Commit Graph

735 Commits

Author SHA1 Message Date
Corinna Vinschen dd3730ed9c Cygwin: seteuid: allow inheriting impersonation user profile handle
The child process needs access to the handle to be able to
unload it when switching user context.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-23 20:48:59 +01:00
Corinna Vinschen 71b8777a71 Cygwin: user profile: Make an effort to unload unused user profiles
Does this work?  There's not much feedback given.

TODO: We might want to try unloading the user profile at process
exit as well, FWIW.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-23 17:30:44 +01:00
Corinna Vinschen 13b1f9c0d1 Cygwin: seteuid32: don't use INVALID_HANDLE_VALUE
NULL is the natural state of an unused handle

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-23 17:24:05 +01:00
Corinna Vinschen 105fbdebdd Cygwin: s4uauth: allow to be called for identification only
s4uauth was only callable to create an impersonation token so
far.  Rework the function to allow creating an identification
token for informational purposes even from untrusted processes.

Take domainname and username instead of a passwd pointer to be
more multi-purpose.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-22 21:58:51 +01:00
Corinna Vinschen e53373bbdb Cygwin: re-enable create_token for older systems
Under WOW64 on 64 bit Windows 7, MsV1_0S4ULogon appears to be
unimplemented, probably under Vista as well.  Re-enable
create_token method, to allow basic seteuid on W7 WOW64 and
Vista as well.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-18 21:00:59 +01:00
Michael Haubenwallner 8ddb1f60c8 forkables: Create forkable hardlinks, yet unused.
In preparation to protect fork() against dll- and exe-updates, create
hardlinks to the main executable and each loaded dll in subdirectories
of /var/run/cygfork/, if that one exists on the NTFS file system.

The directory names consist of the user sid, the main executable's NTFS
IndexNumber, and the most recent LastWriteTime of all involved binaries
(dlls and main executable).  Next to the main.exe hardlink we create the
empty file main.exe.local to enable dll redirection.

The name of the mutex to synchronize hardlink creation/cleanup also is
assembled from these directory names, to allow for synchronized cleanup
of even orphaned hardlink directories.

The hardlink to each dynamically loaded dll goes into another directory,
named using the NTFS IndexNumber of the dll's original directory.

	* Makefile.in (DLL_OFILES): Add forkable.o.
	* dll_init.h (struct dll): Declare member variables fbi, fii,
	forkable_ntname.  Declare methods nominate_forkable,
	create_forkable.
	(struct dll_list): Declare enum forkables_needs.  Declare member
	variables forkables_dirx_size, forkables_dirx_ntname,
	forkables_mutex_name, forkables_mutex.  Declare private methods
	forkable_ntnamesize, prepare_forkables_nomination,
	update_forkables_needs, update_forkables, create_forkables,
	denominate_forkables, close_mutex, try_remove_forkables,
	set_forkables_inheritance, request_forkables.  Declare public
	static methods ntopenfile, read_fii, read_fbi.  Declare public
	methods release_forkables, cleanup_forkables.  Define public
	inline method setup_forkables.
	* dll_init.cc (dll_list::alloc): Allocate memory to hold the
	name of the hardlink in struct dll member forkable_ntname.
	Initialize struct dll members fbi, fii.
	(dll_list::load_after_fork): Call release_forkables method.
	* fork.cc: Rename public fork function to static dofork, add
	with_forkables as bool pointer parameter.  Add new fork function
	calling dofork.  (struct frok): Add bool pointer member
	with_forkables, add as constructor parameter.
	(frok::parent): Call dlls.setup_forkables before CreateProcessW,
	dlls.release_forkables afterwards.
	* pinfo.cc (pinfo::exit): Call dlls.cleanup_forkables.
	* syscalls.cc (_unlink_nt): Rename public unlink_nt function to
	static _unlink_nt, with 'shareable' as additional argument.
	(unlink_nt): New, wrap _unlink_nt for original behaviour.
	(unlink_nt_shareable): New, wrap _unlink_nt to keep a binary
	file still loadable while removing one of its hardlinks.
	* forkable.cc: New file.
	Implement static functions mkdirs, rmdirs, rmdirs_synchronized,
	stat_real_file_once, format_IndexNumber, rootname, sidname,
	exename, lwtimename.  Define static array forkable_nameparts.
	(struct dll): Implement nominate_forkable, create_forkable.
	(struct dll_list): Implement static methods ntopenfile,
	read_fii, read_fbi.  Implement forkable_ntnamesize,
2019-02-07 15:58:02 +01:00
Corinna Vinschen 9fa22dba55 Cygwin: unlink: allow fallback from POSIX to default method
Trying to delete in-use executables and DLLs using
FILE_DISPOSITION_POSIX_SEMANTICS returns STATUS_CANNOT_DELETE.
Fall back to the former method if that error occurs to allow
unlinking these files.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-06 21:17:35 +01:00
Corinna Vinschen 5628399c84 Cygwin: proc fd: fix handling of pipes, sockets, etc
The symlink targets of /proc/PID/fd files pointing to pipes and
sockets are just artificial filenames referencing the object using
some internal number.  The pipe open code expects a path specifying
process pid and the internal number so it accesses the right process
and pipe.

