This is the mail archive of the cygwin mailing list for the Cygwin project.
Corinna,

As a result of the removal of create_token() (sec_auth.cc) in the call flow
of seteuid32(), something like:

@@ cat seteuid.c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

int
main()
{
    errno = 0;
    if (seteuid( (uid_t)1004) != 0) { // 1004 = uid of different user
        printf("seteuid: errno = %d, errstr = %s\n", errno, strerror(errno) );
    } else
        printf("1004, OK\n");
}

returns an INCORRECT errno (http://man7.org/linux/man-pages/man2/seteuid.2.html)

64-@@ ./seteuid
seteuid: errno = 13, errstr = Permission denied ... huh? WRONG!

On Linux this simple "Simple Test Case" will result in:

@@ seteuid: errno = 1, errstr = Operation not permitted

-----
Before the introduction of "Service for User Logon" (s4u), calling seteuid
(or companions) would eventually result in

 - calling create_token, which in turn would call
 - NtCreateToken

If NtCreateToken() failed, it returned the following status:

 - STATUS_PRIVILEGE_NOT_HELD ((NTSTATUS)0xC0000061), which would map to:
 - ERROR_PRIVILEGE_NOT_HELD __MSABI_LONG(1314), which in turn would map to:
 - errno = EPERM (1, i.c. "Operation not permitted")

See errmap[], geterrno_from_nt_status() and geterrno_from_win_error() in
winsup/cygwin/errno.cc

-----
On my system I have fixed this regression as follows:

64-@@ uname -a
CYGWIN_NT-6.1 Seven 3.0.4(0.338/5/3) 2019-03-26 08:25 x86_64 Cygwin

I applied the following hack to winsup/cygwin/sec_auth.cc:

HANDLE
s4uauth (bool logon, PCWSTR domain, PCWSTR user, NTSTATUS &ret_status)
{
...
  if (logon) // true in the call flow from seteuid32()
    {
      /* Register as logon process. */
      debug_printf ("Impersonation requested");
      RtlInitAnsiString (&name, "Cygwin");
      status = LsaRegisterLogonProcess (&name, &lsa_hdl, &sec_mode);
    }
  else
    {
      /* Connect untrusted to just create a identification token */
      debug_printf ("Identification requested");
      status = LsaConnectUntrusted (&lsa_hdl);
    }
  if (status != STATUS_SUCCESS)
    {
      debug_printf ("%s: %y", logon ? "LsaRegisterLogonProcess"
                                    : "LsaConnectUntrusted", status);
// Henri: HACK!
// LsaRegisterLogonProcess returns STATUS_PORT_CONNECTION_REFUSED
      if (status == STATUS_PORT_CONNECTION_REFUSED) // ((NTSTATUS)0xC0000041) // => EACCES ... WRONG!
        {
          // status that was previously returned by NtCreateToken
          status = STATUS_PRIVILEGE_NOT_HELD; // ((NTSTATUS)0xC0000061) => EPERM
        }
// STATUS_PRIVILEGE_NOT_HELD maps to ERROR_PRIVILEGE_NOT_HELD (1314),
// which in turn maps to EPERM (1)
// Henri
      __seterrno_from_nt_status (status);
      goto out;
    }

Henri

Attached: errmapping-sorted.txt
Attachment:
errmapping-sorted.txt
Description: Text document