diff options
| -rw-r--r-- | winsup/cygwin/ChangeLog | 10 | ||||
| -rw-r--r-- | winsup/cygwin/autoload.cc | 1 | ||||
| -rw-r--r-- | winsup/cygwin/sec_helper.cc | 11 | ||||
| -rw-r--r-- | winsup/cygwin/security.cc | 17 | ||||
| -rw-r--r-- | winsup/cygwin/security.h | 2 |
5 files changed, 33 insertions, 8 deletions
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog index 884e169c7..918eb4d3b 100644 --- a/winsup/cygwin/ChangeLog +++ b/winsup/cygwin/ChangeLog @@ -1,3 +1,13 @@ +2003-02-03 Pierre Humblet <pierre.humblet@ieee.org> + + * security.h: Add third argument to set_process_privilege. + * autoload.cc: Add OpenThreadToken. + * sec_helper.cc (set_process_privilege): Add and use use_thread + argument. + * security.cc (alloc_sd): Modify call to set_process_privilege. + Remember the result in each process. If failed and file owner is not + the user, fail. + 2003-02-03 Corinna Vinschen <corinna@vinschen.de> * fhandler_socket.cc (fhandler_socket::recvfrom): Return buffer diff --git a/winsup/cygwin/autoload.cc b/winsup/cygwin/autoload.cc index 916694056..3c21d1e29 100644 --- a/winsup/cygwin/autoload.cc +++ b/winsup/cygwin/autoload.cc @@ -352,6 +352,7 @@ LoadDLLfunc (LsaOpenPolicy, 16, advapi32) LoadDLLfunc (LsaQueryInformationPolicy, 12, advapi32) LoadDLLfunc (MakeSelfRelativeSD, 12, advapi32) LoadDLLfunc (OpenProcessToken, 12, advapi32) +LoadDLLfunc (OpenThreadToken, 16, advapi32) LoadDLLfunc (RegCloseKey, 4, advapi32) LoadDLLfunc (RegCreateKeyExA, 36, advapi32) LoadDLLfunc (RegDeleteKeyA, 8, advapi32) diff --git a/winsup/cygwin/sec_helper.cc b/winsup/cygwin/sec_helper.cc index 86389da74..9c49c0a59 100644 --- a/winsup/cygwin/sec_helper.cc +++ b/winsup/cygwin/sec_helper.cc @@ -294,7 +294,7 @@ got_it: #endif //unused int -set_process_privilege (const char *privilege, BOOL enable) +set_process_privilege (const char *privilege, bool enable, bool use_thread) { HANDLE hToken = NULL; LUID restore_priv; @@ -302,8 +302,12 @@ set_process_privilege (const char *privilege, BOOL enable) int ret = -1; DWORD size; - if (!OpenProcessToken (hMainProc, TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, - &hToken)) + if ((use_thread + && !OpenThreadToken (GetCurrentThread (), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, + 0, &hToken)) + ||(!use_thread + && !OpenProcessToken (hMainProc, TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, + &hToken))) { __seterrno (); goto out; @@ -329,7 +333,6 @@ set_process_privilege (const char *privilege, BOOL enable) be enabled. GetLastError () returns an correct error code, though. */ if (enable && GetLastError () == ERROR_NOT_ALL_ASSIGNED) { - debug_printf ("Privilege %s couldn't be assigned", privilege); __seterrno (); goto out; } diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc index 617ec4612..224eff438 100644 --- a/winsup/cygwin/security.cc +++ b/winsup/cygwin/security.cc @@ -1563,9 +1563,20 @@ alloc_sd (__uid32_t uid, __gid32_t gid, int attribute, } owner_sid.debug_print ("alloc_sd: owner SID ="); - /* Must have SE_RESTORE_NAME privilege to change owner */ - if (cur_owner_sid && owner_sid != cur_owner_sid - && set_process_privilege (SE_RESTORE_NAME) < 0 ) + /* Try turning privilege on, may not have WRITE_OWNER or WRITE_DAC access. + Must have privilege to set different owner, else BackupWrite misbehaves */ + static int NO_COPY saved_res; /* 0: never, 1: failed, 2 & 3: OK */ + int res; + if (!saved_res || cygheap->user.issetuid ()) + { + res = 2 + set_process_privilege (SE_RESTORE_NAME, true, + cygheap->user.issetuid ()); + if (!cygheap->user.issetuid ()) + saved_res = res; + } + else + res = saved_res; + if (res == 1 && owner_sid != cygheap->user.sid ()) return NULL; /* Get SID of new group. */ diff --git a/winsup/cygwin/security.h b/winsup/cygwin/security.h index 7ed0307ce..a2a46a433 100644 --- a/winsup/cygwin/security.h +++ b/winsup/cygwin/security.h @@ -236,7 +236,7 @@ BOOL get_logon_server (const char * domain, char * server, WCHAR *wserver = NULL /* sec_helper.cc: Security helper functions. */ BOOL __stdcall is_grp_member (__uid32_t uid, __gid32_t gid); -int set_process_privilege (const char *privilege, BOOL enable = TRUE); +int set_process_privilege (const char *privilege, bool enable = true, bool use_thread = false); /* shared.cc: */ /* Retrieve a security descriptor that allows all access */ |