This is the mail archive of the cygwin-patches@cygwin.com mailing list for the Cygwin project.



Re: Security patches


Hello Corinna,

This is the third installment. It fixes:
1) non-cygwin child processes always get the correct primary group
2) tighter check of whether an existing token should be reused
3) impersonated tasks now have access to their own token

This brings us to the level of the patches I had sent in March.

There is another set of changes I'd like to make to address 
two issues:
1) Currently sequences such as setgid(newgid); setuid(originaluid);
or setgid(newgid); setuid(newuid); setuid(originaluid)
never create a token (newgid, originaluid) and thus the task 
isn't really in the newgid group (if newgid isn't a group that
originaluid naturally belongs to). 
2) Currently part of the seteuid() is executed on NT/2000/XP 
even when ntsec is off. This partially works, but only
for external tokens, and only when the passwd file contains 
the SIDs. Even then, the security descriptor may not give 
access to admins.

I don't know the history and motivation of this design, but
it doesn't seem that clean. I would propose instead one of 
the 3 following options:
1) when ntsec is off, setuid() succeeds while doing almost nothing.
The danger is that a privileged process will never give up
its privileges.
2) setuid() and setgid() return in error on NT if ntsec isn't set.
3) no matter ntsec, setuid() / setgid() behave basically as they do 
today when ntsec is set. They fail if the passwd file doesn't contain SIDs. 
I would vote for 3, not seeing the advantage of 2.
What's your opinion?

Pierre

2002-05-13  Pierre Humblet <pierre.humblet@ieee.org>

	* syscalls.cc (seteuid): Set default dacl in process token.
	Replace in-line code by call to verify_token().
	* security.cc (create_token): Store pgrpsid in token security
	descriptor, except if it already appears in my_grps.
	Use sec_acl() in place of get_dacl().
	(verify_token): Create from code in seteuid(), with tighter checks.
	(get_dacl): Deleted.
	(get_group_sidlist): Add argument to indicate if pgrpsid is already
	in the groups.
	* security.h: Define verify_token().
	* autoload.cc: Load GetKernelObjectSecurity().


P.S.: it's late and I don't think straight.
seteuid() ends with

  else set_errno (ENOSYS);
  debug_printf ("real: %d, effective: %d", cygheap->user.real_uid,
		myself->uid);
  return 0;

Why is ENOSYS set (on Win95) when 0 is returned?

Attachment: autoload.cc.diff
Description: Text document

Attachment: security.cc.diff
Description: Text document

Attachment: security.h.diff
Description: Text document

Attachment: syscalls.cc.diff
Description: Text document

