This is the mail archive of the
mailing list for the Cygwin project.
Re: PATCH: login under privileged user != SYSTEM
Corinna Vinschen wrote:
On Apr 17 01:48, Charles Wilson wrote:
With these changes, I can now get passwordless rlogin when inetd is running
under a privileged user, and not SYSTEM.
Most of the code was adapted from editrights/main.c...
Cool, thanks! Would you mind to take over login maintainance, too? It
was always just the wagging tail of inetutils anyway...
Other than that, I'd like to suggest a few minor changes to the patch:
- The SeServiceLogonRight doesn't have to be tested, IMHO. It doesn't
have anything to do with user account switching.
- I don't understand why NT4 is handled specially by only checking for the
uid while 2K and XP get the additional account check if necessary. None
of the functions are new with 2K, they all exists since NT 3.51.
I initially thought the program flow would be rather awkward, to make NT
act like 2k/xp -- and I just didn't care much for NT. But after I
finished coding I should have noticed that it would really be quite
simple to do that. But I didn't.
- I wouldn't do the automatic yes for uid 18 anymore. Even for NT/2K/XP
it would be more correct to check if the current account running the
process is the one with SID S-1-5-18.
But that's not exactly what you want, here. Sometimes, login.c does
which could be replaced as you suggest. But *most* of the time, login.c does
before it has actually switched to that user.
And saying that isROOTUID(uid) ==
is overkill -- especially as I want "isROOTUID(uid)" to work even if the
current user does NOT have the privileges needed for setuid() to work.
Given that there's already
so much code for Windows specific privilege checking, I don't think
it hurts a lot to add something along the lines of
AllocateAndInitializeSid (SECURITY_NT_AUTHORITY, 1, 18, ..., &system_sid);
token = OpenProcessToken (GetCurrentProcess ());
user_sid = GetTokenInformation(token, TOKEN_USER);
if (EqualSid (user_sid, system_sid))
I implemented something along these lines. After creating several
building block functions, I wrapped it all up into:
extern int currentUserIsLocalSystem();
extern int currentUserIsMemberOfLocalAdministrators();
These two use OpenProcessToken/GetTokenInformation as you suggested.
However, the one I really use is:
extern int uidIsLocalSystem(uid_t uid);
And I wish I could have figured out how to make
uidIsMemberOfLocalAdmin(uid_t uid), but if uid != current user it's
really hard to get the either (a) the list of groups a particular user
is a member of, or (b) the list of users that are members of a
particular group. Since I already have a make-SID-from-uid method, if I
had (a) I could iterate that list trying to match the local
Administrators SID, or if I had (b) I could iterate through the list and
compare to my SID-from-uid.
I know there is NetUserGetLocalGroups, but what if the user is a member
of a global group, and the local security policy makes that global group
a member of the (local) Administrators group? With the multi-level
inclusion of groups, it's almost easier to go the other way: get the
local administrator group, and use (recursively) NetLocalGroupGetMembers
and NetGroupGetUsers to build a list of all users that are (directly or
by inclusion) members of the (local) Administrators group -- and THEN
iterate that to see if any of them match SID-from-uid.
But neither is easy.
==== end aside
So, I'm still not checking that the uid specified is a member of the
local Administrators group.
I did discover one awkward thing: in my make-SID-from-uid function, I do
1. get struct passwd* for uid
2. cygwin_internal(CW_EXTRACT_DOMAIN_AND_USER, pw, domain, name);
3. get the servername for the domain by using either
DsGetDcName or NetGetDCName
4. use NetUserGetInfo to get a PUSER_INFO_3 structure
(if domain user, and call fails, try again locally...)
5. use LookupAccountName to get the SID
(if basic call fails and returned account type is SidTypeDomain,
try again after adding domain spec to username)
However, if uid = 18 it turns out that NetUserGetInfo(....,
toUnicode("LocalSystem"),...) always fails. I even tested that
proposition in a quick test app. It just doesn't work.
Which means that my uidIsLocalSystem(uid_t uid) function is broken in
this case. It's algorithm is:
1) create SID for LocalSystem manually. call this "desiredSID"
2) get SID corresponding to supplied uid. call this "userSID"
3) compare desiredSID == userSID
And for LocalSystem, step #2 fails. So, I had to modify
make-SID-from-uid, by adding step 1a:
1a. if pw->pw_name == "LocalSystem" (after canonicalizing from "SYSTEM")
manually create SID for SECURITY_LOCAL_SYSTEM_RID and return
But when you boil it all down, that just means that I'm now comparing...
18 == 18
to see if uid is LocalSystem. I'm doing a lot more work to get there,
I'll upload a test package tomorrow, with all these changes. It'll need
lots of testing, though, in various environments: I have no domain to
test it on.
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html