From f4a1f8a1dbc28b1f0330ebb19ed3eef2ea0618b2 Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Sun, 3 Apr 2005 13:06:43 +0000 Subject: * cygheap.cc (cygheap_init): Accomodate set_process_privilege change. * cygheap.h (cygheap_user::curr_primary_token): New member. (cygheap_user::primary_token): New method. (cygheap_user::deimpersonate): Always revert to processes' impersonation token. (cygheap_user::reimpersonate): Set processes' or setuid token as necessary. (cygheap_user::has_impersonation_tokens): Look for curr_primary_token value. (cygheap_user::close_impersonation_tokens): Close curr_primary_token here if necessary. Don't reset token values to NO_IMPERSONATION since that's done in uinfo_init anyway. (init_cygheap::luid): New LUID array keeping privilege LUIDs. * cygtls.cc (_cygtls::init_thread): Call cygheap->user.reimpersonate. * dcrt0.cc (hProcToken): New global variable to keep process token. (hProcImpToken): Ditto for process impersonation token. (dll_crt0_0): Open process token here once. Duplicate to create hProcImpToken. (dll_crt0_1): Call set_cygwin_privileges. * environ.cc (allow_ntea): Drop duplicate declaration. (allow_smbntsec): Ditto. (set_traverse): Only set allow_traverse here. (environ_init): Ditto. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Drop call to enable_restore_privilege. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::facl): Ditto. * fork.cc (fork_child): Move call to cygheap->user.reimpersonate after syn with parent. Call set_cygwin_privileges. * grp.cc (internal_getgroups): Use hProcImpToken instead of opening process token. * path.cc (fs_info::update): Bypass traverse checking when retrieving volume information using push/pop_thread_privileges. * registry.cc (load_registry_hive): Drop setting restore privilege since it's already set if available. * sec_helper.cc: Include cygtls.h. (cygpriv): Privilege string array. (privilege_luid): New function, evaluate LUID from cygpriv_idx. (privilege_luid_by_name): New function, evaluate LUID from privilege string. (privilege_name): New function, evaluate privilege string from cygpriv_idx. (set_privilege): New static function called by set_process_privilege and set_thread_privilege. Call privilege_luid to get privilege LUID. Fix bug in return value evaluation. Improve debug output. (set_cygwin_privileges): New function. (set_process_privilege): Remove. (enable_restore_privilege): Remove. * security.cc (allow_traverse): New global variable. (sys_privs): Change type to cygpriv_idx and store privilege indices instead of strings. (SYSTEM_PRIVILEGES_COUNT): Renamed from SYSTEM_PERMISSION_COUNT. (get_system_priv_list): Don't use numerical constant in malloc call. Use privilege_luid to get privilege LUIDs. (get_priv_list): Call privilege_luid_by_name to get LUIDs. Improve inner privilege LUID comparison loop. (create_token): Enable create token privilege using push/pop_self_privileges. Use hProcToken instead of opening process token. Use default DACL when duplicating token. (subauth): Enable tcb privilege using push/pop_self_privileges. Use sec_none instead of homw made security attributes when duplicating token. (check_file_access): Don't duplicate access token, use active impersonation token as is. * security.h (enum cygpriv_idx): New enumeration type enumerating possible privileges. (privilege_luid): Declare new function. (privilege_luid_by_name): Ditto. (privilege_name): Ditto. (allow_traverse): Declare. (set_privilege): Declare function. (set_process_privilege): Define as macro. (enable_restore_privilege): Remove declaration. (_push_thread_privilege): Define macro. (push_thread_privilege): Ditto. (pop_thread_privilege): Ditto. (pop_self_privilege): Ditto. * spawn.cc (spawn_guts): Use cygheap->user.primary_token instead of cygheap->user.token. * syscalls.cc (statvfs): Bypass traverse checking when retrieving volume information using push/pop_thread_privileges. Rearrange code to simplify push/pop bracketing. (seteuid32): Use hProcToken instead of opening process