author | Corinna Vinschen <corinna@vinschen.de> | 2001-04-25 09:43:25 +0000 |
---|---|---|
committer | Corinna Vinschen <corinna@vinschen.de> | 2001-04-25 09:43:25 +0000 |
commit | d551169a9fa38d2499840f409e0ca90992d6881a (patch) | |
tree | 7597dd538a99f270fd0285082a090c35a6876d2c /winsup/cygwin/syscalls.cc | |
parent | 3a6e96682d6ee6f127882eef92e3041de8aca4af (diff) | |
* autoload.cc: Add LoadDLLfunc statements for SetTokenInformation@16.
* cygheap.cc: Include security.h.
* grp.cc (internal_getgrent): New function.
(getgroups): Rearranged using `internal_getgrent' and the new
`cygsid' class.
* passwd.cc (internal_getpwent): New function.
* sec_acl.cc: Use new `cygsid' class throughout.
(acl_access): Use `internal_getgrent' instead of `getgrent'.
* sec_helper.cc: Use new `cygsid' class throughout.
(get_id_from_sid): Use `internal_getgrent' instead of `getgrent'.
Use `internal_getpwent' instead of `getpwent'.
* security.cc: Use new `cygsid' class throughout.
* security.h: Move `MAX_SID_LEN' from winsup.h to here.
Add extern declarations for `internal_getgrent' and `internal_getpwent'.
(class cygsid): New class.
* shared.cc (sec_user): Use new `cygsid' class.
* syscalls.cc (seteuid): Try to set owner to user and primary group to
current group in impersonation token before performing impersonation.
(setegid): Try to set primary group in process token to the new group
if ntsec is on.
* uinfo.cc (internal_getlogin): Use new `cygsid' class.
Try to set owner to user and primary group to current group in process
token if the process has been started from a non cygwin process.
(uinfo_init): Set primary group only if the process has been started
from a non cygwin process.
* winsup.h: Move define for `MAX_SID_LEN' to security.h.
Diffstat (limited to 'winsup/cygwin/syscalls.cc')
-rw-r--r-- | winsup/cygwin/syscalls.cc | 60 |
1 files changed, 54 insertions, 6 deletions
diff --git a/winsup/cygwin/syscalls.cc b/winsup/cygwin/syscalls.cc
index 191b3a91c..142873b27 100644
--- a/winsup/cygwin/syscalls.cc
+++ b/winsup/cygwin/syscalls.cc
@@ -1977,11 +1977,36 @@ seteuid (uid_t uid)
 debug_printf ("Impersonate (uid == %d)", uid);
 RevertToSelf ();
 if (cygheap->user.token != INVALID_HANDLE_VALUE)
- if (!ImpersonateLoggedOnUser (cygheap->user.token))
- system_printf ("Impersonate (%d) in set (e)uid failed: %E",
- cygheap->user.token);
- else
- cygheap->user.impersonated = TRUE;
+ {
+ struct group *gr;
+ cygsid sid;
+ DWORD siz;
+
+ /* Try setting owner to same value as user. */
+ if (!GetTokenInformation (cygheap->user.token, TokenUser,
+ &sid, sizeof sid, &siz))
+ debug_printf ("GetTokenInformation(): %E");
+ else if (!SetTokenInformation (cygheap->user.token,
+ TokenOwner,
+ &sid, sizeof sid))
+ debug_printf ("SetTokenInformation(user.token, "
+ "TokenOwner): %E");
+ /* Try setting primary group in token to current group. */
+ if ((gr = getgrgid (myself->gid)) &&
+ get_gr_sid (sid, gr) &&
+ !SetTokenInformation (cygheap->user.token,
+ TokenPrimaryGroup,
+ &sid, sizeof sid))
+ debug_printf ("SetTokenInformation(user.token, "
+ "TokenPrimaryGroup): %E");
+
+ /* Now try to impersonate. */
+ if (!ImpersonateLoggedOnUser (cygheap->user.token))
+ system_printf ("Impersonate (%d) in set(e)uid failed: %E",
+ cygheap->user.token);
+ else
+ cygheap->user.impersonated = TRUE;
+ }
 }
 cygheap_user user;
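Review bot: In the added block of seteuid, `&sid` (a `cygsid`) is passed to GetTokenInformation as the TokenUser buffer and then to SetTokenInformation as the TokenOwner and TokenPrimaryGroup input, which presumably only works if a `cygsid` object begins with a PSID pointing at the SID it stores; the class lives in security.h and is not visible here, so that should be confirmed. Nothing at the call sites states this, and a later change to the class layout would silently hand the wrong owner or group to the token. I would add a comment above the first call, e.g. `/* &sid serves as TOKEN_USER, TOKEN_OWNER and TOKEN_PRIMARY_GROUP; relies on cygsid starting with a PSID. */`. All three failures are reported only through debug_printf and impersonation proceeds regardless, so the token can keep its previous owner and primary group without a visible trace. seteuid starts and ends outside this hunk.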
@@ -2018,12 +2043,35 @@ setegid (gid_t gid)
 {
 if (gid != (gid_t) -1)
 {
- if (!getgrgid (gid))
+ struct group *gr;
+
+ if (!(gr = getgrgid (gid)))
 {
 set_errno (EINVAL);
 return -1;
 }
 myself->gid = gid;
+ if (allow_ntsec)
+ {
+ cygsid gsid;
+ HANDLE ptok;
+
+ if (get_gr_sid (gsid, gr))
+ {
+ if (!OpenProcessToken (GetCurrentProcess (),
+ TOKEN_ADJUST_DEFAULT,
+ &ptok))
+ debug_printf ("OpenProcessToken(): %E\n");
+ else
+ {
+ if (!SetTokenInformation (ptok, TokenPrimaryGroup,
+ &gsid, sizeof gsid))
+ debug_printf ("SetTokenInformation(myself, "
+ "TokenPrimaryGroup): %E");
+ CloseHandle (ptok);
+ }
+ }
+ }
 }
 }
 else |
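Review bot: In setegid, `myself->gid = gid;` is assigned before the token update, and every failure in the new `allow_ntsec` block (get_gr_sid, OpenProcessToken, SetTokenInformation) is either silent or a debug_printf, so the process can report the new gid while objects it creates still carry the old primary group. If this is meant as best effort, say so in a comment such as `/* Best effort: on failure the token keeps its old primary group although myself->gid has changed. */`, and consider system_printf for the SetTokenInformation failure, as the seteuid path does for a failed impersonation. Only the process token is adjusted here; as far as this diff shows, `cygheap->user.token` gets its primary group set only inside seteuid, so a setegid call made while impersonating would not reach the impersonation token. Minor: `"OpenProcessToken(): %E\n"` is the only debug_printf format in the change that ends in a newline. The function body continues outside the hunk.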