* autoload.cc: Add LoadDLLfunc statements for SetTokenInformation@16.

        * cygheap.cc: Include security.h.
        * grp.cc (internal_getgrent): New function.
        (getgroups): Rearranged using `internal_getgrent' and the new
        `cygsid' class.
        * passwd.cc (internal_getpwent): New function.
        * sec_acl.cc: Use new `cygsid' class throughout.
        (acl_access): Use `internal_getgrent' instead of `getgrent'.
        * sec_helper.cc: Use new `cygsid' class throughout.
        (get_id_from_sid): Use `internal_getgrent' instead of `getgrent'.
        Use `internal_getpwent' instead of `getpwent'.
        * security.cc: Use new `cygsid' class throughout.
        * security.h: Move `MAX_SID_LEN' from winsup.h to here.
        Add extern declarations for `internal_getgrent' and `internal_getpwent'.
        (class cygsid): New class.
        * shared.cc (sec_user): Use new `cygsid' class.
        * syscalls.cc (seteuid): Try to set owner to user and primary group to
        current group in impersonation token before performing impersonation.
        (setegid): Try to set primary group in process token to the new group
        if ntsec is on.
        * uinfo.cc (internal_getlogin): Use new `cygsid' class.
        Try to set owner to user and primary group to current group in process
        token if the process has been started from a non cygwin process.
        (uinfo_init): Set primary group only if the process has been started
        from a non cygwin process.
        * winsup.h: Move define for `MAX_SID_LEN' to security.h.

1 files changed, 36 insertions, 16 deletions

diff --git a/winsup/cygwin/uinfo.cc b/winsup/cygwin/uinfo.cc
index 6bf5debba..eb3f6ff81 100644
--- a/winsup/cygwin/uinfo.cc
+++ b/winsup/cygwin/uinfo.cc
@@ -115,7 +115,7 @@ internal_getlogin (cygheap_user &user)
 	  HANDLE ptok = user.token; /* Which is INVALID_HANDLE_VALUE if no
 				       impersonation took place. */
 	  DWORD siz;
-	  char tu[1024];
+	  cygsid tu;
 	  int ret = 0;
 
 	  /* Try to get the SID either from already impersonated token
@@ -123,18 +123,14 @@ internal_getlogin (cygheap_user &user)
 	     important, because you can't rely on the user information
 	     in a process token of a currently impersonated process. */
 	  if (ptok == INVALID_HANDLE_VALUE
-	      && !OpenProcessToken (GetCurrentProcess (), TOKEN_QUERY, &ptok))
+	      && !OpenProcessToken (GetCurrentProcess (),
+	      			    TOKEN_ADJUST_DEFAULT | TOKEN_QUERY,
+				    &ptok))
 	    debug_printf ("OpenProcessToken(): %E\n");
-	  else if (!GetTokenInformation (ptok, TokenUser, (LPVOID) &tu,
-					 sizeof tu, &siz))
+	  else if (!GetTokenInformation (ptok, TokenUser, &tu, sizeof tu, &siz))
 	    debug_printf ("GetTokenInformation(): %E");
-	  else if (!(ret = user.set_sid (((TOKEN_USER *) &tu)->User.Sid)))
+	  else if (!(ret = user.set_sid (tu)))
 	    debug_printf ("Couldn't retrieve SID from access token!");
-	  /* Close token only if it's a result from OpenProcessToken(). */
-	  if (ptok != INVALID_HANDLE_VALUE
-	      && user.token == INVALID_HANDLE_VALUE)
-	    CloseHandle (ptok);
-
 	  /* If that failes, try to get the SID from localhost. This can only
 	     be done if a domain is given because there's a chance that a local
 	     and a domain user may have the same name. */
@@ -146,7 +142,7 @@ internal_getlogin (cygheap_user &user)
 		debug_printf ("Couldn't retrieve SID locally!");
 	    }
 
-	  /* If that failes, too, as a last resort try to get the SID from
+	  /* If that fails, too, as a last resort try to get the SID from
 	     the logon server. */
 	  if (!ret && !(ret = lookup_name (user.name (), user.logsrv (),
 					  user.sid ())))
@@ -154,11 +150,11 @@ internal_getlogin (cygheap_user &user)
 
 	  /* If we have a SID, try to get the corresponding Cygwin user name
 	     which can be different from the Windows user name. */
+	  cygsid gsid (NULL);
 	  if (ret)
 	    {
 	      struct passwd *pw;
-	      char psidbuf[MAX_SID_LEN];
-	      PSID psid = (PSID) psidbuf;
+	      cygsid psid;
 
 	      if (!strcasematch (user.name (), "SYSTEM")
 		  && user.domain () && user.logsrv ())
@@ -166,14 +162,35 @@ internal_getlogin (cygheap_user &user)
 		  if (get_registry_hive_path (user.sid (), buf))
 		    setenv ("USERPROFILE", buf, 1);
 		}
-	      while ((pw = getpwent ()) != NULL)
+	      for (int pidx = 0; (pw = internal_getpwent (pidx)); ++pidx)
 		if (get_pw_sid (psid, pw) && EqualSid (user.sid (), psid))
 		  {
 		    user.set_name (pw->pw_name);
+		    struct group *gr = getgrgid (pw->pw_gid);
+		    if (gr)
+		      if (!get_gr_sid (gsid.set (), gr))
+			  gsid = NULL;
 		    break;
 		  }
-	      endpwent ();
 	    }
+
+	  /* If this process is started from a non Cygwin process,
+	     set token owner to the same value as token user and
+	     primary group to the group which is set as primary group
+	     in /etc/passwd. */
+	  if (ptok != INVALID_HANDLE_VALUE && myself->ppid == 1)
+	    {
+	      if (!SetTokenInformation (ptok, TokenOwner, &tu, sizeof tu))
+		debug_printf ("SetTokenInformation(TokenOwner): %E");
+	      if (gsid && !SetTokenInformation (ptok, TokenPrimaryGroup,
+		  			        &gsid, sizeof gsid))
+		debug_printf ("SetTokenInformation(TokenPrimaryGroup): %E");
+	    }
+
+	  /* Close token only if it's a result from OpenProcessToken(). */
+	  if (ptok != INVALID_HANDLE_VALUE
+	      && user.token == INVALID_HANDLE_VALUE)
+	    CloseHandle (ptok);
 	}
     }
   debug_printf ("Cygwins Username: %s", user.name ());
@@ -198,7 +215,10 @@ uinfo_init ()
     if ((p = getpwnam (internal_getlogin (cygheap->user))) != NULL)
       {
 	myself->uid = p->pw_uid;
-	myself->gid = p->pw_gid;
+	/* Set primary group only if ntsec is off or the process has been
+	   started from a non cygwin process. */
+	if (!allow_ntsec || myself->ppid == 1)
+	  myself->gid = p->pw_gid;
       }
     else
       {