Starting w/ the intro of S4U, seteuid32() calls lsaprivkeyauth(), then
s4uauth(). s4uauth calls LsaRegisterLogonProcess().
LsaRegisterLogonProcess fails w/ STATUS_PORT_CONNECTION_REFUSED, if the
proper privileges are not held.
Because of RtlNtStatusToDosError(), this status would be mapped to
ERROR_ACCESS_DENIED, which in turn would map to EACCES. Therefore it is
useless to add this status to errmap[] (errno.cc), as s4auauth() should
return EPERM as errno here (i.e. if process is not privileged).
Hence the kludge.
Before the intro of S4U, seteuid32() called lsaprivkeyauth(), then
lsaauth(), then create_token(). Before the intro of Vista, the latter
would have called NtCreateToken().
NtCreateToken() would have failed w/ STATUS_PRIVILEGE_NOT_HELD for a
process w/o the proper privileges. In that case, calling seteuid32()
would have returned EPERM (as required).
Since the intro of Vista, and if the process had been started from an
UNelevated shell, create_token() does NOT reach NtCreateToken()!
As create_token() failed to properly set errno in that case, calling
seteuid32() would return errno as set by lsaauth(), i.e. EACCES, not
in agreement w/ Posix (a bug which was present for years).
(lsaauth() called LsaRegisterLogonProcess() which would fail)
Revert "Cywin: user profile: unload impersonation user profile on exit"
Revert "Cygwin: seteuid: allow inheriting impersonation user profile handle"
Revert "Cygwin: user profile: add debug output to unload_user_profile"
Revert "Cygwin: user profile: Make an effort to unload unused user profiles"
This reverts commit bcb33dc4f0.
This reverts commit dd3730ed9c.
This reverts commit 8eee25241e.
This reverts commit 71b8777a71.
This patchset actually results in the following problem:
- After a couple of ssh logon/logoff attempts, an interactive session
of the same user loging in, is broken.
Apparently UnloadUserProfile manages to unload the user's profile
even while a parallel interactive session still uses the user's
profile.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
If the user domain is the primary domain, LDAP is supposed to
use the default naming context. This is accomplished by setting
domain name to NULL in the call to cyg_ldap::fetch_ad_account.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
...before calling any of its method. It's no safe bet that
it's already initialized when calling s4uauth and adding it
to load_user_profile certainly doesn't hurt.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
In case of a local machine account login, pi.lpProfilePath points
to the buffer returned by NetUserGetInfo, but NetApiBufferFree
is called prior to calling LoadUserProfileW. Fix by copying over
usri3_profile to the local userpath buffer, just as in the AD case.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
This never really worked. While at it, restructure code to
do common stuff only in one spot. Improve debug output.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Does this work? There's not much feedback given.
TODO: We might want to try unloading the user profile at process
exit as well, FWIW.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Commit 649911fb40 avoids the
calls to NetUserGetGroups and NetUserGetLocalGroups since
these can take a lot of time. The same problem potentially
occurs when loading the user profile. The code fetches
the roaming profile path calling NetUserGetInfo, which also
can be rather slow.
To avoid this problem, fetch the profile patch using LDAP.
Also, don't bail out early if the user's registry hive already
exists. This may result in outdated information.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
NetUserGetGroups and NetUserGetLocalGroups sometimes take a lot of time
(up to more than 2 mins) for no apparent reason.
Call s4uauth to generate an identification token for the user and fetch
the group list from there. This is *much* faster.
Keep the old code only for the sake of WOW64 on Vista and Windows 7,
which don't implement MsV1_0S4ULogon.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
s4uath was only callable to create an impersonation token so
far. Rework the function to allow creating an identification
token for informational purposes even from untrusted processes.
Take domainname and username instead of a passwd pointer to be
more multi-purpose.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Up to Vista CreateProcessAsUser only worked with primary tokens,
so convert S4U impersonation token to primary token. MSDN still
documents it that way, but actually an impersonation token is
sufficient since Windows 7.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Under WOW64 on 64 bit Windows 7, MsV1_0S4ULogon appears to be
unimplemented, probably under Vista as well. Re-enable
create_token method, to allow basic seteuid on W7 WOW64 and
Vista as well.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
for domain accounts we try KerbS4ULogon first, MsV1_0S4ULogon
second. But we only fetch the package id for the supporting
authentication package (Kerberos/MsV1_0) once at the start.
Duplicate LsaLookupAuthenticationPackage call and move into the
Kerb/MsV1_0 branches so that it fetches the correct package id
for the method we call next.
