This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.
At 06:38 PM 12/30/01 +0100, Corinna Vinschen wrote:
>On Sun, Dec 30, 2001 at 11:26:15AM -0500, Pierre A. Humblet wrote:
>> At 11:15 PM 12/29/01 +0100, Corinna Vinschen wrote:
>> While I am at it, here is another weird observation:
>> base case above: prog reads some registry key. Succeeds.
>> cases 1 and 2: prog reads some registry key. Access denied.
>> But if xxx has admins privilege, prog can read the registry in
>> cases 1 and 2...
>> Can this be explained somehow? It's all on a standalone Win2000.
>
>Hmm, some debugging would help here, perhaps.
>

Hi Corinna

Well, I had to learn a few things to track this one. Please cc me directly. Sorry about the length.

What follows was observed on NT 4, it's somewhat different on Windows 2000. The keys are related to the perflib, e.g. "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\009" and others.

Initially I thought that the error 5 ERROR_ACCESS_DENIED meant that, following setuid(), the user did not have query access to the key, even though he could open it without problems. This guess was wrong.

The real problem is that following setuid(), the ACL (not default ACL) of the impersonation token (which is inherited from the default ACL of the process token) makes the impersonation token non-accessible by its user (normally the user has full access to its token, and it seems that setuid() should preserve that). ERROR_ACCESS_DENIED is thus generated when some Microsoft code tries to access the token while getting the key.

This is demonstrated in the debug.out attachment where I print the impersonation token, try to access the key (fail), then clear the token ACL and succeed reading the key.

I tried to patch security.cc, without success. In the attached diff file I set an acl (actually I reuse your default ACL) in a security descriptor "sd". sd is pointed to by your security attribute "sa", which is passed to DuplicateTokenEx() in create_token(). I also added a new call to SetKernelObjectSecurity(), for good measure. This runs without errors, but nothing happens. I have no idea why. Any help or suggestions will be appreciated.

Here are four other things I noticed:

1) If setuid(gid) is called with a gid that doesn't exist, the system silently sets the gid to "administrators". That is not fail safe! The problem is that getgrgid() never fails. It should have a flag to tell it whether it should default or not. [The default is fine when specifying a SET_ACCESS ACE]

2) my_token isn't closed in create_token()

3) Why is it necessary to set the PrimaryGroup in the process token in setegid()? (That can fail silently). Is that field ever read? I thought that PrimaryGroup only needs to be set in impersonation tokens, so that seteuid() can decide if an existing token can be reused.

4) If in "cygrunsrv -u user ..." the Cygwin and Windows user names differ, then the process will have the wrong uid.

Entry in passwd (note Cygwin name != Windows name)

    exim:unused_by_nt/2000/xp:1002:1005:daemon,U-PHumblet\Mail,S-1-5-21-2127391503-1594901184-99485923-1002:/home/Mail:/bin/bash

    /> cygrunsrv -I test -u mail -e CYGWIN=ntsec -p /a.exe
    Enter password of user `.\mail':
    Reenter, please:
    /> cygrunsrv -S test
    /> head /var/log/test.log
    CYGWIN = ntsec USERNAME = UNDEF UID = 500 GID = 513 PID = 619 <==INCORRECT UID/GID
    /******************* Token Start ****************************/
    /******************* Token User */
    Mail PHumblet SidTypeUser <=== CORRECT USER
    S-1-5-21-2127391503-1594901184-99485923-1002 <=== CORRECT SID

Changed entry in passwd

    mail:unused_by_nt/2000/xp:1002:1005:daemon,U-PHumblet\Mail,S-1-5-21-2127391503-1594901184-99485923-1002:/home/Mail:/bin/bash

    /> cygrunsrv -S test
    /> head /var/log/test.log
    CYGWIN = ntsec USERNAME = UNDEF UID = 1002 GID = 1005 PID = 654 <== EVERYTHING OK
    /******************* Token Start ****************************/
    /******************* Token User */
    Mail PHumblet SidTypeUser
    S-1-5-21-2127391503-1594901184-99485923-1002

Pierre
Attachment:
security.diff
Description: Text document
Attachment:
debug.out
Description: Text document
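
An added example, not part of the message above or of Cygwin's own code: a check for the condition reported in item 4, flagging passwd entries whose Cygwin login name differs from the Windows account name recorded in the gecos field. It assumes the `U-domain\user,S-sid` gecos layout seen in the two entries above; the function names and the third sample entry are hypothetical.

```python
import re

# First two entries are the ones shown in the message; "localsvc" is a
# constructed entry with no Windows mapping in its gecos field.
SAMPLE_PASSWD = r"""
exim:unused_by_nt/2000/xp:1002:1005:daemon,U-PHumblet\Mail,S-1-5-21-2127391503-1594901184-99485923-1002:/home/Mail:/bin/bash
mail:unused_by_nt/2000/xp:1002:1005:daemon,U-PHumblet\Mail,S-1-5-21-2127391503-1594901184-99485923-1002:/home/Mail:/bin/bash
localsvc:unused_by_nt/2000/xp:2001:2001:constructed entry:/home/localsvc:/bin/bash
"""

# gecos is a comma-separated list; pick out "U-[domain\]user" and "S-1-..."
ACCOUNT_RE = re.compile(r"(?:^|,)U-(?:([^\\,]+)\\)?([^,]+)")
SID_RE = re.compile(r"(?:^|,)(S-1-[0-9-]+)")


def parse_passwd(text):
    """Return one dict per passwd line with the Windows account and SID from gecos."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, gecos, _home, _shell = fields
        acct, sid = ACCOUNT_RE.search(gecos), SID_RE.search(gecos)
        entries.append({
            "name": name, "uid": int(uid), "gid": int(gid),
            "win_domain": acct.group(1) if acct else None,
            "win_user": acct.group(2) if acct else None,
            "sid": sid.group(1) if sid else None,
        })
    return entries


def find_name_mismatches(entries):
    """Entries whose login name differs (ignoring case) from the Windows account name."""
    return [e for e in entries
            if e["win_user"] and e["name"].lower() != e["win_user"].lower()]


if __name__ == "__main__":
    for e in find_name_mismatches(parse_passwd(SAMPLE_PASSWD)):
        print("passwd name %r (uid %d) != Windows account %r, SID %s"
              % (e["name"], e["uid"], e["win_user"], e["sid"]))
```

The comparison ignores case because the message's working entry pairs the login name `mail` with the Windows account `Mail`.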