Re: [PATCH] root-uid: new module

Re: [PATCH] root-uid: new module

[Eric Blake]

[-- Attachment #1: Type: text/plain, Size: 998 bytes --]

[adding cygwin]

On 06/26/2012 06:12 PM, Paul Eggert wrote:
> On 06/26/2012 05:01 PM, Eric Blake wrote:
>> Rather than forcing comparison to a single value, would it be better to
>> have a function is_privileged_uid(euid)?
> 
> Yes, that sounds better.  I don't use Cygwin, though, so
> I'm not qualified to write that.

Broadening the question, does the cygwin community have advice on the
best implementation of a function that returns true if the argument is a
uid with full privileges (for example, if the uid is a member of the
Administrator group, and can therefore read files in spite of chown()
disabling all the read permissions)?  We're trying to improve gnulib
(and therefore coreutils, findutils, tar, ...) to use an
implementation-appropriate check rather than the more traditional
hard-coded check of uid==0, since that doesn't quite work everywhere.

-- 
Eric Blake   eblake@redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org




[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 620 bytes --]

Re: [PATCH] root-uid: new module

[Corinna Vinschen]

On Jun 26 18:18, Eric Blake wrote:
> [adding cygwin]
> 
> On 06/26/2012 06:12 PM, Paul Eggert wrote:
> > On 06/26/2012 05:01 PM, Eric Blake wrote:
> >> Rather than forcing comparison to a single value, would it be better to
> >> have a function is_privileged_uid(euid)?

Do you really need this functionality for an arbitrary uid as input?  Or
do you just want to know if the current process is running with a certain
privilege?

> > Yes, that sounds better.  I don't use Cygwin, though, so
> > I'm not qualified to write that.
> 
> Broadening the question, does the cygwin community have advice on the
> best implementation of a function that returns true if the argument is a
> uid with full privileges (for example, if the uid is a member of the
> Administrator group, and can therefore read files in spite of chown()
> disabling all the read permissions)?  We're trying to improve gnulib
> (and therefore coreutils, findutils, tar, ...) to use an
> implementation-appropriate check rather than the more traditional
> hard-coded check of uid==0, since that doesn't quite work everywhere.

Security in Windows is kind of complicated.  Not even the membership in
the group "Administrators" is a sure indicator that the current process
has the approriate rights.  In short, every process has a "user token"
attached which defines the permissions a process has, given as a list
of group memberships and a list of special privileges.  As an additional
twist, a privilege in the token can be enabled or disabled.  
Some of them, if disabled, are automatically enabled when calling
certain functions, others have to be enabled explicitely before calling
functions relying on the privilege.  There are no rules to that, other
than what's defined by the documentation.

I guess, the most platform-independent approach would be to encapsulate
the whole problem into a function requesting a specific capability along
the lines of the POSIX 1.e definitions, like, say

  if (has_capability (CAP_CHOWN))
    ...

The actual implementation of has_capability can then be defined in
a platform-specific file.  The default implementation of has_capability
would be something along the lines of

  int
  has_capability (int cap)
  {
    return geteuid () == 0;
  }

Systems supporting POSIX 1.e could use the appropriate functions,
Windows-based platforms would use an implementation based on the
Win32 functions to request the user token information.

As a sidenote, it would be nice if Cygwin would support the POSIX 1.e
capabilities, but nobody had the time or incentive to implement this
yet.  This might be a nice project for somebody who wants to contribute
to Cygwin, since its implementation is mostly independent from the
already existing functionality.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: [PATCH] root-uid: new module

[Charles Wilson]

On 6/26/2012 8:18 PM, Eric Blake wrote:
> Broadening the question, does the cygwin community have advice on the
> best implementation of a function that returns true if the argument is a
> uid with full privileges (for example, if the uid is a member of the
> Administrator group, and can therefore read files in spite of chown()
> disabling all the read permissions)?  We're trying to improve gnulib
> (and therefore coreutils, findutils, tar, ...) to use an
> implementation-appropriate check rather than the more traditional
> hard-coded check of uid==0, since that doesn't quite work everywhere.

There is some support code for doing various Win32-related group/user
analysis like this in cygwin's login package.  The files you'd be
interested in -- winsec.c and winpriv.c, along with test_winsec.c --
were written by Chris Rodgers, me, and I'm sure Corinna contributed a
few patches along the way.  Those three files are under slightly
different licenses, but are MIT/X-ish.

--
Chuck

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: [PATCH] root-uid: new module

[Paul Eggert]

On 06/27/2012 12:48 AM, Corinna Vinschen wrote:
> I guess, the most platform-independent approach would be to encapsulate
> the whole problem into a function requesting a specific capability along
> the lines of the POSIX 1.e definitions,

Some Gnulib code (e.g., unlinkdir.c) relies on the Solaris-defined
primitives in <priv.h> for that, e.g., priv_set_ismember (PRIV_SYS_LINKDIR)
to test whether the current process can unlink directories
(traditionally this required root privileges).

Presumably this sort of thing could be extended and ported to POSIX 1.e,
if someone wanted to do that.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: [PATCH] root-uid: new module

[Charles Wilson]

On 6/27/2012 9:58 AM, Charles Wilson wrote:
> Those three files are under slightly
> different licenses, but are MIT/X-ish.

Oops, I should have scrolled down farther. Looks like winpriv.c was
further modified by Jari Aalto, and actually sports a GPLv2+ license
(and re-reading the license of the code Jari(?) adopted from Chris, it
seems like a combo of BSD with the MIT/X disclaimer tacked on). Either
way, it should be compatible with the needs of gnulib.

I, and I hope all those associated with the code, would be willing to
release it to gnulib under a plain old LGPLv3+ license -- or even a
more permissive one. (dunno if Chris Rodgers is still contactable, tho).

But before we try contacting everybody for a license change, take a look
and see if it even contains the stuff you want/need.

--
Chuck


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple