diff options
| author | Corinna Vinschen <corinna@vinschen.de> | 2006-11-08 14:38:05 +0300 |
|---|---|---|
| committer | Corinna Vinschen <corinna@vinschen.de> | 2006-11-08 14:38:05 +0300 |
| commit | 2fd2ddf3f5bacc7cccc9ac2d32b8024125808b6e (patch) | |
| tree | 1ea1f194b7aa34ea6837b16c23bc2214203518cc /winsup/cygwin/security.cc | |
| parent | 86bc8fadff6523470b68b9838fe7af2e55f3b5a3 (diff) | |
* sec_helper.cc (sid_auth): Remove.
(well_known_this_org_sid): New well known sid.
(SECURITY_MANDATORY_INTEGRITY_AUTHORITY): Define.
(mandatory_medium_integrity_sid): New well known sid.
(mandatory_high_integrity_sid): Ditto.
(mandatory_system_integrity_sid): Ditto.
(cygsid::get_sid): Use local SID_IDENTIFIER_AUTHORITY. Allow all
authorities fitting in a UCHAR.
* security.cc (get_token_group_sidlist): Always add the local
group to the token. Add comment. Add "This Organization" group
if available in incoming group list.
(get_server_groups): Only add world and authenticated users groups
if not already in list.
(create_token): Add matching mandatory integrity SID to group list
on systems supporting Mandatory Integrity Control.
* security.h (well_known_this_org_sid): Define.
(mandatory_medium_integrity_sid): Define.
(mandatory_high_integrity_sid): Define.
(mandatory_system_integrity_sid): Define.
* wincap.h: Define has_mandatory_integrity_control throughout.
* wincap.cc: Ditto.
Diffstat (limited to 'winsup/cygwin/security.cc')
| -rw-r--r-- | winsup/cygwin/security.cc | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc index f3a9f87a3..4ecede8a3 100644 --- a/winsup/cygwin/security.cc +++ b/winsup/cygwin/security.cc @@ -493,7 +493,9 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps, auth_pos = -1; if (my_grps) { - if (sid_in_token_groups (my_grps, well_known_local_sid)) + /* In Vista the Local SID is missing in a token constructed by + subauthentication. We add the group unconditionally now. */ + /*if (sid_in_token_groups (my_grps, well_known_local_sid))*/ grp_list += well_known_local_sid; if (sid_in_token_groups (my_grps, well_known_dialup_sid)) grp_list += well_known_dialup_sid; @@ -509,6 +511,8 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps, grp_list += well_known_interactive_sid; if (sid_in_token_groups (my_grps, well_known_service_sid)) grp_list += well_known_service_sid; + if (sid_in_token_groups (my_grps, well_known_this_org_sid)) + grp_list += well_known_this_org_sid; } else { @@ -542,8 +546,10 @@ get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw) return true; } - grp_list += well_known_world_sid; - grp_list += well_known_authenticated_users_sid; + if (!grp_list.contains (well_known_world_sid)) + grp_list += well_known_world_sid; + if (!grp_list.contains (well_known_authenticated_users_sid)) + grp_list += well_known_authenticated_users_sid; extract_nt_dom_user (pw, domain, user); if (get_logon_server (domain, server, wserver, false) && !get_user_groups (wserver, grp_list, user, domain) @@ -928,6 +934,15 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw, else if (!get_initgroups_sidlist (tmp_gsids, usersid, new_groups.pgsid, pw, my_tok_gsids, auth_luid, auth_pos)) goto out; + if (wincap.has_mandatory_integrity_control ()) + { + if (usersid == well_known_system_sid) + tmp_gsids += mandatory_system_integrity_sid; + else if (tmp_gsids.contains (well_known_admins_sid)) + tmp_gsids += mandatory_high_integrity_sid; + else + tmp_gsids += mandatory_medium_integrity_sid; + } /* Primary group. */ pgrp.PrimaryGroup = new_groups.pgsid; |