This is the mail archive of the cygwin-patches@cygwin.com mailing list for the Cygwin project.
Hello Corinna,

This is the third installment. It fixes:
1) non-cygwin child processes always get the correct primary group
2) tighter check of whether an existing token should be reused
3) impersonated tasks now have access to their own token

This brings us to the level of the patches I had sent in March.

There is another set of changes I'd like to make to address two issues:

1) Currently sequences such as
     setgid(newgid); setuid(originaluid);
   or
     setgid(newgid); setuid(newuid); setuid(originaluid)
   never create a token (newgid, originaluid) and thus the task isn't really in the newgid group (if newgid isn't a group that originaluid naturally belongs to).

2) Currently part of the seteuid() is executed on NT/2000/XP even when ntsec is off. This partially works, but only for external tokens, and only when the passwd file contains the SIDs. Even then, the security descriptor may not give access to admins. I don't know the history and motivation of this design, but it doesn't seem that clean.

I would propose instead one of the 3 following options:
1) when ntsec is off, setuid() succeeds while doing almost nothing. The danger is that a privileged process will never give up its privileges.
2) setuid() and setgid() return in error on NT if ntsec isn't set.
3) no matter ntsec, setuid() / setgid() behave basically as they do today when ntsec is set. They fail if the passwd file doesn't contain SIDs.

I would vote for 3, not seeing the advantage of 2. What's your opinion?

Pierre

2002-05-13  Pierre Humblet  <pierre.humblet@ieee.org>

    * syscalls.cc (seteuid): Set default dacl in process token.
    Replace in-line code by call to verify_token().
    * security.cc (create_token): Store pgrpsid in token security
    descriptor, except if it already appears in my_grps.
    Use sec_acl() in place of get_dacl().
    (verify_token): Create from code in seteuid(), with tighter checks.
    (get_dacl): Deleted.
    (get_group_sidlist): Add argument to indicate if pgrpsid is already
    in the groups.
    * security.h: Define verify_token().
    * autoload.cc: Load GetKernelObjectSecurity().

P.S.: it's late and I don't think straight. seteuid() ends with

      else
        set_errno (ENOSYS);
      debug_printf ("real: %d, effective: %d", cygheap->user.real_uid, myself->uid);
      return 0;

Why is ENOSYS set (on Win95) when 0 is returned?
Attachment:
autoload.cc.diff
Description: Text document
Attachment:
security.cc.diff
Description: Text document
Attachment:
security.h.diff
Description: Text document
Attachment:
syscalls.cc.diff
Description: Text document