[newlib-cygwin/topic/posix_acl_funcs] cygwin_logon_user: Return non-privileged token as well

Corinna Vinschen corinna@sourceware.org
Sun Jan 24 10:30:00 GMT 2016


https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=b5c80f5a59fda4e3890bf3cb515a67f420057e02

commit b5c80f5a59fda4e3890bf3cb515a67f420057e02
Author: Corinna Vinschen <corinna@vinschen.de>
Date:   Thu Jan 21 18:32:16 2016 +0100

    cygwin_logon_user: Return non-privileged token as well
    
    	If the calling process doesn't have sufficient privileges to
    	fetch the linked token of an admin-user token, cygwin_logon_user
    	fails.  This patch changes that by returning the original,
    	unprivileged token of the admin user to allow authentication
    	and calling setuid for the current process.
    
    Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

Diff:
---
 winsup/cygwin/sec_auth.cc | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index aef1319..d44cb2d 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -172,13 +172,17 @@ cygwin_logon_user (const struct passwd *pw, const char *password)
     }
   else
     {
+      HANDLE hPrivToken = NULL;
+
       /* See the comment in get_full_privileged_inheritable_token for a
       description why we enable TCB privileges here. */
       push_self_privilege (SE_TCB_PRIVILEGE, true);
-      hToken = get_full_privileged_inheritable_token (hToken);
+      hPrivToken = get_full_privileged_inheritable_token (hToken);
       pop_self_privilege ();
-      if (!hToken)
-	hToken = INVALID_HANDLE_VALUE;
+      if (!hPrivToken)
+	debug_printf ("Can't fetch linked token (%E), use standard token");
+      else
+	hToken = hPrivToken;
     }
   RtlSecureZeroMemory (passwd, NT_MAX_PATH);
   cygheap->user.reimpersonate ();



More information about the Cygwin-cvs mailing list