token. Call cygheap->user.deimpersonate instead of RevertToSelf. Create impersonation token from primary internal or external token. Set cygheap->user.curr_primary_token and cygheap->user.current_token privileges once here. Drop "failed" and "failed_ptok" labels. Drop setting DefaultDacl of process token. (setegid32): Use hProcToken and hProcImpToken instead of opening process token. Always reimpersonate afterwards. * uinfo.cc (cygheap_user::init): Use hProcToken instead of opening process token. (internal_getlogin): Ditto. Set hProcImpToken, too. (uinfo_init): Initialize cygheap->user.curr_primary_token. * winsup.h (hProcToken): Declare. (hProcImpToken): Declare. --- winsup/cygwin/security.h | 74 ++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 72 insertions(+), 2 deletions(-) (limited to 'winsup/cygwin/security.h') diff --git a/winsup/cygwin/security.h b/winsup/cygwin/security.h index a0035a966..0ee8e7134 100644 --- a/winsup/cygwin/security.h +++ b/winsup/cygwin/security.h @@ -236,6 +236,46 @@ extern cygpsid well_known_authenticated_users_sid; extern cygpsid well_known_system_sid; extern cygpsid well_known_admins_sid; +/* Order must be same as cygpriv in sec_helper.cc. */ +enum cygpriv_idx { + SE_CREATE_TOKEN_PRIV = 0, + SE_ASSIGNPRIMARYTOKEN_PRIV, + SE_LOCK_MEMORY_PRIV, + SE_INCREASE_QUOTA_PRIV, + SE_UNSOLICITED_INPUT_PRIV, + SE_MACHINE_ACCOUNT_PRIV, + SE_TCB_PRIV, + SE_SECURITY_PRIV, + SE_TAKE_OWNERSHIP_PRIV, + SE_LOAD_DRIVER_PRIV, + SE_SYSTEM_PROFILE_PRIV, + SE_SYSTEMTIME_PRIV, + SE_PROF_SINGLE_PROCESS_PRIV, + SE_INC_BASE_PRIORITY_PRIV, + SE_CREATE_PAGEFILE_PRIV, + SE_CREATE_PERMANENT_PRIV, + SE_BACKUP_PRIV, + SE_RESTORE_PRIV, + SE_SHUTDOWN_PRIV, + SE_DEBUG_PRIV, + SE_AUDIT_PRIV, + SE_SYSTEM_ENVIRONMENT_PRIV, + SE_CHANGE_NOTIFY_PRIV, + SE_REMOTE_SHUTDOWN_PRIV, + SE_CREATE_GLOBAL_PRIV, + SE_UNDOCK_PRIV, + SE_MANAGE_VOLUME_PRIV, + SE_IMPERSONATE_PRIV, + SE_ENABLE_DELEGATION_PRIV, + SE_SYNC_AGENT_PRIV, + + SE_NUM_PRIVS +}; + +const LUID *privilege_luid (enum cygpriv_idx idx); +const LUID *privilege_luid_by_name (const char *pname); +const char *privilege_name (enum cygpriv_idx idx); + inline BOOL legal_sid_type (SID_NAME_USE type) { @@ -246,6 +286,7 @@ legal_sid_type (SID_NAME_USE type) extern bool allow_ntea; extern bool allow_ntsec; extern bool allow_smbntsec; +extern bool allow_traverse; /* File manipulation */ int __stdcall get_file_attribute (int, HANDLE, const char *, mode_t *, @@ -291,8 +332,37 @@ void extract_nt_dom_user (const struct passwd *pw, char *domain, char *user); bool get_logon_server (const char * domain, char * server, WCHAR *wserver = NULL); /* sec_helper.cc: Security helper functions. */ -int set_process_privilege (const char *privilege, bool enable = true, bool use_thread = false); -void enable_restore_privilege (void); +int set_privilege (HANDLE token, enum cygpriv_idx privilege, bool enable); +void set_cygwin_privileges (HANDLE token); + +#define set_process_privilege(p,v) set_privilege (hProcImpToken, (p), (v)) + +#define _push_thread_privilege(_priv, _val, _check) { \ + HANDLE _token = NULL, _dup_token = NULL; \ + if (wincap.has_security ()) \ + { \ + _token = (cygheap->user.issetuid () && (_check)) \ + ? cygheap->user.token () : hProcImpToken; \ + if (!DuplicateTokenEx (_token, MAXIMUM_ALLOWED, NULL, \ + SecurityImpersonation, TokenImpersonation, \ + &_dup_token)) \ + debug_printf ("DuplicateTokenEx: %E"); \ + else if (!ImpersonateLoggedOnUser (_dup_token)) \ + debug_printf ("ImpersonateLoggedOnUser: %E"); \ + else \ + set_privilege (_dup_token, (_priv), (_val)); \ + } +#define push_thread_privilege(_priv, _val) _push_thread_privilege(_priv,_val,1) +#define push_self_privilege(_priv, _val) _push_thread_privilege(_priv,_val,0) + +#define pop_thread_privilege() \ + if (_dup_token) \ + { \ + ImpersonateLoggedOnUser (_token); \ + CloseHandle (_dup_token); \ + } \ + } +#define pop_self_privilege() pop_thread_privilege() /* shared.cc: */ /* Retrieve a security descriptor that allows all access */ -- cgit v1.2.3