From 64b3062937b791faafddc02e9d38102a75b37a7a Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Fri, 16 Jun 2000 19:36:07 +0000 Subject: * cygwin.din: Define symbols for `cygwin_logon_user' and `cygwin_set_impersonation_token'. * dcrt0.cc (dll_crt0_1): Eliminate superfluous conditional statements. Add load statements for `ImpersonateLoggedOnUser', `LogonUserA' and `RevertToSelf'. * fork.cc (fork): Care for correct impersonation of parent and child process. * security.cc (cygwin_set_impersonation_token): New function. (cygwin_logon_user): Ditto. shared.h (class pinfo): New members `orig_uid', `orig_gid', `real_uid' nad `real_gid'. spawn.cc (spawn_guts): Care for impersonation when starting child process in a different user context. * syscalls.cc (setgid): Call `setegid' now. Set real_gid. (setuid): Call `seteuid' now. Set real_uid. (seteuid): Functionality moved from setuid to here. Care for correct impersonation. (setegid): Functionality moved from setgid to here. * uinfo.cc (uinfo_init): Initialization of additional pinfo members. (getuid): Return real uid. (getgid): Return real gid. (geteuid): Return effective uid. (getegid): Return effective gid. include/sys/cygwin.h: Add prototypes for `cygwin_logon_user' and `cygwin_set_impersonation_token'. include/cygwin/version.h: Bumb API minor version to 22. --- winsup/cygwin/fork.cc | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) (limited to 'winsup/cygwin/fork.cc') diff --git a/winsup/cygwin/fork.cc b/winsup/cygwin/fork.cc index baa5a9599..b0248026b 100644 --- a/winsup/cygwin/fork.cc +++ b/winsup/cygwin/fork.cc @@ -363,10 +363,16 @@ fork () goto cleanup; } + /* Remove impersonation */ + uid_t uid = geteuid(); + if (myself->impersonated && myself->token != INVALID_HANDLE_VALUE) + seteuid (myself->orig_uid); + + char sa_buf[1024]; rc = CreateProcessA (myself->progname, /* image to run */ myself->progname, /* what we send in arg0 */ - &sec_none_nih, /* process security attrs */ - &sec_none_nih, /* thread security attrs */ + allow_ntsec ? sec_user (sa_buf) : &sec_none_nih, + allow_ntsec ? sec_user (sa_buf) : &sec_none_nih, TRUE, /* inherit handles from parent */ c_flags, NULL, /* environment filled in later */ @@ -384,9 +390,16 @@ fork () ForceCloseHandle(subproc_ready); ForceCloseHandle(forker_finished); subproc_ready = forker_finished = NULL; + /* Restore impersonation */ + if (myself->impersonated && myself->token != INVALID_HANDLE_VALUE) + seteuid (uid); return -1; } + /* Restore impersonation */ + if (myself->impersonated && myself->token != INVALID_HANDLE_VALUE) + seteuid (uid); + ProtectHandle (pi.hThread); /* Protect the handle but name it similarly to the way it will be called in subproc handling. */ @@ -410,6 +423,12 @@ fork () memcpy (child->sidbuf, myself->sidbuf, 40); memcpy (child->logsrv, myself->logsrv, 256); memcpy (child->domain, myself->domain, MAX_COMPUTERNAME_LENGTH+1); + child->token = myself->token; + child->impersonated = myself->impersonated; + child->orig_uid = myself->orig_uid; + child->orig_gid = myself->orig_gid; + child->real_uid = myself->real_uid; + child->real_gid = myself->real_gid; set_child_mmap_ptr (child); /* Wait for subproc to initialize itself. */ @@ -494,6 +513,17 @@ fork () debug_printf ("self %p, pid %d, ppid %d", myself, x, myself ? myself->ppid : -1); + /* Restore the inheritance state as in parent + Don't call setuid here! The flags are already set. */ + if (myself->impersonated) + { + debug_printf ("Impersonation of child, token: %d", myself->token); + if (myself->token == INVALID_HANDLE_VALUE) + RevertToSelf (); // probably not needed + else if (!ImpersonateLoggedOnUser (myself->token)) + system_printf ("Impersonate for forked child failed: %E"); + } + sync_with_parent ("after longjmp.", TRUE); ProtectHandle (hParent); -- cgit v1.2.3