diff options
| author | Corinna Vinschen <corinna@vinschen.de> | 2001-05-01 01:19:42 +0400 |
|---|---|---|
| committer | Corinna Vinschen <corinna@vinschen.de> | 2001-05-01 01:19:42 +0400 |
| commit | 57ff940dd40a53ec03e5f2b079239b41bd9c2859 (patch) | |
| tree | 4de2380c00e04343fe81f4113a9142540901c4d4 /winsup/cygwin/spawn.cc | |
| parent | 965cecdfca617f99b5fab536e6f960201b12b2a4 (diff) | |
* autoload.cc: Add LoadDLLinitfunc for secur32.dll.
Add LoadDLLfuncEx statements for AllocateLocallyUniqueId@4,
DuplicateTokenEx@24, LsaNtStatusToWinError@4,
LsaDeregisterLogonProcess@4, LsaFreeReturnBuffer@4,
LsaLogonUser@56, LsaLookupAuthenticationPackage@12,
LsaRegisterLogonProcess@12,
* environ.cc: Add extern declaration for `subauth_id'.
(subauth_id_init): New function for setting `subauth_id'.
(struct parse_thing): Add entry for `subauth_id'.
* fork.cc (fork_parent): Call `RevertToSelf' and
`ImpersonateLoggedOnUser' instead of `seteuid'.
* security.cc: Define global variable `subauth_id'.
(extract_nt_dom_user): New function.
(cygwin_logon_user): Call `extract_nt_dom_user' now.
(str2lsa): New static function.
(str2buf2lsa): Ditto.
(str2buf2uni): Ditto.
(subauth): Ditto.
* security.h: Add prototype for `subauth'.
* spawn.cc (spawn_guts): Use cygheap->user.token only if impersonated.
Use `cygsid' type. Remove impersonation before allowing access to
workstation/desktop to everyone. Call `RevertToSelf' and
`ImpersonateLoggedOnUser' instead of `seteuid'.
* syscalls.cc (seteuid): Rearranged to allow using subauthentication
to retrieve user tokens when needed.
Diffstat (limited to 'winsup/cygwin/spawn.cc')
| -rw-r--r-- | winsup/cygwin/spawn.cc | 52 |
1 files changed, 25 insertions, 27 deletions
diff --git a/winsup/cygwin/spawn.cc b/winsup/cygwin/spawn.cc index 5ac823c8d..f67fa626a 100644 --- a/winsup/cygwin/spawn.cc +++ b/winsup/cygwin/spawn.cc @@ -578,7 +578,8 @@ skip_arg_parsing: /* Preallocated buffer for `sec_user' call */ char sa_buf[1024]; - if (!hToken && cygheap->user.token != INVALID_HANDLE_VALUE) + if (!hToken && cygheap->user.impersonated + && cygheap->user.token != INVALID_HANDLE_VALUE) hToken = cygheap->user.token; const char *runpath = null_app_name ? NULL : (const char *) real_path; @@ -607,6 +608,28 @@ skip_arg_parsing: } else { + cygsid sid; + DWORD ret_len; + if (!GetTokenInformation (hToken, TokenUser, &sid, sizeof sid, &ret_len)) + { + sid = NULL; + system_printf ("GetTokenInformation: %E"); + } + + /* Retrieve security attributes before setting psid to NULL + since it's value is needed by `sec_user'. */ + PSECURITY_ATTRIBUTES sec_attribs = allow_ntsec && sid + ? sec_user (sa_buf, sid) + : &sec_all_nih; + + /* Remove impersonation */ + if (cygheap->user.impersonated + && cygheap->user.token != INVALID_HANDLE_VALUE) + RevertToSelf (); + + /* Load users registry hive. */ + load_registry_hive (sid); + /* allow the child to interact with our window station/desktop */ HANDLE hwst, hdsk; SECURITY_INFORMATION dsi = DACL_SECURITY_INFORMATION; @@ -625,31 +648,6 @@ skip_arg_parsing: strcat (wstname, dskname); si.lpDesktop = wstname; - char tu[1024]; - PSID sid = NULL; - DWORD ret_len; - if (GetTokenInformation (hToken, TokenUser, - (LPVOID) &tu, sizeof tu, - &ret_len)) - sid = ((TOKEN_USER *) &tu)->User.Sid; - else - system_printf ("GetTokenInformation: %E"); - - /* Retrieve security attributes before setting psid to NULL - since it's value is needed by `sec_user'. */ - PSECURITY_ATTRIBUTES sec_attribs = allow_ntsec && sid - ? sec_user (sa_buf, sid) - : &sec_all_nih; - - /* Remove impersonation */ - uid_t uid = geteuid (); - if (cygheap->user.impersonated - && cygheap->user.token != INVALID_HANDLE_VALUE) - seteuid (cygheap->user.orig_uid); - - /* Load users registry hive. */ - load_registry_hive (sid); - rc = CreateProcessAsUser (hToken, runpath, /* image name - with full path */ one_line.buf, /* what was passed to exec */ @@ -666,7 +664,7 @@ skip_arg_parsing: if (mode != _P_OVERLAY && mode != _P_VFORK && cygheap->user.impersonated && cygheap->user.token != INVALID_HANDLE_VALUE) - seteuid (uid); + ImpersonateLoggedOnUser (cygheap->user.token); } MALLOC_CHECK; |