From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 2155) id BDB3B395B079; Fri, 13 May 2022 12:38:52 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org BDB3B395B079 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable From: Corinna Vinschen To: cygwin-cvs@sourceware.org Subject: [newlib-cygwin] Cygwin: drop create_token and dependent functions X-Act-Checkin: newlib-cygwin X-Git-Author: Corinna Vinschen X-Git-Refname: refs/heads/master X-Git-Oldrev: a70a969c64a4f101fdfea8a13a886563e703b0d0 X-Git-Newrev: ca313dd8f4ceb7673c1c2fffb7da2c7bb291da30 Message-Id: <20220513123852.BDB3B395B079@sourceware.org> Date: Fri, 13 May 2022 12:38:52 +0000 (GMT) X-BeenThere: cygwin-cvs@cygwin.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Cygwin core component git logs List-Unsubscribe: , List-Archive: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 May 2022 12:38:52 -0000 https://sourceware.org/git/gitweb.cgi?p=3Dnewlib-cygwin.git;h=3Dca313dd8f4c= eb7673c1c2fffb7da2c7bb291da30 commit ca313dd8f4ceb7673c1c2fffb7da2c7bb291da30 Author: Corinna Vinschen Date: Mon Mar 7 11:29:42 2022 +0100 Cygwin: drop create_token and dependent functions =20 Given we only called create_token on W7 WOW64 anyway, we can now drop this function and all other functions only called from there entirely. =20 Signed-off-by: Corinna Vinschen Diff: --- winsup/cygwin/sec_auth.cc | 368 +-----------------------------------------= ---- winsup/cygwin/security.h | 2 - winsup/cygwin/spawn.cc | 8 +- winsup/cygwin/syscalls.cc | 23 +-- 4 files changed, 9 insertions(+), 392 deletions(-) diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc index a7610c71f..a15778db0 100644 --- a/winsup/cygwin/sec_auth.cc +++ b/winsup/cygwin/sec_auth.cc 
@@ -379,41 +379,6 @@ sid_in_token_groups (PTOKEN_GROUPS grps, cygpsid sid) return false; } =20 -static void -get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps) -{ - if (my_grps) - { - grp_list +=3D well_known_local_sid; - grp_list +=3D well_known_console_logon_sid; - if (sid_in_token_groups (my_grps, well_known_dialup_sid)) - grp_list *=3D well_known_dialup_sid; - if (sid_in_token_groups (my_grps, well_known_network_sid)) - grp_list *=3D well_known_network_sid; - if (sid_in_token_groups (my_grps, well_known_batch_sid)) - grp_list *=3D well_known_batch_sid; - grp_list *=3D well_known_interactive_sid; -#if 0 - /* Don't add the SERVICE group when switching the user context. - That's much too dangerous, since the service group adds the - SE_IMPERSONATE_NAME privilege to the user. After all, the - process started with this token is not the service process - anymore anyway. */ - if (sid_in_token_groups (my_grps, well_known_service_sid)) - grp_list *=3D well_known_service_sid; -#endif - if (sid_in_token_groups (my_grps, well_known_this_org_sid)) - grp_list *=3D well_known_this_org_sid; - grp_list *=3D well_known_users_sid; - } - else - { - grp_list +=3D well_known_local_sid; - grp_list *=3D well_known_interactive_sid; - grp_list *=3D well_known_users_sid; - } -} - bool get_server_groups (cygsidlist &grp_list, PSID usersid, acct_disabled_chk_t check_account_disabled) 
@@ -470,180 +435,6 @@ get_server_groups (cygsidlist &grp_list, PSID usersid, return true; } =20 -static bool -get_initgroups_sidlist (cygsidlist &grp_list, PSID usersid, PSID pgrpsid, - PTOKEN_GROUPS my_grps) -{ - if (well_known_system_sid !=3D usersid) - get_token_group_sidlist (grp_list, my_grps); - if (!get_server_groups (grp_list, usersid, CHK_DISABLED)) - return false; - - /* special_pgrp true if pgrpsid is not in normal groups */ - grp_list +=3D pgrpsid; - return true; -} - -static bool -get_setgroups_sidlist (cygsidlist &tmp_list, PSID usersid, - PTOKEN_GROUPS my_grps, user_groups &groups) -{ - get_token_group_sidlist (tmp_list, my_grps); - if (!get_server_groups (tmp_list, usersid, CHK_DISABLED)) - return false; - for (int gidx =3D 0; gidx < groups.sgsids.count (); gidx++) - tmp_list +=3D groups.sgsids.sids[gidx]; - tmp_list +=3D groups.pgsid; - return true; -} - -/* Fixed size TOKEN_PRIVILEGES list to reflect privileges given to the - SYSTEM account by default. */ -const struct -{ - DWORD PrivilegeCount; - LUID_AND_ATTRIBUTES Privileges[28]; -} sys_privs =3D -{ - 28, - { - { { SE_CREATE_TOKEN_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_ASSIGNPRIMARYTOKEN_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_LOCK_MEMORY_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_INCREASE_QUOTA_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_TCB_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_SECURITY_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_TAKE_OWNERSHIP_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_LOAD_DRIVER_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_SYSTEM_PROFILE_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { 
SE_SYSTEMTIME_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_PROF_SINGLE_PROCESS_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_INC_BASE_PRIORITY_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_CREATE_PAGEFILE_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_CREATE_PERMANENT_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_BACKUP_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_RESTORE_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_SHUTDOWN_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_DEBUG_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_AUDIT_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_SYSTEM_ENVIRONMENT_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_CHANGE_NOTIFY_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_UNDOCK_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_MANAGE_VOLUME_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_IMPERSONATE_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_CREATE_GLOBAL_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_INCREASE_WORKING_SET_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_TIME_ZONE_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { { SE_CREATE_SYMBOLIC_LINK_PRIVILEGE, 0 }, - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT } - } -}; - -static PTOKEN_PRIVILEGES -get_priv_list (LSA_HANDLE lsa, cygsid &usersid, cygsidlist &grp_list, - size_t &size, cygpsid 
*mandatory_integrity_sid) -{ - PLSA_UNICODE_STRING privstrs; - ULONG cnt; - PTOKEN_PRIVILEGES privs =3D NULL; - - if (usersid =3D=3D well_known_system_sid) - { - if (mandatory_integrity_sid) - *mandatory_integrity_sid =3D mandatory_system_integrity_sid; - return (PTOKEN_PRIVILEGES) &sys_privs; - } - - if (mandatory_integrity_sid) - *mandatory_integrity_sid =3D mandatory_medium_integrity_sid; - - for (int grp =3D -1; grp < grp_list.count (); ++grp) - { - if (grp =3D=3D -1) - { - if (LsaEnumerateAccountRights (lsa, usersid, &privstrs, &cnt) - !=3D STATUS_SUCCESS) - continue; - } - else if (LsaEnumerateAccountRights (lsa, grp_list.sids[grp], - &privstrs, &cnt) !=3D STATUS_SUCCESS) - continue; - for (ULONG i =3D 0; i < cnt; ++i) - { - LUID priv; - PTOKEN_PRIVILEGES tmp; - DWORD tmp_count; - bool high_integrity; - - if (!privilege_luid (privstrs[i].Buffer, priv, high_integrity)) - continue; - - if (privs) - { - DWORD pcnt =3D privs->PrivilegeCount; - LUID_AND_ATTRIBUTES *p =3D privs->Privileges; - for (; pcnt > 0; --pcnt, ++p) - if (priv.HighPart =3D=3D p->Luid.HighPart - && priv.LowPart =3D=3D p->Luid.LowPart) - goto next_account_right; - } - - tmp_count =3D privs ? 
privs->PrivilegeCount : 0; - size =3D sizeof (DWORD) - + (tmp_count + 1) * sizeof (LUID_AND_ATTRIBUTES); - tmp =3D (PTOKEN_PRIVILEGES) realloc (privs, size); - if (!tmp) - { - if (privs) - free (privs); - LsaFreeMemory (privstrs); - debug_printf ("realloc (privs) failed."); - return NULL; - } - tmp->PrivilegeCount =3D tmp_count; - privs =3D tmp; - privs->Privileges[privs->PrivilegeCount].Luid =3D priv; - privs->Privileges[privs->PrivilegeCount].Attributes =3D - SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT; - ++privs->PrivilegeCount; - if (mandatory_integrity_sid && high_integrity) - *mandatory_integrity_sid =3D mandatory_high_integrity_sid; - - next_account_right: - ; - } - LsaFreeMemory (privstrs); - } - return privs; -} - /* Accept a token if - the requested usersid matches the TokenUser and - if setgroups has been called: @@ -654,9 +445,8 @@ get_priv_list (LSA_HANDLE lsa, cygsid &usersid, cygsidl= ist &grp_list, they match and verify only the primary groups. The requested primary group must appear in the token. The primary group in the token is a group associated with the usersid, - except if the token is internal and the group is in the token SD - (see create_token). In that latter case that group must match the - requested primary group. */ + except if the token is internal and the group is in the token SD. In + that latter case that group must match the requested primary group. */ bool verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pi= ntern) { 
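Review bot: The rewritten comment above `verify_token` still keeps the "token is internal and the group is in the token SD" exception, yet the only producer of such a token visible in this commit is the removed `create_token`, which stamped the token with `source.SourceName` "Cygwin.1". Whether `lsaprivkeyauth` or `s4uauth` can still yield a token that `verify_token` reports as internal is not visible here; if neither does, the clause is stale and the `pintern` out-parameter in the signature `bool verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)` deserves the same review. I would either name the remaining producer in the comment, e.g. `except if the token is internal (source "Cygwin.1", see <producer>) and the group is in the token SD.`, or drop the exception together with the code that relied on it. The body of `verify_token` lies outside the hunk.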
@@ -786,160 +576,6 @@ account_restriction (NTSTATUS status) return type; } =20 -HANDLE -create_token (cygsid &usersid, user_groups &new_groups) -{ - NTSTATUS status; - LSA_HANDLE lsa =3D NULL; - - cygsidlist tmp_gsids (cygsidlist_auto, 12); - - SECURITY_QUALITY_OF_SERVICE sqos =3D - { sizeof sqos, SecurityImpersonation, SECURITY_STATIC_TRACKING, FALSE = }; - OBJECT_ATTRIBUTES oa =3D { sizeof oa, 0, 0, 0, 0, &sqos }; - /* Up to Windows 7, when using an authentication LUID other than "Anonym= ous", - Windows whoami prints the wrong username, the one from the login sess= ion, - not the one from the actual user token of the process. This is appar= ently - fixed in Windows 8. However, starting with Windows 8, access rights = of - the anonymous logon session is further restricted. Therefore we crea= te - the new user token with the authentication id of the local service - account. Hopefully that's sufficient. */ - const LUID auth_luid_7 =3D ANONYMOUS_LOGON_LUID; - const LUID auth_luid_8 =3D LOCALSERVICE_LUID; - LUID auth_luid =3D wincap.has_broken_whoami () ? auth_luid_7 : auth_luid= _8; - LARGE_INTEGER exp =3D { QuadPart:INT64_MAX }; - - TOKEN_USER user; - PTOKEN_GROUPS new_tok_gsids =3D NULL; - PTOKEN_PRIVILEGES privs =3D NULL; - TOKEN_OWNER owner; - TOKEN_PRIMARY_GROUP pgrp; - TOKEN_DEFAULT_DACL dacl =3D {}; - TOKEN_SOURCE source; - TOKEN_STATISTICS stats; - memcpy (source.SourceName, "Cygwin.1", 8); - source.SourceIdentifier.HighPart =3D 0; - source.SourceIdentifier.LowPart =3D 0x0101; - - HANDLE token =3D NULL; - HANDLE primary_token =3D NULL; - - tmp_pathbuf tp; - PTOKEN_GROUPS my_tok_gsids =3D NULL; - cygpsid mandatory_integrity_sid; - ULONG size; - size_t psize =3D 0; - - /* SE_CREATE_TOKEN_NAME privilege needed to call NtCreateToken. */ - push_self_privilege (SE_CREATE_TOKEN_PRIVILEGE, true); - - /* Open policy object. */ - if (!(lsa =3D lsa_open_policy (NULL, POLICY_EXECUTE))) - goto out; - - /* User, owner, primary group. 
*/ - user.User.Sid =3D usersid; - user.User.Attributes =3D 0; - owner.Owner =3D usersid; - - /* Retrieve authentication id and group list from own process. */ - if (hProcToken) - { - /* Switching user context to SYSTEM doesn't inherit the authenticati= on - id of the user account running current process. */ - if (usersid =3D=3D well_known_system_sid) - /* nothing to do */; - else - { - status =3D NtQueryInformationToken (hProcToken, TokenStatistics, - &stats, sizeof stats, &size); - if (!NT_SUCCESS (status)) - debug_printf ("NtQueryInformationToken(hProcToken, " - "TokenStatistics), %y", status); - } - - /* Retrieving current processes group list to be able to inherit - some important well known group sids. */ - my_tok_gsids =3D (PTOKEN_GROUPS) tp.w_get (); - status =3D NtQueryInformationToken (hProcToken, TokenGroups, my_tok_= gsids, - 2 * NT_MAX_PATH, &size); - if (!NT_SUCCESS (status)) - { - debug_printf ("NtQueryInformationToken(hProcToken, TokenGroups), " - "%y", status); - my_tok_gsids =3D NULL; - } - } - - /* Create list of groups, the user is member in. */ - if (new_groups.issetgroups ()) - { - if (!get_setgroups_sidlist (tmp_gsids, usersid, my_tok_gsids, new_gr= oups)) - goto out; - } - else if (!get_initgroups_sidlist (tmp_gsids, usersid, new_groups.pgsid, - my_tok_gsids)) - goto out; - - /* Primary group. */ - pgrp.PrimaryGroup =3D new_groups.pgsid; - - /* Create a TOKEN_GROUPS list from the above retrieved list of sids. */ - new_tok_gsids =3D (PTOKEN_GROUPS) - alloca (sizeof (DWORD) + (tmp_gsids.count () + 1) - * sizeof (SID_AND_ATTRIBUTES)); - new_tok_gsids->GroupCount =3D tmp_gsids.count (); - for (DWORD i =3D 0; i < new_tok_gsids->GroupCount; ++i) - { - new_tok_gsids->Groups[i].Sid =3D tmp_gsids.sids[i]; - new_tok_gsids->Groups[i].Attributes =3D SE_GROUP_MANDATORY - | SE_GROUP_ENABLED_BY_DEFAULT - | SE_GROUP_ENABLED; - } - - /* Retrieve list of privileges of that user. 
Based on the usersid and - the returned privileges, get_priv_list sets the mandatory_integrity_s= id - pointer to the correct MIC SID for UAC. */ - if (!(privs =3D get_priv_list (lsa, usersid, tmp_gsids, psize, - &mandatory_integrity_sid))) - goto out; - - new_tok_gsids->Groups[new_tok_gsids->GroupCount].Attributes =3D - SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED; - new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid - =3D mandatory_integrity_sid; - - /* Let's be heroic... */ - status =3D NtCreateToken (&token, TOKEN_ALL_ACCESS, &oa, TokenImpersonat= ion, - &auth_luid, &exp, &user, new_tok_gsids, privs, &owner, - &pgrp, &dacl, &source); - if (status) - __seterrno_from_nt_status (status); - else - { - /* Convert to primary token. */ - if (!DuplicateTokenEx (token, MAXIMUM_ALLOWED, &sec_none, - SecurityImpersonation, TokenPrimary, - &primary_token)) - { - __seterrno (); - debug_printf ("DuplicateTokenEx %E"); - primary_token =3D NULL; - } - } - -out: - pop_self_privilege (); - if (token !=3D INVALID_HANDLE_VALUE) - CloseHandle (token); - if (privs && privs !=3D (PTOKEN_PRIVILEGES) &sys_privs) - free (privs); - lsa_close_policy (lsa); - - debug_printf ("%p =3D create_token ()", primary_token); - return primary_token; -} - #define SFU_LSA_KEY_SUFFIX L"_microsoft_sfu_utility" =20 HANDLE diff --git a/winsup/cygwin/security.h b/winsup/cygwin/security.h index 3e6688cd9..651f6d0e8 100644 --- a/winsup/cygwin/security.h +++ b/winsup/cygwin/security.h @@ -457,8 +457,6 @@ int setacl (HANDLE, path_conv &, int, struct acl *, boo= l &); =20 /* Set impersonation or restricted token. */ void set_imp_token (HANDLE token, int type); -/* Function creating a token by calling NtCreateToken. */ -HANDLE create_token (cygsid &usersid, user_groups &groups); /* LSA private key storage authentication, same as when using service logo= ns. */ HANDLE lsaprivkeyauth (struct passwd *pw); /* Kerberos or MsV1 S4U logon. */ 
diff --git a/winsup/cygwin/spawn.cc b/winsup/cygwin/spawn.cc index c9e1fb6d2..98b588698 100644 --- a/winsup/cygwin/spawn.cc +++ b/winsup/cygwin/spawn.cc @@ -752,11 +752,9 @@ child_info_spawn::worker (const char *prog_arg, const = char *const *argv, sa =3D sec_user ((PSECURITY_ATTRIBUTES) alloca (1024), ::cygheap->user.sid ()); /* We're creating a window station per user, not per logon - session First of all we might not have a valid logon session - for the user (logon by create_token), and second, it doesn't - make sense in terms of security to create a new window - station for every logon of the same user. It just fills up - the system with window stations for no good reason. */ + session. It doesn't make sense in terms of security to + create a new window station for every logon of the same user. + It just fills up the system with window stations. */ hwst =3D CreateWindowStationW (::cygheap->user.get_windows_id (sid), 0, GENERIC_READ | GENERIC_WRITE, sa); if (!hwst) diff --git a/winsup/cygwin/syscalls.cc b/winsup/cygwin/syscalls.cc index b68d1f215..3a652c4f4 100644 --- a/winsup/cygwin/syscalls.cc +++ b/winsup/cygwin/syscalls.cc @@ -3607,8 +3607,7 @@ seteuid32 (uid_t uid) debug_printf ("Found token %p", new_token); =20 /* If no impersonation token is available, try to authenticate using - LSA private data stored password, LSA authentication using our own - LSA module, or, as last chance, NtCreateToken. */ + LSA private data stored password, or, if that fails, S4U logon. */ if (new_token =3D=3D NULL) { if (!(new_token =3D lsaprivkeyauth (pw_new))) 
@@ -3621,23 +3620,9 @@ seteuid32 (uid_t uid) extract_nt_dom_user (pw_new, domain, user); if (!(new_token =3D s4uauth (true, domain, user, status))) { - if (status !=3D STATUS_INVALID_PARAMETER) - { - debug_printf ("s4uauth failed, bail out"); - cygheap->user.reimpersonate (); - return -1; - } - /* If s4uauth fails with status code STATUS_INVALID_PARAMETER, - we're running on a system not implementing MsV1_0S4ULogon - (Windows 7 WOW64). Fall back to create_token in this single - case only. */ - debug_printf ("s4uauth failed, try create_token."); - if (!(new_token =3D create_token (usersid, groups))) - { - debug_printf ("create_token failed, bail out"); - cygheap->user.reimpersonate (); - return -1; - } + debug_printf ("s4uauth failed, bail out"); + cygheap->user.reimpersonate (); + return -1; } }
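Review bot: With the `STATUS_INVALID_PARAMETER` branch gone, the NTSTATUS that `s4uauth (true, domain, user, status)` hands back is no longer inspected on this path, so the single remaining `debug_printf ("s4uauth failed, bail out");` loses the only diagnostic that distinguished a malformed request from an authentication denial; if `status` is not read elsewhere in seteuid32, it is now a write-only variable. I would log it in the same call, `debug_printf ("s4uauth failed, %y, bail out", status);`, which keeps the reason recoverable from the strace output without reintroducing any fallback. The enclosing seteuid32 starts and ends outside the hunk, so whether `status` has another reader cannot be confirmed from here.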