDOWN_PRIV,
SE_DEBUG_PRIV,
SE_AUDIT_PRIV,
SE_SYSTEM_ENVIRONMENT_PRIV,
SE_CHANGE_NOTIFY_PRIV,
SE_REMOTE_SHUTDOWN_PRIV,
SE_CREATE_GLOBAL_PRIV,
SE_UNDOCK_PRIV,
SE_MANAGE_VOLUME_PRIV,
SE_IMPERSONATE_PRIV,
SE_ENABLE_DELEGATION_PRIV,
SE_SYNC_AGENT_PRIV,
SE_NUM_PRIVS
};
const LUID *privilege_luid (enum cygpriv_idx idx);
const LUID *privilege_luid_by_name (const char *pname);
const char *privilege_name (enum cygpriv_idx idx);
inline BOOL
legal_sid_type (SID_NAME_USE type)
{
@ -246,6 +286,7 @@ legal_sid_type (SID_NAME_USE type)
extern bool allow_ntea;
extern bool allow_ntsec;
extern bool allow_smbntsec;
extern bool allow_traverse;
/* File manipulation */
int __stdcall get_file_attribute (int, HANDLE, const char *, mode_t *,
@ -291,8 +332,37 @@ void extract_nt_dom_user (const struct passwd *pw, char *domain, char *user);
bool get_logon_server (const char * domain, char * server, WCHAR *wserver = NULL);
/* sec_helper.cc: Security helper functions. */
int set_process_privilege (const char *privilege, bool enable = true, bool use_thread = false);
void enable_restore_privilege (void);
int set_privilege (HANDLE token, enum cygpriv_idx privilege, bool enable);
void set_cygwin_privileges (HANDLE token);
#define set_process_privilege(p,v) set_privilege (hProcImpToken, (p), (v))
#define _push_thread_privilege(_priv, _val, _check) { \
HANDLE _token = NULL, _dup_token = NULL; \
if (wincap.has_security ()) \
{ \
_token = (cygheap->user.issetuid () && (_check)) \
? cygheap->user.token () : hProcImpToken; \
if (!DuplicateTokenEx (_token, MAXIMUM_ALLOWED, NULL, \
SecurityImpersonation, TokenImpersonation, \
&_dup_token)) \
debug_printf ("DuplicateTokenEx: %E"); \
else if (!ImpersonateLoggedOnUser (_dup_token)) \
debug_printf ("ImpersonateLoggedOnUser: %E"); \
else \
set_privilege (_dup_token, (_priv), (_val)); \
}
#define push_thread_privilege(_priv, _val) _push_thread_privilege(_priv,_val,1)
#define push_self_privilege(_priv, _val) _push_thread_privilege(_priv,_val,0)
#define pop_thread_privilege() \
if (_dup_token) \
{ \
ImpersonateLoggedOnUser (_token); \
CloseHandle (_dup_token); \
} \
}
#define pop_self_privilege() pop_thread_privilege()
/* shared.cc: */
/* Retrieve a security descriptor that allows all access */