- Set the posix path of the pipe to the simple pipe name only,
  as it shows up in /proc/PID/fd.  A /proc/self prefix is just
  as wrong as a /dev/fd prefix.

- Revert thinko in fhandler_pipe::open expecting the name as
  /proc/self/fd/...  In fact this should never happen.

- Fix up the path before re-opening the pipe instead.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-05 15:32:08 +01:00
Corinna Vinschen 1f6340aa8b Cygwin: proc fd: pass along open mode when reopening file
The reopen code neglected to pass along the requested open
mode correctly.  This may end up reopening the file with
incorrect access mask, or duplicating the wrong pipe handle.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-05 15:20:13 +01:00
Corinna Vinschen 0fb497165f Cygwin: seteuid: use Kerberos/MsV1_0 S4U authentication by default
- This simple and official method replaces cyglsa and "create token"
  methods.  No network share access, same as before.

- lsaauth and create_token are disabled now.  If problems crop up,
  they can be easily reactivated.  If no problems crop up, they
  can be removed in a while, together with the lsaauth subdir.

- Bump Cygwin version to 3.0.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-26 19:41:03 +01:00
Corinna Vinschen 0e3fd33321 Cygwin: create_token: Return NULL, not INVALID_HANDLE_VALUE
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-26 12:42:38 +01:00
Corinna Vinschen 3a1ed0ef70 Cygwin: syscalls.cc: fix formatting
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-26 12:42:38 +01:00
Corinna Vinschen 5275b3e3f2 Cygwin: wincap: split has_posix_file_info
While FileRenameInformationEx is defined starting with Windows
10 1709 per MSDN, it only starts working in W10 1809, apparently.
Users of 1803 report "Function not implemented".

Introduce wincap_10_1809 and change the version check in
wincapc::init accordingly.  Split has_posix_file_info into
has_posix_unlink_semantics and has_posix_rename_semantics.
Enable the latter only starting with W10 1809.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-14 20:38:24 +01:00
Corinna Vinschen fbd3835384 Cygwin: try_to_bin: don't check recycler filename all the time
So far we check the recycler name all the time, and the last iteration
also only managed to handle two ways to write the recycler.  However,
an adventurous user might change the case of the recycler arbitrarily.

Fix this problem by keeping track of the name in a somewhat relaxed
fashion.  Use camel back on drive C by default, all upper case elsewhere.
Only if the rename op fails do we fix the recycler name on the fly
when trying to create it, and it turns out it already existed.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-09 21:48:43 +01:00
Corinna Vinschen b7a6d357ee Cygwin: try_to_bin: fix rootdir handle after reopening
If the first rename fails, we reopen the rootdir for creating a subdir.
The rootdir handle can change its value at this point, but the code
doesn't take this into account.  The subsequent rename then fails with
STATUS_INVALID_HANDLE.  Fix this by copying the new rootdir value to
pfri->RootDirectory.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-09 21:48:43 +01:00
Corinna Vinschen ec457e0351 Cygwin: rename: use FILE_RENAME_POSIX_SEMANTICS if available
starting with W10 1709 on local NTFS drives

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-09 15:47:43 +01:00
Corinna Vinschen 15094d5d01 Cygwin: rename: rename incoming flags argument to at2flags
Avoid name confusion with later used flags variable

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-09 14:45:37 +01:00
Corinna Vinschen dee6cb133a Cygwin: try_to_bin: don't reopen the file
So far we reopened the file if it was opened case sensitive to
work around the problem that the recycler could be named in
camel back or all upper case, depending on who created it.
That's a problem for O_TMPFILE on pre-W10.  As soon as the
original HANDLE gets closed, delete-on-close is converted to full
delete disposition and all useful operations on the file cease to
work (STATUS_ACCESS_DENIED or STATUS_FILE_DELETED).

