[Patch] Allow to disable root privileges with CYGWIN=noroot

Christian Franke Christian.Franke@t-online.de
Fri Oct 9 21:42:00 GMT 2009


Corinna Vinschen wrote:
> ...and maybe it's time to create a cygwin_internal call which replaces
> cygwin_set_impersonation_token and deprecate cygwin_set_impersonation_token
> in the long run.  So, instead of the above we could have this call
> taking a HANDLE and a BOOL value:
>
>   cygwin_internal (CW_SET_EXTERNAL_TOKEN, token_handle, restricted?);
>

Attached is a patch (based on your patch) which works for me on XP SP3.

Note that unlike with setuid(other_uid), fork() and exec() do not fail 
for non-system processes.


A simple test case: exec with most privileges removed:

#include <stdio.h>
#include <unistd.h>
#include <windows.h>
#include <sys/cygwin.h>

int main(int argc, char **argv)
{
  if (argc < 2) {
    printf("Usage: %s command args ...\n", argv[0]); return 1;
  }

  // Primary token of this process.  TOKEN_ALL_ACCESS includes the
  // TOKEN_DUPLICATE right that CreateRestrictedToken needs.
  HANDLE pt, rt;
  if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &pt)) {
    printf("OpenProcessToken failed\n"); return 1;
  }
  // Copy of the token with every removable privilege dropped.  Group
  // SIDs (including Administrators) are left as they are.
  if (!CreateRestrictedToken(pt, DISABLE_MAX_PRIVILEGE,
      0, (PSID_AND_ATTRIBUTES)0, 0, (PLUID_AND_ATTRIBUTES)0,
      0, (PSID_AND_ATTRIBUTES)0, &rt)) {
    printf("CreateRestrictedToken failed\n"); return 1;
  }
  // Make the token handle inheritable.
  if (!SetHandleInformation(rt, HANDLE_FLAG_INHERIT,
      HANDLE_FLAG_INHERIT)) {
    printf("SetHandleInformation failed\n"); return 1;
  }

  // Hand the restricted token to Cygwin (call added by this patch).
  cygwin_internal(CW_SET_EXTERNAL_TOKEN, rt, CW_TOKEN_RESTRICTED);

  // seteuid(getuid()) would allow child to revert to original privileges.
  setuid(getuid());

  execvp(argv[1], argv+1);
  perror("exec");
  return 1;
}

Running e.g. 'ls /proc/registry/HKEY_LOCAL_MACHINE/SECURITY' from an 
admin with and without the above program shows the difference.
(The process is not really restricted because the admin group is not 
removed :-)


I would suggest adding another cygwin_internal() call to check whether the 
current process is considered 'equivalent root'. This could be used e.g. 
by shells to set the root prompt properly.
http://sourceware.org/ml/cygwin/2009-09/msg00138.html

Christian

2009-10-09  Christian Franke  <franke@computer.org>
            Corinna Vinschen  <corinna@vinschen.de>

	* include/sys/cygwin.h: Add new cygwin_getinfo_type
	CW_SET_EXTERNAL_TOKEN.
	Add new enum CW_TOKEN_IMPERSONATION, CW_TOKEN_RESTRICTED.
	* cygheap.h (cyguser): New flags ext_token_is_restricted,
	curr_token_is_restricted and setuid_to_restricted.
	* external.cc (cygwin_internal): Add CW_SET_EXTERNAL_TOKEN.
	* fork.cc (frok::child): Abort if reimpersonate fails.
	* sec_auth.cc (cygwin_set_impersonation_token): Set
	ext_token_is_restricted flag.
	* spawn.cc (spawn_guts): Use CreateProcessAsUserW if
	restricted token was enabled by setuid ().
	Do not create new window station in this case.
	* syscalls.cc (seteuid32): Add handling of restricted
	external tokens.
	(setuid32): Set setuid_to_restricted flag.
	* uinfo.cc (uinfo_init): Do not reimpersonate if
	restricted token was enabled by setuid ().
	Abort if reimpersonate fails.
	Initialize user.*_restricted flags.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: cygwin-1.7-restricted-token.patch
Type: text/x-diff
Size: 9688 bytes
Desc: not available
URL: <http://cygwin.com/pipermail/cygwin-patches/attachments/20091009/1d58df05/attachment.bin>

