+2009-10-13 Christian Franke <franke@computer.org>
+ Corinna Vinschen <corinna@vinschen.de>
+
+ * include/sys/cygwin.h: Add new cygwin_getinfo_type
+ CW_SET_EXTERNAL_TOKEN.
+ Add new enum CW_TOKEN_IMPERSONATION, CW_TOKEN_RESTRICTED.
+ * cygheap.h (cyguser): New flags ext_token_is_restricted,
+ curr_token_is_restricted and setuid_to_restricted.
+ * external.cc (cygwin_internal): Add CW_SET_EXTERNAL_TOKEN.
+ * sec_auth.cc (set_imp_token): New function.
+ (cygwin_set_impersonation_token): Call set_imp_token ().
+ * security.h (set_imp_token): New prototype.
+ * spawn.cc (spawn_guts): Use CreateProcessAsUserW if restricted token
+ was enabled by setuid(). Do not create new window station in this case.
+ * syscalls.cc (seteuid32): Add handling of restricted external tokens.
+ Set HANDLE_FLAG_INHERIT for primary token.
+ (setuid32): Set setuid_to_restricted flag.
+ * uinfo.cc (uinfo_init): Do not reimpersonate if restricted token was
+ enabled by setuid (). Initialize user.*_restricted flags.
+
2009-10-13 Eric Blake <ebb9@byu.net>
* hires.h (hires_ms): Change initime_us to initime_ns, with 10x
debug_printf ("uid: %u myself->uid: %u myself->gid: %u",
uid, myself->uid, myself->gid);
- if (uid == myself->uid && !cygheap->user.groups.ischanged)
+ /* Same uid as we're just running under is usually a no-op.
+
+ Except we have an external token which is a restricted token. Or,
+ the external token is NULL, but the current impersonation token is
+ a restricted token. This allows to restrict user rights temporarily
+ like this:
+
+ cygwin_internal(CW_SET_EXTERNAL_TOKEN, restricted_token,
+ CW_TOKEN_RESTRICTED);
+ setuid (getuid ());
+ [...do stuff with restricted rights...]
+ cygwin_internal(CW_SET_EXTERNAL_TOKEN, INVALID_HANDLE_VALUE,
+ CW_TOKEN_RESTRICTED);
+ setuid (getuid ());
+
+ Note that using the current uid is a requirement! Starting with Windows
+ Vista, we have restricted tokens galore (UAC), so this is really just
+ a special case to restict your own processes to lesser rights. */
+ bool request_restricted_uid_switch = (uid == myself->uid
+ && cygheap->user.ext_token_is_restricted);
+ if (uid == myself->uid && !cygheap->user.groups.ischanged
+ && !request_restricted_uid_switch)
{
debug_printf ("Nothing happens");
return 0;
cygheap->user.deimpersonate ();
/* Verify if the process token is suitable. */
+ /* First of all, skip all checks if a switch to a restricted token has been
+ requested, or if trying to switch back from it. */
+ if (request_restricted_uid_switch)
+ {
+ if (cygheap->user.external_token != NO_IMPERSONATION)
+ {
+ debug_printf ("Switch to restricted token");
+ new_token = cygheap->user.external_token;
+ }
+ else
+ {
+ debug_printf ("Switch back from restricted token");
+ new_token = hProcToken;
+ cygheap->user.ext_token_is_restricted = false;
+ }
+ }
/* TODO, CV 2008-11-25: The check against saved_sid is a kludge and a
shortcut. We must check if it's really feasible in the long run.
The reason to add this shortcut is this: sshd switches back to the
Therefore we try this shortcut now. When switching back to the
privileged user, we probably always want a correct (aka original)
user token for this privileged user, not only in sshd. */
- if ((uid == cygheap->user.saved_uid && usersid == cygheap->user.saved_sid ())
- || verify_token (hProcToken, usersid, groups))
+ else if ((uid == cygheap->user.saved_uid
+ && usersid == cygheap->user.saved_sid ())
+ || verify_token (hProcToken, usersid, groups))
new_token = hProcToken;
/* Verify if the external token is suitable */
else if (cygheap->user.external_token != NO_IMPERSONATION
if (new_token != hProcToken)
{
- /* Avoid having HKCU use default user */
- WCHAR name[128];
- load_registry_hive (usersid.string (name));
+ if (!request_restricted_uid_switch)
+ {
+ /* Avoid having HKCU use default user */
+ WCHAR name[128];
+ load_registry_hive (usersid.string (name));
+ }
/* Try setting owner to same value as user. */
if (!SetTokenInformation (new_token, TokenOwner,
cygheap->user.set_sid (usersid);
cygheap->user.curr_primary_token = new_token == hProcToken ? NO_IMPERSONATION
: new_token;
+ cygheap->user.curr_token_is_restricted = false;
+ cygheap->user.setuid_to_restricted = false;
if (cygheap->user.curr_imp_token != NO_IMPERSONATION)
{
CloseHandle (cygheap->user.curr_imp_token);
}
if (cygheap->user.curr_primary_token != NO_IMPERSONATION)
{
- if (!DuplicateTokenEx (cygheap->user.curr_primary_token, MAXIMUM_ALLOWED,
- &sec_none, SecurityImpersonation,
- TokenImpersonation, &cygheap->user.curr_imp_token))
+ /* HANDLE_FLAG_INHERIT may be missing in external token. */
+ if (!SetHandleInformation (cygheap->user.curr_primary_token,
+ HANDLE_FLAG_INHERIT, HANDLE_FLAG_INHERIT)
+ || !DuplicateTokenEx (cygheap->user.curr_primary_token,
+ MAXIMUM_ALLOWED, &sec_none,
+ SecurityImpersonation, TokenImpersonation,
+ &cygheap->user.curr_imp_token))
{
__seterrno ();
cygheap->user.curr_primary_token = NO_IMPERSONATION;
return -1;
}
+ cygheap->user.curr_token_is_restricted = request_restricted_uid_switch;
set_cygwin_privileges (cygheap->user.curr_primary_token);
set_cygwin_privileges (cygheap->user.curr_imp_token);
}
{
int ret = seteuid32 (uid);
if (!ret)
- cygheap->user.real_uid = myself->uid;
+ {
+ cygheap->user.real_uid = myself->uid;
+ /* If restricted token, forget original privileges on exec (). */
+ cygheap->user.setuid_to_restricted = cygheap->user.curr_token_is_restricted;
+ }
debug_printf ("real: %d, effective: %d", cygheap->user.real_uid, myself->uid);
return ret;
}
OSDN Git Service