To avoid that problem drop the reopen code and check for the exact
recycler filename, either $Recycle.Bin or $RECYCLE.BIN, if the file
has been opened case sensitive.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-08 21:47:28 +01:00
Corinna Vinschen 9443efe099 Cygwin: linkat: support Linux-specific AT_EMPTY_PATH flag
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-07 19:36:37 +01:00
Corinna Vinschen b93022a82d Cygwin: open: support Linux-specific O_PATH flag
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-07 19:35:00 +01:00
Corinna Vinschen 91ca95ae4a Cygwin: rename pipe.cc to fhandler_pipe.cc
move pipe syscalls to syscalls.cc

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-07 12:31:28 +01:00
Corinna Vinschen 7aca27b4fe Cygwin: introduce fhandler_process_fd and add stat(2) handling
move special fd symlink code into own fhandler_process_fd class
to simplify further additions to /proc/PID/fd/DESCRIPTOR symlink
handling.

Add a method to handle stat(2) on such a proc fd symlink by handle.
This allows correct reply from stat(2) if the target file has been
deleted.  This eventually fixes `awk -f /dev/fd/3 3<<eof'.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-06 20:30:14 +01:00
Corinna Vinschen ba12614f79 Cygwin: path_conv: add PATH_RESOLVE_PROCFD path_types flag
path_conv now sets the PATH_RESOLVE_PROCFD flag in path_flags if
the PC_SYM_NOFOLLOW_PROCFD pathconv_arg flag has been set on input
*and* the file is actually a proc fd symlink.

Add matching path_conv::follow_fd_symlink method for checking and
use it in open(2).

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-06 20:30:14 +01:00
Corinna Vinschen 7dbe307e38 Cygwin: Move O_TMPFILE to bin and allow linkat by handle
Along the same lines as the previous patch: By reopening an
O_TMPFILE by handle, we can now move the file to the bin at
open time and thus freeing up the parent dir and *still*
open the file as /proc/PID/fd/DESCRIPTOR by linkat(2).
2019-01-06 20:30:14 +01:00
Corinna Vinschen a1a750325e Cygwin: try_to_bin: allow to move O_TMPFILE files into bin
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-06 20:30:14 +01:00
Corinna Vinschen 732613f30a Cygwin: implement /proc/PID/fd/DESCRIPTOR reopening by handle
Allows expressions along the lines of `cat /proc/self/fd/0 <<EOF'.
The problem here is that the temporary file used for the here script
has already been deleted by the shell.  Opening by filename, as
implemented so far, doesn't work because the file has been moved
to the bin.

Allow reopening files by handle the same way from another process
as long as we have sufficient permissions on the foreign process.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-06 20:30:14 +01:00
Corinna Vinschen 36ff506ddc Cygwin: try_to_bin: fix typos in comments
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-05 11:32:23 +01:00
Corinna Vinschen 34d9bb7093 Cygwin: drop disabled O_TMPFILE POSIX unlink code
The commit message of commit 07e0a9584f
and the expectation set therein, are wrong.

There's no POSIX semantics allowing to link a file with a link
count of 0 and making it available in the file system again.
In fact, the Linux linkat extension AT_EMPTY_PATH explicitly
disallows to link a file descriptor to a file with a link count
of 0, except for O_TMPFILE without O_EXCL.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-04 11:01:47 +01:00
Corinna Vinschen 07e0a9584f Cygwin: open(2): Change comment in disabled O_TMPFILE POSIX unlink code
- Turns out, the definition of POSIX unlink semantics is half-hearted
  so far: It's not possible to link an open file HANDLE if it has
  been deleted with POSIX semantics, nor is it possible to remove
  the delete disposition.  This breaks linkat on an O_TMPFILE.

  Tested with W10 1809.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2018-12-26 22:16:59 +01:00
Corinna Vinschen a7f392686b Cygwin: utilize FILE_DISPOSITION_POSIX_SEMANTICS
- short-circuit most code in unlink_nt since it's not necessary
  anymore if FILE_DISPOSITION_POSIX_SEMANTICS is supported.

- Immediately remove O_TMPFILE from filesystem after creation.
  Disable code for now because we have to implement /proc/self/fd
  opening by handle first, lest linkat fails.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2018-12-23 21:36:42 +01:00
Corinna Vinschen 65267a9a34 Cygwin: move transaction helpers into ntdll.h
We'll need them elsewhere in future.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2018-03-01 16:51:12 +01:00
Corinna Vinschen 7ae89fe708 Cygwin: path_conv: rename is_rep_symlink to is_known_reparse_point
...in preparation of reusing this flag for other types of
reparse points, not only symlinks.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2018-03-01 16:41:45 +01:00
Corinna Vinschen 76f06705be cygwin: convert most #ifndef __x86_64__ to #ifdef __i386__
Address the real offender

