diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog index 09f0db989..ef85b78b8 100644 --- a/winsup/cygwin/ChangeLog +++ b/winsup/cygwin/ChangeLog @@ -1,3 +1,27 @@ +2006-11-08 Corinna Vinschen + + * sec_helper.cc (sid_auth): Remove. + (well_known_this_org_sid): New well known sid. + (SECURITY_MANDATORY_INTEGRITY_AUTHORITY): Define. + (mandatory_medium_integrity_sid): New well known sid. + (mandatory_high_integrity_sid): Ditto. + (mandatory_system_integrity_sid): Ditto. + (cygsid::get_sid): Use local SID_IDENTIFIER_AUTHORITY. Allow all + authorities fitting in a UCHAR. + * security.cc (get_token_group_sidlist): Always add the local + group to the token. Add comment. Add "This Organization" group + if available in incoming group list. + (get_server_groups): Only add world and authenticated users groups + if not already in list. + (create_token): Add matching mandatory integrity SID to group list + on systems supporting Mandatory Integrity Control. + * security.h (well_known_this_org_sid): Define. + (mandatory_medium_integrity_sid): Define. + (mandatory_high_integrity_sid): Define. + (mandatory_system_integrity_sid): Define. + * wincap.h: Define has_mandatory_integrity_control throughout. + * wincap.cc: Ditto. + 2006-11-07 Corinna Vinschen * fhandler.cc (check_posix_perm): Moved here from syscalls.cc. diff --git a/winsup/cygwin/sec_helper.cc b/winsup/cygwin/sec_helper.cc index 4bcca81a5..e7f65f840 100644 --- a/winsup/cygwin/sec_helper.cc +++ b/winsup/cygwin/sec_helper.cc @@ -38,15 +38,6 @@ SECURITY_ATTRIBUTES NO_COPY sec_none_nih; SECURITY_ATTRIBUTES NO_COPY sec_all; SECURITY_ATTRIBUTES NO_COPY sec_all_nih; -SID_IDENTIFIER_AUTHORITY NO_COPY sid_auth[] = { - {SECURITY_NULL_SID_AUTHORITY}, - {SECURITY_WORLD_SID_AUTHORITY}, - {SECURITY_LOCAL_SID_AUTHORITY}, - {SECURITY_CREATOR_SID_AUTHORITY}, - {SECURITY_NON_UNIQUE_AUTHORITY}, - {SECURITY_NT_AUTHORITY} -}; - SID (well_known_null_sid, "S-1-0-0", SECURITY_NULL_SID_AUTHORITY, 1, SECURITY_NULL_RID); SID (well_known_world_sid, "S-1-1-0", @@ -69,12 +60,23 @@ SID (well_known_service_sid, "S-1-5-6", SECURITY_NT_AUTHORITY, 1, SECURITY_SERVICE_RID); SID (well_known_authenticated_users_sid, "S-1-5-11", SECURITY_NT_AUTHORITY, 1, SECURITY_AUTHENTICATED_USER_RID); +SID (well_known_this_org_sid, "S-1-5-15", + SECURITY_NT_AUTHORITY, 1, 15); SID (well_known_system_sid, "S-1-5-18", SECURITY_NT_AUTHORITY, 1, SECURITY_LOCAL_SYSTEM_RID); SID (well_known_admins_sid, "S-1-5-32-544", SECURITY_NT_AUTHORITY, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS); +#define SECURITY_MANDATORY_INTEGRITY_AUTHORITY {0,0,0,0,0,16} + +SID (mandatory_medium_integrity_sid, "S-1-64-8192", + SECURITY_MANDATORY_INTEGRITY_AUTHORITY, 1, 8192); +SID (mandatory_high_integrity_sid, "S-1-64-12288", + SECURITY_MANDATORY_INTEGRITY_AUTHORITY, 1, 12288); +SID (mandatory_system_integrity_sid, "S-1-64-16384", + SECURITY_MANDATORY_INTEGRITY_AUTHORITY, 1, 16384); + bool cygpsid::operator== (const char *nsidstr) const { @@ -136,14 +138,16 @@ PSID cygsid::get_sid (DWORD s, DWORD cnt, DWORD *r) { DWORD i; + SID_IDENTIFIER_AUTHORITY sid_auth = {0,0,0,0,0,0}; - if (s > 5 || cnt < 1 || cnt > 8) + if (s > 255 || cnt < 1 || cnt > 8) { psid = NO_SID; return NULL; } + sid_auth.Value[5] = s; set (); - InitializeSid (psid, &sid_auth[s], cnt); + InitializeSid (psid, &sid_auth, cnt); for (i = 0; i < cnt; ++i) memcpy ((char *) psid + 8 + sizeof (DWORD) * i, &r[i], sizeof (DWORD)); return psid; diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc index f3a9f87a3..4ecede8a3 100644 --- a/winsup/cygwin/security.cc +++ b/winsup/cygwin/security.cc @@ -493,7 +493,9 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps, auth_pos = -1; if (my_grps) { - if (sid_in_token_groups (my_grps, well_known_local_sid)) + /* In Vista the Local SID is missing in a token constructed by + subauthentication. We add the group unconditionally now. */ + /*if (sid_in_token_groups (my_grps, well_known_local_sid))*/ grp_list += well_known_local_sid; if (sid_in_token_groups (my_grps, well_known_dialup_sid)) grp_list += well_known_dialup_sid; @@ -509,6 +511,8 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps, grp_list += well_known_interactive_sid; if (sid_in_token_groups (my_grps, well_known_service_sid)) grp_list += well_known_service_sid; + if (sid_in_token_groups (my_grps, well_known_this_org_sid)) + grp_list += well_known_this_org_sid; } else { @@ -542,8 +546,10 @@ get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw) return true; } - grp_list += well_known_world_sid; - grp_list += well_known_authenticated_users_sid; + if (!grp_list.contains (well_known_world_sid)) + grp_list += well_known_world_sid; + if (!grp_list.contains (well_known_authenticated_users_sid)) + grp_list += well_known_authenticated_users_sid; extract_nt_dom_user (pw, domain, user); if (get_logon_server (domain, server, wserver, false) && !get_user_groups (wserver, grp_list, user, domain) @@ -928,6 +934,15 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw, else if (!get_initgroups_sidlist (tmp_gsids, usersid, new_groups.pgsid, pw, my_tok_gsids, auth_luid, auth_pos)) goto out; + if (wincap.has_mandatory_integrity_control ()) + { + if (usersid == well_known_system_sid) + tmp_gsids += mandatory_system_integrity_sid; + else if (tmp_gsids.contains (well_known_admins_sid)) + tmp_gsids += mandatory_high_integrity_sid; + else + tmp_gsids += mandatory_medium_integrity_sid; + } /* Primary group. */ pgrp.PrimaryGroup = new_groups.pgsid; diff --git a/winsup/cygwin/security.h b/winsup/cygwin/security.h index f4e4f2be2..fd52b93cc 100644 --- a/winsup/cygwin/security.h +++ b/winsup/cygwin/security.h @@ -245,8 +245,12 @@ extern cygpsid well_known_batch_sid; extern cygpsid well_known_interactive_sid; extern cygpsid well_known_service_sid; extern cygpsid well_known_authenticated_users_sid; +extern cygpsid well_known_this_org_sid; extern cygpsid well_known_system_sid; extern cygpsid well_known_admins_sid; +extern cygpsid mandatory_medium_integrity_sid; +extern cygpsid mandatory_high_integrity_sid; +extern cygpsid mandatory_system_integrity_sid; /* Order must be same as cygpriv in sec_helper.cc. */ enum cygpriv_idx { diff --git a/winsup/cygwin/wincap.cc b/winsup/cygwin/wincap.cc index df6765b7b..8879f9e06 100644 --- a/winsup/cygwin/wincap.cc +++ b/winsup/cygwin/wincap.cc @@ -68,6 +68,7 @@ static NO_COPY wincaps wincap_unknown = { has_fileid_dirinfo:false, has_exclusiveaddruse:false, has_buggy_restart_scan:false, + has_mandatory_integrity_control:false, }; static NO_COPY wincaps wincap_95 = { @@ -127,6 +128,7 @@ static NO_COPY wincaps wincap_95 = { has_fileid_dirinfo:false, has_exclusiveaddruse:false, has_buggy_restart_scan:false, + has_mandatory_integrity_control:false, }; static NO_COPY wincaps wincap_95osr2 = { @@ -186,6 +188,7 @@ static NO_COPY wincaps wincap_95osr2 = { has_fileid_dirinfo:false, has_exclusiveaddruse:false, has_buggy_restart_scan:false, + has_mandatory_integrity_control:false, }; static NO_COPY wincaps wincap_98 = { @@ -245,6 +248,7 @@ static NO_COPY wincaps wincap_98 = { has_fileid_dirinfo:false, has_exclusiveaddruse:false, has_buggy_restart_scan:false, + has_mandatory_integrity_control:false, }; static NO_COPY wincaps wincap_98se = { @@ -304,6 +308,7 @@ static NO_COPY wincaps wincap_98se = { has_fileid_dirinfo:false, has_exclusiveaddruse:false, has_buggy_restart_scan:false, + has_mandatory_integrity_control:false, }; static NO_COPY wincaps wincap_me = { @@ -363,6 +368,7 @@ static NO_COPY wincaps wincap_me = { has_fileid_dirinfo:false, has_exclusiveaddruse:false, has_buggy_restart_scan:false, + has_mandatory_integrity_control:false, }; static NO_COPY wincaps wincap_nt3 = { @@ -422,6 +428,7 @@ static NO_COPY wincaps wincap_nt3 = { has_fileid_dirinfo:false, has_exclusiveaddruse:false, has_buggy_restart_scan:false, + has_mandatory_integrity_control:false, }; static NO_COPY wincaps wincap_nt4 = { @@ -481,6 +488,7 @@ static NO_COPY wincaps wincap_nt4 = { has_fileid_dirinfo:false, has_exclusiveaddruse:false, has_buggy_restart_scan:false, + has_mandatory_integrity_control:false, }; static NO_COPY wincaps wincap_nt4sp4 = { @@ -540,6 +548,7 @@ static NO_COPY wincaps wincap_nt4sp4 = { has_fileid_dirinfo:false, has_exclusiveaddruse:true, has_buggy_restart_scan:false, + has_mandatory_integrity_control:false, }; static NO_COPY wincaps wincap_2000 = { @@ -599,6 +608,7 @@ static NO_COPY wincaps wincap_2000 = { has_fileid_dirinfo:true, has_exclusiveaddruse:true, has_buggy_restart_scan:true, + has_mandatory_integrity_control:false, }; static NO_COPY wincaps wincap_xp = { @@ -658,6 +668,7 @@ static NO_COPY wincaps wincap_xp = { has_fileid_dirinfo:true, has_exclusiveaddruse:true, has_buggy_restart_scan:false, + has_mandatory_integrity_control:false, }; static NO_COPY wincaps wincap_2003 = { @@ -717,6 +728,7 @@ static NO_COPY wincaps wincap_2003 = { has_fileid_dirinfo:true, has_exclusiveaddruse:true, has_buggy_restart_scan:false, + has_mandatory_integrity_control:false, }; static NO_COPY wincaps wincap_vista = { @@ -776,6 +788,7 @@ static NO_COPY wincaps wincap_vista = { has_fileid_dirinfo:true, has_exclusiveaddruse:true, has_buggy_restart_scan:false, + has_mandatory_integrity_control:true, }; wincapc wincap __attribute__((section (".cygwin_dll_common"), shared)); diff --git a/winsup/cygwin/wincap.h b/winsup/cygwin/wincap.h index bbd58a60b..63f87422b 100644 --- a/winsup/cygwin/wincap.h +++ b/winsup/cygwin/wincap.h @@ -69,6 +69,7 @@ struct wincaps unsigned has_fileid_dirinfo : 1; unsigned has_exclusiveaddruse : 1; unsigned has_buggy_restart_scan : 1; + unsigned has_mandatory_integrity_control : 1; }; class wincapc @@ -144,6 +145,7 @@ public: bool IMPLEMENT (has_fileid_dirinfo) bool IMPLEMENT (has_exclusiveaddruse) bool IMPLEMENT (has_buggy_restart_scan) + bool IMPLEMENT (has_mandatory_integrity_control) #undef IMPLEMENT };