public inbox for cygwin-cvs@sourceware.org
help / color / mirror / Atom feed
From: Corinna Vinschen <corinna@sourceware.org>
To: cygwin-cvs@sourceware.org
Subject: [newlib-cygwin] Cygwin: seteuid: refuse changing uid to disabled or locked out user
Date: Thu, 24 Jan 2019 15:25:00 -0000 [thread overview]
Message-ID: <20190124152518.120929.qmail@sourceware.org> (raw)
https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=2c12a2c32a6fe43f8a74e2792ad15c65116c6e2c
commit 2c12a2c32a6fe43f8a74e2792ad15c65116c6e2c
Author: Corinna Vinschen <corinna@vinschen.de>
Date: Thu Jan 24 16:22:49 2019 +0100
Cygwin: seteuid: refuse changing uid to disabled or locked out user
So far seteuid could change uid to any existing account, given
sufficient permissions of the caller. This is kind of bad since
it disallows admins to refuse login to disabled or locked out
accounts.
Add check for the account's UF_ACCOUNTDISABLE or UF_LOCKOUT flags
and don't let the user in, if one of the flags is set.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Diff:
---
winsup/cygwin/release/2.12.0 | 3 +++
winsup/cygwin/sec_auth.cc | 15 +++++++++++++++
2 files changed, 18 insertions(+)
diff --git a/winsup/cygwin/release/2.12.0 b/winsup/cygwin/release/2.12.0
index 5835952..c2abc93 100644
--- a/winsup/cygwin/release/2.12.0
+++ b/winsup/cygwin/release/2.12.0
@@ -81,3 +81,6 @@ Bug Fixes
- Fix thread names in GDB when cygthreads get reused.
- Fix return value of gethostname in a border case.
+
+- Disallow seteuid on disabled or locked out accounts.
+ Addresses: https://cygwin.com/ml/cygwin/2019-01/msg00197.html
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index d4c2701..8fdfa3a 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -553,6 +553,21 @@ get_server_groups (cygsidlist &grp_list, PSID usersid)
&& sid_sub_auth (usersid, 0) == SECURITY_NT_NON_UNIQUE
&& get_logon_server (domain, server, DS_IS_FLAT_NAME))
{
+ NET_API_STATUS napi_stat;
+ USER_INFO_1 *ui1;
+ bool allow_user = false;
+
+ napi_stat = NetUserGetInfo (server, user, 1, (LPBYTE *) &ui1);
+ if (napi_stat == NERR_Success)
+ allow_user = !(ui1->usri1_flags & (UF_ACCOUNTDISABLE | UF_LOCKOUT));
+ if (ui1)
+ NetApiBufferFree (ui1);
+ if (!allow_user)
+ {
+ debug_printf ("User denied: %W\\%W", domain, user);
+ set_errno (EACCES);
+ return false;
+ }
get_user_groups (server, grp_list, user, domain);
get_user_local_groups (server, domain, grp_list, user);
}
reply other threads:[~2019-01-24 15:25 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190124152518.120929.qmail@sourceware.org \
--to=corinna@sourceware.org \
--cc=cygwin-cvs@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).