From c3a0492e168ea29b9a2c9d9469af4f151141c571 Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Thu, 9 Nov 2006 15:24:34 +0000 Subject: [PATCH] * autoload.cc (EqualPrefixSid): Define. * security.cc (create_token): Drop grps_buf. Use alloca instead. Only add the MIC SID to the TOKEN_GROUPS list for the NtCreateToken call. If the subauthentication token exists, use its MIC SID. Set SID Attributes for the MIC SID to 0. --- winsup/cygwin/ChangeLog | 8 ++++++ winsup/cygwin/autoload.cc | 1 + winsup/cygwin/security.cc | 52 +++++++++++++++++++++++++++++---------- 3 files changed, 48 insertions(+), 13 deletions(-) diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog index ef85b78b8..1f37bb7a9 100644 --- a/winsup/cygwin/ChangeLog +++ b/winsup/cygwin/ChangeLog @@ -1,3 +1,11 @@ +2006-11-09 Corinna Vinschen + + * autoload.cc (EqualPrefixSid): Define. + * security.cc (create_token): Drop grps_buf. Use alloca instead. + Only add the MIC SID to the TOKEN_GROUPS list for the NtCreateToken + call. If the subauthentication token exists, use its MIC SID. + Set SID Attributes for the MIC SID to 0. + 2006-11-08 Corinna Vinschen * sec_helper.cc (sid_auth): Remove. diff --git a/winsup/cygwin/autoload.cc b/winsup/cygwin/autoload.cc index 738d832e2..1e7fb783a 100644 --- a/winsup/cygwin/autoload.cc +++ b/winsup/cygwin/autoload.cc @@ -312,6 +312,7 @@ LoadDLLfuncEx (CryptReleaseContext, 8, advapi32, 1) LoadDLLfunc (DeregisterEventSource, 4, advapi32) LoadDLLfunc (DuplicateToken, 12, advapi32) LoadDLLfuncEx (DuplicateTokenEx, 24, advapi32, 1) +LoadDLLfunc (EqualPrefixSid, 8, advapi32) LoadDLLfunc (EqualSid, 8, advapi32) LoadDLLfunc (FindFirstFreeAce, 8, advapi32) LoadDLLfunc (GetAce, 12, advapi32) diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc index 4ecede8a3..96d903f79 100644 --- a/winsup/cygwin/security.cc +++ b/winsup/cygwin/security.cc @@ -934,32 +934,58 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw, else if (!get_initgroups_sidlist (tmp_gsids, usersid, new_groups.pgsid, pw, my_tok_gsids, auth_luid, auth_pos)) goto out; - if (wincap.has_mandatory_integrity_control ()) - { - if (usersid == well_known_system_sid) - tmp_gsids += mandatory_system_integrity_sid; - else if (tmp_gsids.contains (well_known_admins_sid)) - tmp_gsids += mandatory_high_integrity_sid; - else - tmp_gsids += mandatory_medium_integrity_sid; - } /* Primary group. */ pgrp.PrimaryGroup = new_groups.pgsid; /* Create a TOKEN_GROUPS list from the above retrieved list of sids. */ - char grps_buf[sizeof (ULONG) + tmp_gsids.count * sizeof (SID_AND_ATTRIBUTES)]; - new_tok_gsids = (PTOKEN_GROUPS) grps_buf; + new_tok_gsids = (PTOKEN_GROUPS) + alloca (sizeof (ULONG) + (tmp_gsids.count + 1 ) + * sizeof (SID_AND_ATTRIBUTES)); new_tok_gsids->GroupCount = tmp_gsids.count; for (DWORD i = 0; i < new_tok_gsids->GroupCount; ++i) { new_tok_gsids->Groups[i].Sid = tmp_gsids.sids[i]; - new_tok_gsids->Groups[i].Attributes = SE_GROUP_MANDATORY | - SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; + new_tok_gsids->Groups[i].Attributes = SE_GROUP_MANDATORY + | SE_GROUP_ENABLED_BY_DEFAULT + | SE_GROUP_ENABLED; } if (auth_pos >= 0) new_tok_gsids->Groups[auth_pos].Attributes |= SE_GROUP_LOGON_ID; + /* On systems supporting Mandatory Integrity Control, add a MIC SID. */ + if (wincap.has_mandatory_integrity_control ()) + { + bool add_mic_sid = true; + new_tok_gsids->Groups[new_tok_gsids->GroupCount].Attributes = 0; + + /* The subauth token usually contains a MIC SID. Copy it into our + group SID list. */ + if (my_tok_gsids) + for (DWORD i = 0; i < my_tok_gsids->GroupCount; ++i) + if (EqualPrefixSid (mandatory_medium_integrity_sid, + my_tok_gsids->Groups[i].Sid)) + { + new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid + = my_tok_gsids->Groups[i].Sid; + add_mic_sid = false; + break; + } + /* If no MIC SID was available add a matching one for the account type. */ + if (add_mic_sid) + { + if (usersid == well_known_system_sid) + new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid + = mandatory_system_integrity_sid; + else if (tmp_gsids.contains (well_known_admins_sid)) + new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid + = mandatory_high_integrity_sid; + else + new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid + = mandatory_medium_integrity_sid; + } + } + /* Retrieve list of privileges of that user. */ if (!privs && !(privs = get_priv_list (lsa, usersid, tmp_gsids))) goto out;