Curious enough this worked before. Apparently both methods
work with the MICROSOFT_KERBEROS_NAME_A package id. However,
requesting and using the right authentication package id is
the prudent thing to do.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
- This simple and official method replaces cyglsa and "create token"
methods. No network share access, same as before.
- lsaauth and create_token are disabled now. If problems crop up,
they can be easily reactivated. If no problems crop up, they
can be removed in a while, together with the lsaauth subdir.
- Bump Cygwin version to 3.0.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
The previous patch failed with password-less auth because in
that case the return code from get_server_groups wasn't tested.
Fix that. Also make sure that get_server_groups does not
check if the account is disabled or locked out when just fetching
the group list for initgroups or getgrouplist.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
So far seteuid could change uid to any existing account, given
sufficient permissions of the caller. This is kind of bad since
it disallows admins to refuse login to disabled or locked out
accounts.
Add check for the account's UF_ACCOUNTDISABLE or UF_LOCKOUT flags
and don't let the user in, if one of the flags is set.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
commit 67fd2101 introduced a bad bug. Changing sys_privs to a static
area and just returning a pointer is nice... *if* the calling code doesn't
call free() on it. Make sure callers check pointer for sys_privs and
refrain from calling free, if so.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Convert sys_privs to const struct with TOKEN_PRIVILEGES layout.
Drop function get_system_priv_list. Just use pointer to sys_privs.
Dropping max_sys_priv from wincaps requires to make sure that the
bitfield is 8 byte aligned on x86_64, otherwise gcc (5.3 only?)
apparently breaks access to the bitfield (off by 4 bytes).
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Bump GPLv2+ to GPLv3+ for some files, clarify BSD 2-clause.
Everything else stays under GPLv3+.
New Linking Exception exempts resulting executables from LGPLv3 section 4.
Add CONTRIBUTORS file to keep track of licensing.
Remove 'Copyright Red Hat Inc' comments.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
A user token can be up to 64K in size. The group list might take a lot
of that so use tmp_pathbuf allocated space rather than stack space
allocted via alloca. In create_token the TOKEN_GROUP was allocated via
malloc, but the code is needlessly complicated. Simplify by using
tmp_pathbuf as well.
* sec_auth.cc (verify_token): Allocate TOKEN_GROUP via tmp_pathbuf.
(create_token): Ditto.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
* sec_auth.cc (get_token_group_sidlist): Drop auth_luid and
auth_pos parameter. Remove code adding a logon SID.
(get_initgroups_sidlist): Drop auth_luid and auth_pos parameter.
Drop in call to get_token_group_sidlist. Accommodate in callers.
(get_setgroups_sidlist): Ditto.
(create_token): Explicitely set auth_luid to ANONYMOUS_LOGON_LUID
or LOCALSERVICE_LUID depending on OS. Explain why.
Remove handling of logon SID since we don't generate one anymore.
(lsaauth): Drop now unused local variable auth_luid and auth_pos.
* wincap.h (wincaps::has_broken_whoami): New element.
* wincap.cc: Implement above element throughout.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
If the calling process doesn't have sufficient privileges to
fetch the linked token of an admin-user token, cygwin_logon_user
fails. This patch changes that by returning the original,
unprivileged token of the admin user to allow authentication
and calling setuid for the current process.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
(LoadUserProfileW): Import.
* registry.cc (get_registry_hive_path): Move to sec_auth.cc.
(load_registry_hive): Remove.
* registry.h (get_registry_hive_path): Drop declaration.
(load_registry_hive): Ditto.
* sec_auth.cc (get_user_profile_directory): Moved from registry.cc and
renamed. Take third parameter with buffer length.
(load_user_profile): New function taking over for load_registry_hive.
Use official functions to load profile. If profile is missing, create
it on Vista and later.
* security.h (get_user_profile_directory): Declare.
(load_user_profile): Declare.
* syscalls.cc (seteuid32): Replace call to load_registry_hive with call
to load_user_profile.
* uinfo.cc (cygheap_user::env_userprofile): Replace call to
get_registry_hive_path with call to get_user_profile_directory.
(CID 60021).
* sec_auth.cc (cygwin_logon_user): Securely erase password copy.
(lsaprivkeyauth): Avoid trying to dereference data if no key is stored
in the registry (CID 60122). Securely erase passwords after usage.
non-builtin accounts.
* uinfo.cc (pwdgrp::fetch_account_from_windows): Check incoming
account name for validity in terms of the current name prefixing rules
and refuse invalid names.
J.H. van de Water
Corinna Vinschen