
cygwin.com/git/newlib-cygwin.git - Unnamed repository; edit this file 'description' to name the repository.
authorCorinna Vinschen <corinna@vinschen.de>2008-11-26 13:18:10 +0300
committerCorinna Vinschen <corinna@vinschen.de>2008-11-26 13:18:10 +0300
commit51303cbd0c22d81d20d99934c71474809e72fa1a (patch)
tree778b92b9b93a2137dd8b4dab3651185aae2b9129 /winsup/cygwin/syscalls.cc
parent4163e9fbdb410867b4e5536ed02ac6fad938bb00 (diff)
* Makefile.in (DLL_OFILES): Add setlsapwd.o.
* cygserver.h (CYGWIN_SERVER_VERSION_API): Bump. (request_code_t): Define CYGSERVER_REQUEST_SETPWD request type. * cygserver_msg.h (client_request_msg::retval): Use default value of -1 for retval if msglen is 0. * cygserver_sem.h (client_request_sem::retval): Ditto. * cygserver_shm.h (client_request_shm::retval): Ditto. * cygserver_setpwd.h: New file. * external.cc (cygwin_internal): Implement new CW_SET_PRIV_KEY type. * sec_auth.cc (open_local_policy): Make externally available. Get ACCESS_MASK as argument. (create_token): Accommodate change to open_local_policy. (lsaauth): Ditto. (lsaprivkeyauth): New function fetching token by retrieving password stored in Cygwin or Interix LSA private data area and calling LogonUser with it. * security.h (lsaprivkeyauth): Declare. (open_local_policy): Declare. * setlsapwd.cc: New file implementing setting LSA private data password using LsaStorePrivateData or by calling cygserver if available. * syscalls.cc (seteuid32): Add workaround to get the original token when switching back to the original privileged user, even if setgroups group list is still active. Add long comment to explain why. Call lsaprivkeyauth first, only if that fails call lsaauth or create_token. * include/cygwin/version.h: Bump API minor number. * include/sys/cygwin.h (cygwin_getinfo_types): Add CW_SET_PRIV_KEY.
Diffstat (limited to 'winsup/cygwin/syscalls.cc')
-rw-r--r--winsup/cygwin/syscalls.cc54
1 files changed, 43 insertions, 11 deletions
diff --git a/winsup/cygwin/syscalls.cc b/winsup/cygwin/syscalls.cc
index 9b39f7712..4590c37a8 100644
--- a/winsup/cygwin/syscalls.cc
+++ b/winsup/cygwin/syscalls.cc
@@ -2493,7 +2493,23 @@ seteuid32 (__uid32_t uid)
cygheap->user.deimpersonate ();
/* Verify if the process token is suitable. */
- if (verify_token (hProcToken, usersid, groups))
+ /* TODO, CV 2008-11-25: The check against saved_sid is a kludge and a
+ shortcut. We must check if it's really feasible in the long run.
+ The reason to add this shortcut is this: sshd switches back to the
+ privileged user running sshd at least twice in the process of
+ authentication. It calls seteuid first, then setegid. Due to this
+ order, the setgroups group list is still active when calling seteuid
+ and verify_token treats the original token of the privileged user as
+ insufficient. This in turn results in creating a new user token for
+ the privileged user instead of using the orignal token. This can have
+ unfortunate side effects. The created token has different group
+ memberships, different user rights, and misses possible network
+ credentials.
+ Therefore we try this shortcut now. When switching back to the
+ privileged user, we probably always want a correct (aka original)
+ user token for this privileged user, not only in sshd. */
+ if ((uid == cygheap->user.saved_uid && usersid == cygheap->user.saved_sid ())
+ || verify_token (hProcToken, usersid, groups))
new_token = hProcToken;
/* Verify if the external token is suitable */
else if (cygheap->user.external_token != NO_IMPERSONATION
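Review bot: The added `uid == cygheap->user.saved_uid && usersid == cygheap->user.saved_sid ()` test is evaluated before `verify_token`, so on this path `hProcToken` is accepted without any check against `groups`. A group list installed through setgroups is therefore not enforced when switching back to the saved user. The TODO explains the sshd motivation but never states that consequence; I would add it to the comment, e.g. `The setgroups group list is deliberately not enforced on this path.`, and emit a debug_printf when the shortcut is taken so the skipped verification shows up in a trace. The comment also misspells "original" as "orignal". seteuid32's body starts and ends outside the hunk, so whether later code re-applies the group list cannot be judged from here.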
@@ -2514,19 +2530,35 @@ seteuid32 (__uid32_t uid)
debug_printf ("Found token %d", new_token);
- /* If no impersonation token is available, try to
- authenticate using NtCreateToken () or LSA authentication. */
+ /* If no impersonation token is available, try to authenticate using
+ LSA private data stored password, LSA authentication using our own
+ LSA module, or, as last chance, NtCreateToken. */
if (new_token == INVALID_HANDLE_VALUE)
{
- if (!(new_token = lsaauth (usersid, groups, pw_new)))
- {
- debug_printf ("lsaauth failed, try create_token.");
- new_token = create_token (usersid, groups, pw_new);
- if (new_token == INVALID_HANDLE_VALUE)
+ new_token = lsaprivkeyauth (pw_new);
+ if (new_token)
+ {
+ /* We have to verify this token since settings in /etc/group
+ might render it unusable im terms of group membership. */
+ if (!verify_token (new_token, usersid, groups))
{
- debug_printf ("create_token failed, bail out of here");
- cygheap->user.reimpersonate ();
- return -1;
+ CloseHandle (new_token);
+ new_token = NULL;
+ }
+ }
+ if (!new_token)
+ {
+ debug_printf ("lsaprivkeyauth failed, try lsaauth.");
+ if (!(new_token = lsaauth (usersid, groups, pw_new)))
+ {
+ debug_printf ("lsaauth failed, try create_token.");
+ new_token = create_token (usersid, groups, pw_new);
+ if (new_token == INVALID_HANDLE_VALUE)
+ {
+ debug_printf ("create_token failed, bail out of here");
+ cygheap->user.reimpersonate ();
+ return -1;
+ }
}
}