+2003-09-26 Pierre Humblet <pierre.humblet@ieee.org>
+
+ * uinfo.cc (cygheap_user::init): Make sure the current user appears
+ in the default DACL. Rearrange to decrease the indentation levels.
+ Initialize the effec_cygsid directly.
+ (internal_getlogin): Do not reinitialize myself->gid. Open the process
+ token with the required access.
+ * cygheap.h (class cygheap_user): Delete members pid and saved_psid.
+ Create members effec_cygsid and saved_cygsid.
+ (cygheap_user::set_sid): Define inline.
+ (cygheap_user::set_saved_sid): Ditto.
+ (cygheap_user::sid): Modify.
+ (cygheap_user::saved_sid): Modify.
+ * cygheap.cc (cygheap_user::set_sid): Delete.
+ (cygheap_user::set_saved_sid): Ditto.
+ * sec_helper.cc (sec_acl): Set the correct acl size.
+ * autoload.cc (FindFirstFreeAce): Add.
+ * security.h: Define ACL_DEFAULT_SIZE.
+
2003-09-26 Corinna Vinschen <corinna@vinschen.de>
* mmap.cc (munmap): Use correct address and length parameters when
char *homepath; /* User's home path */
char *pwinname; /* User's name as far as Windows knows it */
char *puserprof; /* User profile */
- PSID psid; /* buffer for user's SID */
- PSID saved_psid; /* Remains intact even after impersonation */
+ cygsid effec_cygsid; /* buffer for user's SID */
+ cygsid saved_cygsid; /* Remains intact even after impersonation */
public:
__uid32_t saved_uid; /* Remains intact even after impersonation */
__gid32_t saved_gid; /* Ditto */
const char *p = env_domain ("USERDOMAIN=", sizeof ("USERDOMAIN=") - 1);
return (p == almost_null) ? NULL : p;
}
- BOOL set_sid (PSID new_sid);
- BOOL set_saved_sid ();
- PSID sid () const { return psid; }
- PSID saved_sid () const { return saved_psid; }
+ BOOL set_sid (PSID new_sid) {return (BOOL) (effec_cygsid = new_sid);}
+ BOOL set_saved_sid () { return (BOOL) (saved_cygsid = effec_cygsid); }
+ PSID sid () { return effec_cygsid; }
+ PSID saved_sid () { return saved_cygsid; }
const char *ontherange (homebodies what, struct passwd * = NULL);
bool issetuid () const { return current_token != INVALID_HANDLE_VALUE; }
HANDLE token () { return current_token; }
set_name (GetUserName (user_name, &user_name_len) ? user_name : "unknown");
- if (wincap.has_security ())
+ if (!wincap.has_security ())
+ return;
+
+ HANDLE ptok;
+ DWORD siz;
+ char pdacl_buf [sizeof (PTOKEN_DEFAULT_DACL) + ACL_DEFAULT_SIZE];
+ PTOKEN_DEFAULT_DACL pdacl = (PTOKEN_DEFAULT_DACL) pdacl_buf;
+
+ if (!OpenProcessToken (hMainProc, TOKEN_ADJUST_DEFAULT | TOKEN_QUERY,
+ &ptok))
{
- HANDLE ptok = NULL;
- DWORD siz, ret;
- cygsid tu;
-
- /* Get the SID from current process and store it in user.psid */
- if (!OpenProcessToken (hMainProc, TOKEN_ADJUST_DEFAULT | TOKEN_QUERY,
- &ptok))
- system_printf ("OpenProcessToken(): %E");
- else
- {
- if (!GetTokenInformation (ptok, TokenUser, &tu, sizeof tu, &siz))
- system_printf ("GetTokenInformation (TokenUser): %E");
- else if (!(ret = set_sid (tu)))
- system_printf ("Couldn't retrieve SID from access token!");
- /* Set token owner to the same value as token user */
- else if (!SetTokenInformation (ptok, TokenOwner, &tu, sizeof tu))
- debug_printf ("SetTokenInformation(TokenOwner): %E");
- if (!GetTokenInformation (ptok, TokenPrimaryGroup,
- &groups.pgsid, sizeof tu, &siz))
- system_printf ("GetTokenInformation (TokenPrimaryGroup): %E");
- CloseHandle (ptok);
+ system_printf ("OpenProcessToken(): %E");
+ return;
+ }
+ if (!GetTokenInformation (ptok, TokenPrimaryGroup,
+ &groups.pgsid, sizeof (cygsid), &siz))
+ system_printf ("GetTokenInformation (TokenPrimaryGroup): %E");
+
+ /* Get the SID from current process and store it in effec_cygsid */
+ if (!GetTokenInformation (ptok, TokenUser, &effec_cygsid, sizeof (cygsid), &siz))
+ {
+ system_printf ("GetTokenInformation (TokenUser): %E");
+ goto out;
+ }
+
+ /* Set token owner to the same value as token user */
+ if (!SetTokenInformation (ptok, TokenOwner, &effec_cygsid, sizeof (cygsid)))
+ debug_printf ("SetTokenInformation(TokenOwner): %E");
+
+ /* Add the user in the default DACL if needed */
+ if (!GetTokenInformation (ptok, TokenDefaultDacl, pdacl, sizeof (pdacl_buf), &siz))
+ system_printf ("GetTokenInformation (TokenDefaultDacl): %E");
+ else if (pdacl->DefaultDacl) /* Running with security */
+ {
+ PACL pAcl = pdacl->DefaultDacl;
+ PACCESS_ALLOWED_ACE pAce;
+
+ for (int i = 0; i < pAcl->AceCount; i++)
+ {
+ if (!GetAce(pAcl, i, (LPVOID *) &pAce))
+ system_printf ("GetAce: %E");
+ else if (pAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE
+ && effec_cygsid == &pAce->SidStart)
+ goto out;
}
+ pAcl->AclSize = &pdacl_buf[sizeof (pdacl_buf)] - (char *) pAcl;
+ if (!AddAccessAllowedAce (pAcl, ACL_REVISION, GENERIC_ALL, effec_cygsid))
+ system_printf ("AddAccessAllowedAce: %E");
+ else if (FindFirstFreeAce (pAcl, (LPVOID *) &pAce), !(pAce))
+ debug_printf ("FindFirstFreeAce %E");
+ else
+ {
+ pAcl->AclSize = (char *) pAce - (char *) pAcl;
+ if (!SetTokenInformation (ptok, TokenDefaultDacl, pdacl, sizeof (* pdacl)))
+ system_printf ("SetTokenInformation (TokenDefaultDacl): %E");
+ }
}
+ out:
+ CloseHandle (ptok);
}
void
{
struct passwd *pw = NULL;
- myself->gid = UNKNOWN_GID;
-
if (wincap.has_security ())
{
cygpsid psid = user.sid ();
{
HANDLE ptok;
if (gsid != user.groups.pgsid
- && OpenProcessToken (hMainProc, TOKEN_ADJUST_DEFAULT | TOKEN_QUERY,
- &ptok))
+ && OpenProcessToken (hMainProc, TOKEN_ADJUST_DEFAULT, &ptok))
{
/* Set primary group to the group in /etc/passwd. */
if (!SetTokenInformation (ptok, TokenPrimaryGroup,