From 99fd83eb67bdb059aeb9ac986ade5b76fe81f308 Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Thu, 20 Jul 2000 11:04:33 +0000 Subject: * ntsec.sgml: Add description for the new setuid ability of Cygwin since release 1.1.3. * overview2.sgml: Add description for new chroot functionality. * calls.texinfo: Add missing calls. Change comments for setuid, setgid, seteuid, setegid, chroot. --- winsup/doc/ntsec.sgml | 145 +++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 143 insertions(+), 2 deletions(-) (limited to 'winsup/doc/ntsec.sgml') diff --git a/winsup/doc/ntsec.sgml b/winsup/doc/ntsec.sgml index e97cc15dc..7d2eb5b76 100644 --- a/winsup/doc/ntsec.sgml +++ b/winsup/doc/ntsec.sgml @@ -11,12 +11,13 @@ file permissions. Chapter four talks about the advanced settings introduced in release 1.1 Chapter five illustrates the permission mapping leak of Windows NT. +Chapter six describes the new support of a setuid concept introduced +with release 1.1.3. Chapter six describes in short the new acl API since release 1.1 The setting of UNIX like object permissions is controlled by the new -CYGWIN variable setting (no)ntsec. -On NT ntsec is now turned on by default. +CYGWIN variable setting (no)ntsec. NT security 
@@ -516,4 +517,144 @@ can be found on eg. http://docs.sun.com +New setuid concept + +UNIX applications which have to switch the user context are using +the setuid and seteuid calls which +are not part of the Windows API. +Nevertheless these calls are supported under Windows NT/W2K since Cygwin +release 1.1.3. Because of the nature of NT security an application which +needs the ability has to be patched, though. + +NT uses so called `access tokens' to identify a user and it's +permissions. To switch the user context the application has to request +such an `access token'. This is typically done by calling the NT API +function LogonUser. The access token is returned and +either used in ImpersonateLoggedOnUser to change user +context of the current process or in CreateProcessAsUser +to change user context of a spawned child process. An important restriction +is that the application using LogonUser must have special +permissions: + + +"Act as part of the operating system" +"Replace process level token" +"Increase quotas" + + +Note that administrators do not have all that user rights set by default. + +Two new Cygwin calls are introduced to support porting +setuid applications with a minimum of effort. You only +have to care to give Cygwin the right access token and then you can call +seteuid or setuid as usual in POSIX +applications. The call to sexec is not needed +anymore. Porting a setuid application is illustrated by +a short example: + + + +/* First include all needed cygwin stuff. */ +#ifdef __CYGWIN__ +#include <windows.h> +#include <sys/cygwin.h> +/* Use the following define to determine the Windows version */ +#define is_winnt (GetVersion() < 0x80000000) +#endif + +[...] + + struct passwd *user_pwd_entry = getpwnam (username); + char *cleartext_password = getpass ("Password:"); + +[...] + +#ifdef __CYGWIN__ + /* Patch the typical password test. */ + if (is_winnt) + { + HANDLE token; + + /* Try to get the access token from NT. 
*/ + token = cygwin_logon_user (user_pwd_entry, cleartext_password); + if (token == INVALID_HANDLE_VALUE) + error_exit; + /* Inform Cygwin about the new impersonation token. + Cygwin is able now, to switch to that user context by + setuid or seteuid calls. */ + cygwin_set_impersonation_token (token); + } + else +#endif /* CYGWIN */ + /* Use standard method for W9X as well. */ + hashed_password = crypt (cleartext_password, salt); + if (!user_pwd_entry || + strcmp (hashed_password, user_pwd_entry->pw_password)) + error_exit; + +[...] + + /* Everything else remains the same! */ + + setegid (user_pwd_entry->pw_gid); + seteuid (user_pwd_entry->pw_uid); + execl ("/bin/sh", ...); + + + +The new Cygwin call to retrive an access token is defined as follows: + + +#include <windows.h> +#include <sys/cygwin.h> + +HANDLE +cygwin_logon_user (struct passwd *pw, const char *cleartext_password) + + +You can call that function as often as you want for different user +logons and remeber the access tokens for further calls to the second function. + + +#include <windows.h> +#include <sys/cygwin.h> + +void +cygwin_set_impersonation_token (HANDLE hToken); + + + is the call to inform Cygwin about the user context to which further +calls to setuid/seteuid should switch to. +While you need always the correct access token to do a +setuid/seteuid to another users context, +you are always able to use setuid/seteuid +to return to your own user context by giving your own uid as parameter. + +If you have remembered several access tokens from calls to +cygwin_logon_user you can switch to different user +contexts by observing the following order: + + + + cygwin_set_impersonation_token (user1_token); + seteuid (user1_uid); + +[...] + + seteuid (own_uid); + cygwin_set_impersonation_token (user2_token); + seteuid (user2_uid); + +[...] + + seteuid (own_uid); + cygwin_set_impersonation_token (user1_token); + seteuid (user1_uid); + +etc. + + + + + -- cgit v1.2.3
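Review bot: In the first hunk (@@ -11,12 +11,13 @@), the added sentence "Chapter six describes the new support of a setuid concept" sits directly above the unchanged line "Chapter six describes in short the new acl API since release 1.1", so the overview now lists two chapters six. The second hunk appends the new section at the end of the file, after the acl API text, so the setuid entry should probably be listed after the acl API entry as chapter seven. The same hunk also deletes "On NT ntsec is now turned on by default.", which the commit message does not mention. If the default is unchanged, keep the sentence, since it tells readers whether UNIX-like permissions apply without setting CYGWIN.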
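Review bot: In the porting example of the second hunk (@@ -516,4 +517,144 @@), the "else" that follows "#endif" governs only the "hashed_password = crypt (cleartext_password, salt);" statement, so on NT a successful cygwin_logon_user still falls through to "if (!user_pwd_entry || strcmp (hashed_password, ...)) error_exit;" with hashed_password never assigned. Brace the crypt assignment and the strcmp test together as the else branch, so the password comparison runs only on the non-NT path. In the same example, user_pwd_entry is handed to cygwin_logon_user before the "!user_pwd_entry" test; the field is written pw_password where struct passwd has pw_passwd; and the closing comment reads "#endif /* CYGWIN */" for an "#ifdef __CYGWIN__". The prototype shown for cygwin_logon_user lacks the trailing semicolon that cygwin_set_impersonation_token has. The paragraph starting "is the call to inform Cygwin" has lost its subject. The prose has typos ("it's permissions", "retrive", "remeber", "all that user rights"). The section also does not say whether the caller is expected to close the remembered access tokens, which matters for an application that keeps several of them.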