From: "Pierre A. Humblet"
To: Corinna Vinschen
Date: Sun, 10 Feb 2002 11:34:00 -0000
Subject: More security issues
Message-Id: <3.0.5.32.20020210143455.007f2100@pop.ne.mediaone.net>
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
X-SW-Source: 2002-02/txt/msg00510.txt.bz2

Hi Corinna,

I have some free time and easy access to an NT so I came back to security issues.

As you recall, in setegid(), setting the PrimaryGroup in the process token isn't reliable and was #if'ed out. Consequently non-cygwin subprocesses may create objects with the wrong primary group. I tried to fix that by setting the primary group based on getegid() in the security descriptor created in sec_user(). To my surprise that didn't have any effect.

In fact sec_user() doesn't seem to have much effect at all! It creates an ACL with 4 or 5 ACEs, but my token printing program only shows two ACEs in the process tokens: admins and system. I wonder what the sa in CreateProcess really does... The only thing that has an effect is the Inherit flag.

In the course of debugging I also noticed that the sid2 passed to sec_user() from just before CreateProcessAsUser() is useless.
It is actually equal to the sid that sec_user() gets from cygheap->user.sid () [cygheap->user is set in seteuid()].

All of this effort was motivated by weird access issues to the impersonation token. I can fix that by opening the thread token security descriptor after ImpersonateLoggedOnUser() in seteuid() and changing the ACL (using the ACL from sec_user(), that works!). Unfortunately the work must be redone each time the sequence RevertToSelf(), ..., ImpersonateLoggedOnUser() occurs. It would be much better if we could get the sd to have an effect in DuplicateTokenEx() [in create_token(), security.cc]. That may be related to what I observed above. Any ideas?

Back to setegid(), another safe way would be to RevertToSelf(), ..., Impersonate...() if currently impersonated. That's because there is also a RevertToSelf() before CreateProcessAsUser(). Why is there one, by the way? Microsoft seems to suggest working in the security context of the new user. It says it's useful if the executable is only executable by the new user.

Pierre

P.S.: please cc me directly.
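An added example, not part of Pierre's message and not Cygwin code: a PowerShell script (P/Invoke through Add-Type; the TokenNative class and the two helper function names are mine) that dumps, for the current process, the three token properties the message turns on. They are distinct things: the DACL of the token object itself (returned by GetKernelObjectSecurity, and the ACL that lpTokenAttributes of DuplicateTokenEx or a later SetKernelObjectSecurity on the token handle governs), the token's default DACL (what objects get when the creator passes no security descriptor, the non-Cygwin child case), and the token's primary group. The SECURITY_ATTRIBUTES handed to CreateProcess/CreateProcessAsUser describe the new process object, not its token, which is the distinction worth checking with a dump like this before concluding that an ACL "had no effect".

```powershell
# Added example (not Cygwin code): dump the token properties discussed in the
# message for the current process, via P/Invoke. Windows only. The TokenNative
# class and the helper functions below are my own names.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    public const uint TOKEN_QUERY = 0x0008;
    public const uint READ_CONTROL = 0x00020000;
    public const uint DACL_SECURITY_INFORMATION = 0x00000004;
    public const int TokenPrimaryGroup = 5;   // TOKEN_INFORMATION_CLASS values
    public const int TokenDefaultDacl = 6;
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buf, uint len, out uint needed);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetKernelObjectSecurity(IntPtr handle, uint info, IntPtr sd, uint len, out uint needed);
}
"@

$M = [Runtime.InteropServices.Marshal]

function Get-TokenInfoBuffer([IntPtr]$Token, [int]$InfoClass) {
    # Two-call pattern: ask for the size, allocate, ask again. The caller frees the result.
    $needed = [uint32]0
    [void][TokenNative]::GetTokenInformation($Token, $InfoClass, [IntPtr]::Zero, 0, [ref]$needed)
    $buf = $M::AllocHGlobal([int]$needed)
    if (-not [TokenNative]::GetTokenInformation($Token, $InfoClass, $buf, $needed, [ref]$needed)) {
        $M::FreeHGlobal($buf)
        throw "GetTokenInformation($InfoClass) failed: Win32 error $($M::GetLastWin32Error())"
    }
    return $buf
}

function Format-Acl([System.Security.AccessControl.RawAcl]$Acl) {
    # One line per ACE: type, access mask, and the principal (SID if it cannot be translated).
    foreach ($ace in $Acl) {
        $c = $ace -as [System.Security.AccessControl.CommonAce]
        if ($null -eq $c) { "  (ACE type $($ace.AceType), not a standard ACE)"; continue }
        $who = $c.SecurityIdentifier.Value
        try { $who = $c.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        "  {0,-13} mask 0x{1:X8}  {2}" -f $c.AceType, $c.AccessMask, $who
    }
}

$token = [IntPtr]::Zero
$access = [uint32]([TokenNative]::TOKEN_QUERY -bor [TokenNative]::READ_CONTROL)   # READ_CONTROL: read the token's own SD
if (-not [TokenNative]::OpenProcessToken([TokenNative]::GetCurrentProcess(), $access, [ref]$token)) {
    throw "OpenProcessToken failed: Win32 error $($M::GetLastWin32Error())"
}
try {
    # (1) DACL of the token object itself: who may open, query or duplicate this token.
    #     Set when the token is created (lpTokenAttributes of DuplicateTokenEx) or by
    #     SetKernelObjectSecurity on the handle; CreateProcess's SECURITY_ATTRIBUTES
    #     protect the process object instead.
    $needed = [uint32]0
    [void][TokenNative]::GetKernelObjectSecurity($token, [TokenNative]::DACL_SECURITY_INFORMATION, [IntPtr]::Zero, 0, [ref]$needed)
    $sdBuf = $M::AllocHGlobal([int]$needed)
    try {
        if (-not [TokenNative]::GetKernelObjectSecurity($token, [TokenNative]::DACL_SECURITY_INFORMATION, $sdBuf, $needed, [ref]$needed)) {
            throw "GetKernelObjectSecurity failed: Win32 error $($M::GetLastWin32Error())"
        }
        $sdBytes = New-Object byte[] ([int]$needed)          # self-relative security descriptor
        $M::Copy($sdBuf, $sdBytes, 0, [int]$needed)
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sdBytes, 0)
        "Token object DACL:"
        Format-Acl $sd.DiscretionaryAcl
    } finally { $M::FreeHGlobal($sdBuf) }

    # (2) Default DACL: applied to objects this token creates when the creator
    #     supplies no security descriptor (the non-Cygwin child case).
    $buf = Get-TokenInfoBuffer $token ([TokenNative]::TokenDefaultDacl)
    try {
        $aclPtr = $M::ReadIntPtr($buf)                       # TOKEN_DEFAULT_DACL.DefaultDacl
        if ($aclPtr -eq [IntPtr]::Zero) {
            "Default DACL: none"
        } else {
            $aclSize = [int]$M::ReadInt16($aclPtr, 2)        # ACL.AclSize (USHORT at offset 2)
            $aclBytes = New-Object byte[] $aclSize
            $M::Copy($aclPtr, $aclBytes, 0, $aclSize)
            "Default DACL:"
            Format-Acl (New-Object System.Security.AccessControl.RawAcl($aclBytes, 0))
        }
    } finally { $M::FreeHGlobal($buf) }

    # (3) Primary group: the group SID stamped on those same new objects, i.e. the
    #     field a setegid() would have to update for a child to inherit the right one.
    $buf = Get-TokenInfoBuffer $token ([TokenNative]::TokenPrimaryGroup)
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($M::ReadIntPtr($buf))  # TOKEN_PRIMARY_GROUP.PrimaryGroup
        "Primary group: $($sid.Value)"
    } finally { $M::FreeHGlobal($buf) }
} finally { [void][TokenNative]::CloseHandle($token) }
```

Run it from a normal Windows PowerShell session; nothing here needs elevation beyond READ_CONTROL on your own token. The same three dumps apply unchanged to a handle from OpenThreadToken, which is how one would look at the impersonation token the message is concerned with, and section (1) is the one to compare before and after any SetKernelObjectSecurity or DuplicateTokenEx change: if it lists only Administrators and SYSTEM, no other principal in the session can open that token, whatever ACL was passed to CreateProcess.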