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-11-27 14:36:06 +01:00
Corinna Vinschen 0aa99373c1 Cygwin: fcntl.h: Define O_TMPFILE and implement it
Difference to Linux: We can't create files which don't show up
in the filesystem due to OS restrictions.  As a kludge, make a
(half-hearted) attempt to hide the file in the filesystem.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-11-14 21:45:25 +01:00
Corinna Vinschen f94fe74aad Cygwin: open: cleanup code in preparation of O_TMPFILE
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-11-14 16:30:44 +01:00
Corinna Vinschen ad15b8ccee cygwin: ftruncate64: add missing braces
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-11-02 19:13:09 +01:00
Erik M. Bray 94854321bb posix_fallocate() *returns* error codes but does not set errno
Also updates the fhandler_*::ftruncate implementations to adhere to the same
semantics.  The error handling semantics of those syscalls that use
fhandler_*::ftruncate are moved to the implementations of those syscalls (
in particular ftruncate() and friends still set errno and return -1 on error
but that logic is handled in the syscall implementation).
2017-11-02 18:01:01 +01:00
Erik M. Bray 8c8cdd9ad7 posix_fadvise() *returns* error codes but does not set errno
Also updates the fhandler_*::fadvise implementations to adhere to the same
semantics.
2017-11-02 17:58:18 +01:00
Corinna Vinschen 88cfcda06b cygwin: unlink: workaround NFS non-ability to move file in certain cases
Under some not quite clear conditions, NFS fails to use its
unlink workaround to rename a file to ".nfsXYZ".  The problem has been
reproduced with the GAWK testext.awk testcase.  To work around this in
Cygwin, we now call try_to_bin on NFS, too.  For some reason NFS doesn't
fail to rename the .cygXYZ file to .nfsXYZ after this Cygwin rename.
Fix comment in unlink_nt accordingly.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-10-18 16:27:17 +02:00
Corinna Vinschen 5b7921523d cygwin: unlink: don't try "final trick" in try_to_bin on NFS
Doesn't work.  Just another STATUS_SHARING_VIOLATION.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-10-18 16:22:14 +02:00
Corinna Vinschen e6c79e7a2a cygwin: unlink: fix "final trick" overwrite method on remote drives
The "final trick" code in try_to_bin accidentally never worked on
remote drives because it relies on rootdir.  Which isn't set for
remote unlinks.  The code now creates a full path for remote files.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-10-18 16:21:12 +02:00
Corinna Vinschen 3dda58f157 cygwin: unlink: improve debug messages in try_to_bin
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-10-18 16:18:12 +02:00
Corinna Vinschen 9ac4c0325f cygwin: unlink: simplify rootdir handling
In try_to_bin, rootdir is NULL for remote drives anyway.  No extra
check required.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-10-18 16:15:08 +02:00
Corinna Vinschen 5224eb7517 cygwin: unlink: drop redundant check for netapp FS
The try_to_bin function isn't called for netapp FSes anyway, so testing
for this FS type in the function is moot.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-10-18 16:13:48 +02:00
Corinna Vinschen 7127e8ef3b cygwin: unlink: Fix typos in comments
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-10-18 16:12:42 +02:00
Ken Brown f665b1cef3 cygwin: Implement renameat2
Define the RENAME_NOREPLACE flag in <cygwin/fs.h> as defined on Linux
in <linux/fs.h>.  The other RENAME_* flags defined on Linux are not
supported.
2017-08-19 18:06:49 +02:00
Sebastian Huber 461152e4eb Add ffsl(), ffsll(), fls(), flsl(), flsll()
Use compiler builtin for ffs().  Remove duplicate implementation from
Cygwin.

Signed-off-by: Sebastian Huber <sebastian.huber@embedded-brains.de>
2017-07-05 13:49:48 +02:00
Corinna Vinschen 1a942680bf cygwin: scandirat: fix path given to scandir
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-07-04 15:11:06 +02:00
Corinna Vinschen fa4fcf7373 cygwin: Do not generate surrogate chars on netapp
Just like Samba, Netapp FSes seem to dislike invalid surrogate usage in
filenames.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-03-24 20:52:25 +01:00
Corinna Vinschen 6ed4753e77 rename: Refactor "new file already exists and rename fails" case
If newfile already exists and is in use, trying to overwrite it with
NtSetInformationFile(FileRenameInformation) fails exactly as if we
don't have the permissions to delete it.  Unfortunately the return code
is the same STATUS_ACCESS_DENIED, so we have no way to distinguish
these cases.  What we do here so far is to start a transaction to delete
newfile.  If this open fails with a transactional error we stop the
transaction and retry opening the file without transaction.

But, here's the problem: If newfile is in use, NtOpenFile(oldfile)
naturally does NOT fail with a transactional error.  Rather, the
subsequent call to unlink_nt(newfile) does, because there's another
handle open to newfile outside a transaction.  However, the code does
not check if unlink_nt fails with a transactional error and so fails
to retry without transaction.

This patch rectifies the problem and checks unlink_nt's status as well.

Refactor code to get rid of goto into another code block.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-01-12 22:42:11 +01:00