diff options
| author | Corinna Vinschen <corinna@vinschen.de> | 2006-11-27 12:59:59 +0000 |
|---|---|---|
| committer | Corinna Vinschen <corinna@vinschen.de> | 2006-11-27 12:59:59 +0000 |
| commit | b825c587ba9e851002570b81f9f35196b7a96100 (patch) | |
| tree | 4f45a13329a6ac1cf399647ba96988538ccba0bf /winsup/cygwin/syscalls.cc | |
| parent | b6bb405954f9713a2153e08dfc781f9146a42b9d (diff) | |
| download | cygnal-b825c587ba9e851002570b81f9f35196b7a96100.tar.gz cygnal-b825c587ba9e851002570b81f9f35196b7a96100.tar.bz2 cygnal-b825c587ba9e851002570b81f9f35196b7a96100.zip | |
* cyglsa.h: New header file.
* environ.cc: Disable subauth settings.
* grp.cc: Accomodate cygsidlist's count now being a method.
* sec_helper.cc (SECURITY_MANDATORY_INTEGRITY_AUTHORITY): Remove.
(mandatory_medium_integrity_sid): Remove.
(mandatory_high_integrity_sid): Remove.
(mandatory_system_integrity_sid): Remove.
(fake_logon_sid): Add.
(cygsid::get_sid): Add well_known parameter. Set well_known_sid
accordingly.
(cygsid::getfromstr): Ditto.
(cygsidlist::alloc_sids): Move here from security.cc.
(cygsidlist::free_sids): Ditto.
(cygsidlist::add): Move here from security.h. Add well_known parameter.
Set well_known_sid accordingly. Don't allow duplicate SIDs.
* security.cc: Include cyglsa.h and cygwin/version.h. Throughout
accomodate cygsidlist's count now being a method. Throughout drop
redundant "contains" tests.
(get_user_local_groups): Add local groups as well known SIDs.
(get_token_group_sidlist): Add well known groups as well known SIDs.
(get_server_groups): Ditto. Only call get_unix_group_sidlist after
get_user_local_groups to maintain "well_known_sid" attribute.
(get_initgroups_sidlist): Add well known groups as well known SIDs.
(get_setgroups_sidlist): Add usersid and struct passwd parameter to
allow calling get_server_groups from here.
(get_system_priv_list): Make static. Return size of TOKEN_PRIVILEGES
structure.
(get_priv_list): Ditto.
(create_token): Accomodate above changes. Drop misguided attempt to
add MIC SIDs to created user token. Print returned token as hex value.
(subauth): Disable.
(lsaauth): New function implementing client side of LSA authentication.
* security.h (class cygsid): Add well_known_sid attribute. Accomodate
throughout. Add *= operator to create a well known SID.
(class cygsidlist): Rename count to cnt. Make count a method.
(cygsidlist::add): Move to sec_helper.cc.
(cygsidlist::operator *=): New method to add well known SID.
(cygsidlist::non_well_known_count): New method returning number of
non well known SIDs in list.
(cygsidlist::next_non_well_known_sid): New method returning next non
well known SID by index.
(mandatory_medium_integrity_sid): Drop declaration.
(mandatory_high_integrity_sid): Drop declaration.
(mandatory_system_integrity_sid): Drop declaration.
(fake_logon_sid): Add declaration.
(subauth): Disable declaration.
(lsaauth): Add declaration.
* syscalls.cc (seteuid32): Disable subauthentication. Add LSA
authentication.
* wincap.h: Define needs_logon_sid_in_sid_list throughout.
* wincap.cc: Ditto.
Diffstat (limited to 'winsup/cygwin/syscalls.cc')
| -rw-r--r-- | winsup/cygwin/syscalls.cc | 46 |
1 files changed, 31 insertions, 15 deletions
diff --git a/winsup/cygwin/syscalls.cc b/winsup/cygwin/syscalls.cc index 241efd490..91c696073 100644 --- a/winsup/cygwin/syscalls.cc +++ b/winsup/cygwin/syscalls.cc @@ -2111,30 +2111,46 @@ seteuid32 (__uid32_t uid) debug_printf ("Found token %d", new_token); /* If no impersonation token is available, try to - authenticate using NtCreateToken () or subauthentication. */ + authenticate using NtCreateToken () or LSA authentication. */ if (new_token == INVALID_HANDLE_VALUE) { - new_token = subauth (pw_new); - debug_printf ("subauth %s, try create_token.", - new_token == INVALID_HANDLE_VALUE ? "failed" : "succeeded"); - HANDLE new_token2 = create_token (usersid, groups, pw_new, new_token); - if (new_token2 == INVALID_HANDLE_VALUE) - { + if (!(new_token = lsaauth (usersid, groups, pw_new))) + { +#if 0 + new_token = subauth (pw_new); + debug_printf ("subauth %s, try create_token.", + new_token == INVALID_HANDLE_VALUE ? "failed" : "succeeded"); + HANDLE new_token2 = create_token (usersid, groups, pw_new, new_token); + if (new_token2 == INVALID_HANDLE_VALUE) + { + if (new_token == INVALID_HANDLE_VALUE) + { + debug_printf ("create_token failed, bail out of here"); + cygheap->user.reimpersonate (); + return -1; + } + debug_printf ("create_token failed, use original subauth token"); + } + else + { + debug_printf ("create_token succeeded"); + if (new_token != INVALID_HANDLE_VALUE) + CloseHandle (new_token); + new_token = new_token2; + } +#else + debug_printf ("lsaauth failed, try create_token."); + new_token = create_token (usersid, groups, pw_new, + INVALID_HANDLE_VALUE); if (new_token == INVALID_HANDLE_VALUE) { debug_printf ("create_token failed, bail out of here"); cygheap->user.reimpersonate (); return -1; } - debug_printf ("create_token failed, use original subauth token"); - } - else - { - debug_printf ("create_token succeeded"); - if (new_token != INVALID_HANDLE_VALUE) - CloseHandle (new_token); - new_token = new_token2; +#endif } + /* Keep at most one internal token */ if (cygheap->user.internal_token != NO_IMPERSONATION) CloseHandle (cygheap->user.internal_token); |