From 2c12a2c32a6fe43f8a74e2792ad15c65116c6e2c Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Thu, 24 Jan 2019 16:22:49 +0100 Subject: [PATCH] Cygwin: seteuid: refuse changing uid to disabled or locked out user So far seteuid could change uid to any existing account, given sufficient permissions of the caller. This is kind of bad since it disallows admins to refuse login to disabled or locked out accounts. Add check for the account's UF_ACCOUNTDISABLE or UF_LOCKOUT flags and don't let the user in, if one of the flags is set. Signed-off-by: Corinna Vinschen --- winsup/cygwin/release/2.12.0 | 3 +++ winsup/cygwin/sec_auth.cc | 15 +++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/winsup/cygwin/release/2.12.0 b/winsup/cygwin/release/2.12.0 index 5835952ee..c2abc9329 100644 --- a/winsup/cygwin/release/2.12.0 +++ b/winsup/cygwin/release/2.12.0 @@ -81,3 +81,6 @@ Bug Fixes - Fix thread names in GDB when cygthreads get reused. - Fix return value of gethostname in a border case. + +- Disallow seteuid on disabled or locked out accounts. + Addresses: https://cygwin.com/ml/cygwin/2019-01/msg00197.html diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc index d4c2701da..8fdfa3a86 100644 --- a/winsup/cygwin/sec_auth.cc +++ b/winsup/cygwin/sec_auth.cc @@ -553,6 +553,21 @@ get_server_groups (cygsidlist &grp_list, PSID usersid) && sid_sub_auth (usersid, 0) == SECURITY_NT_NON_UNIQUE && get_logon_server (domain, server, DS_IS_FLAT_NAME)) { + NET_API_STATUS napi_stat; + USER_INFO_1 *ui1; + bool allow_user = false; + + napi_stat = NetUserGetInfo (server, user, 1, (LPBYTE *) &ui1); + if (napi_stat == NERR_Success) + allow_user = !(ui1->usri1_flags & (UF_ACCOUNTDISABLE | UF_LOCKOUT)); + if (ui1) + NetApiBufferFree (ui1); + if (!allow_user) + { + debug_printf ("User denied: %W\\%W", domain, user); + set_errno (EACCES); + return false; + } get_user_groups (server, grp_list, user, domain); get_user_local_groups (server, domain, grp_list, user); }