Re: [PATCH] root-uid: new module

[Corinna Vinschen <corinna-cygwin@cygwin.com>]

On Jun 26 18:18, Eric Blake wrote:
> [adding cygwin]
> 
> On 06/26/2012 06:12 PM, Paul Eggert wrote:
> > On 06/26/2012 05:01 PM, Eric Blake wrote:
> >> Rather than forcing comparison to a single value, would it be better to
> >> have a function is_privileged_uid(euid)?

Do you really need this functionality for an arbitrary uid as input?  Or
do you just want to know if the current process is running with a certain
privilege?

> > Yes, that sounds better.  I don't use Cygwin, though, so
> > I'm not qualified to write that.
> 
> Broadening the question, does the cygwin community have advice on the
> best implementation of a function that returns true if the argument is a
> uid with full privileges (for example, if the uid is a member of the
> Administrator group, and can therefore read files in spite of chown()
> disabling all the read permissions)?  We're trying to improve gnulib
> (and therefore coreutils, findutils, tar, ...) to use an
> implementation-appropriate check rather than the more traditional
> hard-coded check of uid==0, since that doesn't quite work everywhere.

Security in Windows is kind of complicated.  Not even the membership in
the group "Administrators" is a sure indicator that the current process
has the approriate rights.  In short, every process has a "user token"
attached which defines the permissions a process has, given as a list
of group memberships and a list of special privileges.  As an additional
twist, a privilege in the token can be enabled or disabled.  
Some of them, if disabled, are automatically enabled when calling
certain functions, others have to be enabled explicitely before calling
functions relying on the privilege.  There are no rules to that, other
than what's defined by the documentation.

I guess, the most platform-independent approach would be to encapsulate
the whole problem into a function requesting a specific capability along
the lines of the POSIX 1.e definitions, like, say

  if (has_capability (CAP_CHOWN))
    ...

The actual implementation of has_capability can then be defined in
a platform-specific file.  The default implementation of has_capability
would be something along the lines of

  int
  has_capability (int cap)
  {
    return geteuid () == 0;
  }

Systems supporting POSIX 1.e could use the appropriate functions,
Windows-based platforms would use an implementation based on the
Win32 functions to request the user token information.

As a sidenote, it would be nice if Cygwin would support the POSIX 1.e
capabilities, but nobody had the time or incentive to implement this
yet.  This might be a nice project for somebody who wants to contribute
to Cygwin, since its implementation is mostly independent from the
already existing functionality.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple