drew
/
acadia-newlib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

2003-09-15 Pierre Humblet <pierre.humblet@ieee.org> 

* security.h (__sec_user): Add "access2" argument.
	(sec_acl): Add "original" and "access2" arguments.
	(sec_user): Add "sid2" and "access2" argument. Remove dependence on
	allow_ntsec.
	(sec_user_nih): Ditto.
	* sec_helper.cc (__sec_user): Add "has_security" test.
	Call sec_acl with new arguments, letting it handle original_sid.
	(sec_acl): Add "original" and "access2" arguments. Handle original_sid
	depending on flag but avoiding duplicates. Use "access2" for sid2.
	* pinfo.cc (pinfo::init): Use security attributes created by sec_user
	when creating the mapping.
	* security.cc (create_token): Adjust arguments in call to sec_acl.
	Call sec_user instead of __sec_user.
	* syscall.cc (seteuid32):  Adjust arguments in call to sec_acl. Remove
	now unnecessary test. Remove useless conversions to psid.
	* dcrt0.cc (dll_crt0_1): Call cygsid::init before pinfo_init.
This commit is contained in:
Pierre Humblet 2003-09-16 00:45:50 +00:00
parent a9993197f2
commit c61ada9bd3
7 changed files with 52 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
winsup/cygwin/ChangeLog
View File

@ -1,3 +1,22 @@
2003-09-15 Pierre Humblet <pierre.humblet@ieee.org>
* security.h (__sec_user): Add "access2" argument.
(sec_acl): Add "original" and "access2" arguments.
(sec_user): Add "sid2" and "access2" argument. Remove dependence on
allow_ntsec.
(sec_user_nih): Ditto.
* sec_helper.cc (__sec_user): Add "has_security" test.
Call sec_acl with new arguments, letting it handle original_sid.
(sec_acl): Add "original" and "access2" arguments. Handle original_sid
depending on flag but avoiding duplicates. Use "access2" for sid2.
* pinfo.cc (pinfo::init): Use security attributes created by sec_user
when creating the mapping.
* security.cc (create_token): Adjust arguments in call to sec_acl.
Call sec_user instead of __sec_user.
* syscall.cc (seteuid32): Adjust arguments in call to sec_acl. Remove
now unnecessary test. Remove useless conversions to psid.
* dcrt0.cc (dll_crt0_1): Call cygsid::init before pinfo_init.
2003-09-13 Christopher Faylor <cgf@redhat.com> 2003-09-13 Christopher Faylor <cgf@redhat.com>
* Makefile.in: Make malloc_wrapper -fomit-frame-pointer. * Makefile.in: Make malloc_wrapper -fomit-frame-pointer.

6
winsup/cygwin/dcrt0.cc
View File

@ -678,6 +678,9 @@ dll_crt0_1 ()
} }
#endif #endif
/* Init global well known SID objects */
cygsid::init ();
/* Initialize our process table entry. */ /* Initialize our process table entry. */
pinfo_init (envp, envc); pinfo_init (envp, envc);
@ -687,9 +690,6 @@ dll_crt0_1 ()
/* Allocate cygheap->fdtab */ /* Allocate cygheap->fdtab */
dtable_init (); dtable_init ();
/* Init global well known SID objects */
cygsid::init ();
/* Initialize user info. */ /* Initialize user info. */
uinfo_init (); uinfo_init ();

6
winsup/cygwin/pinfo.cc
View File

@ -164,7 +164,11 @@ pinfo::init (pid_t n, DWORD flag, HANDLE in_h)
} }
else else
{ {
h = CreateFileMapping (INVALID_HANDLE_VALUE, &sec_all_nih, char sa_buf[1024];
PSECURITY_ATTRIBUTES sec_attribs =
sec_user_nih (sa_buf, cygheap->user.sid(), well_known_world_sid,
FILE_MAP_READ | FILE_MAP_WRITE); /* FIXME */
h = CreateFileMapping (INVALID_HANDLE_VALUE, sec_attribs,
PAGE_READWRITE, 0, mapsize, mapname); PAGE_READWRITE, 0, mapsize, mapname);
created = h && GetLastError () != ERROR_ALREADY_EXISTS; created = h && GetLastError () != ERROR_ALREADY_EXISTS;
} }

28
winsup/cygwin/sec_helper.cc
View File

@ -372,23 +372,29 @@ get_null_sd ()
} }
BOOL BOOL
sec_acl (PACL acl, BOOL admins, PSID sid1, PSID sid2) sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD access2)
{ {
size_t acl_len = MAX_DACL_LEN(5); size_t acl_len = MAX_DACL_LEN(5);
cygpsid psid;
if (!InitializeAcl (acl, acl_len, ACL_REVISION)) if (!InitializeAcl (acl, acl_len, ACL_REVISION))
{ {
debug_printf ("InitializeAcl %E"); debug_printf ("InitializeAcl %E");
return FALSE; return FALSE;
} }
if (sid2)
if (!AddAccessAllowedAce (acl, ACL_REVISION,
GENERIC_ALL, sid2))
debug_printf ("AddAccessAllowedAce(sid2) %E");
if (sid1) if (sid1)
if (!AddAccessAllowedAce (acl, ACL_REVISION, if (!AddAccessAllowedAce (acl, ACL_REVISION,
GENERIC_ALL, sid1)) GENERIC_ALL, sid1))
debug_printf ("AddAccessAllowedAce(sid1) %E"); debug_printf ("AddAccessAllowedAce(sid1) %E");
if (original && (psid = cygheap->user.orig_sid ())
&& psid != sid1 && psid != well_known_system_sid)
if (!AddAccessAllowedAce (acl, ACL_REVISION,
GENERIC_ALL, psid))
debug_printf ("AddAccessAllowedAce(original) %E");
if (sid2)
if (!AddAccessAllowedAce (acl, ACL_REVISION,
access2, sid2))
debug_printf ("AddAccessAllowedAce(sid2) %E");
if (admins) if (admins)
if (!AddAccessAllowedAce (acl, ACL_REVISION, if (!AddAccessAllowedAce (acl, ACL_REVISION,
GENERIC_ALL, well_known_admins_sid)) GENERIC_ALL, well_known_admins_sid))
@ -396,26 +402,18 @@ sec_acl (PACL acl, BOOL admins, PSID sid1, PSID sid2)
if (!AddAccessAllowedAce (acl, ACL_REVISION, if (!AddAccessAllowedAce (acl, ACL_REVISION,
GENERIC_ALL, well_known_system_sid)) GENERIC_ALL, well_known_system_sid))
debug_printf ("AddAccessAllowedAce(system) %E"); debug_printf ("AddAccessAllowedAce(system) %E");
#if 0 /* Does not seem to help */
if (!AddAccessAllowedAce (acl, ACL_REVISION,
GENERIC_ALL, well_known_creator_owner_sid))
debug_printf ("AddAccessAllowedAce(creator_owner) %E");
#endif
return TRUE; return TRUE;
} }
PSECURITY_ATTRIBUTES __stdcall PSECURITY_ATTRIBUTES __stdcall
__sec_user (PVOID sa_buf, PSID sid2, BOOL inherit) __sec_user (PVOID sa_buf, PSID sid1, PSID sid2, DWORD access2, BOOL inherit)
{ {
PSECURITY_ATTRIBUTES psa = (PSECURITY_ATTRIBUTES) sa_buf; PSECURITY_ATTRIBUTES psa = (PSECURITY_ATTRIBUTES) sa_buf;
PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR) PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR)
((char *) sa_buf + sizeof (*psa)); ((char *) sa_buf + sizeof (*psa));
PACL acl = (PACL) ((char *) sa_buf + sizeof (*psa) + sizeof (*psd)); PACL acl = (PACL) ((char *) sa_buf + sizeof (*psa) + sizeof (*psd));
cygsid sid; if (!wincap.has_security () || !sec_acl (acl, true, true, sid1, sid2, access2))
if (!(sid = cygheap->user.orig_sid ()) ||
(!sec_acl (acl, TRUE, sid, sid2)))
return inherit ? &sec_none : &sec_none_nih; return inherit ? &sec_none : &sec_none_nih;
if (!InitializeSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION)) if (!InitializeSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION))

4
winsup/cygwin/security.cc
View File

@ -906,7 +906,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
goto out; goto out;
/* Create default dacl. */ /* Create default dacl. */
if (!sec_acl ((PACL) acl_buf, FALSE, if (!sec_acl ((PACL) acl_buf, false, false,
tmp_gsids.contains (well_known_admins_sid) ? tmp_gsids.contains (well_known_admins_sid) ?
well_known_admins_sid : usersid)) well_known_admins_sid : usersid))
goto out; goto out;
@ -926,7 +926,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
else else
{ {
/* Set security descriptor and primary group */ /* Set security descriptor and primary group */
psa = __sec_user (sa_buf, usersid, TRUE); psa = sec_user (sa_buf, usersid);
if (psa->lpSecurityDescriptor && if (psa->lpSecurityDescriptor &&
!SetSecurityDescriptorGroup ((PSECURITY_DESCRIPTOR) !SetSecurityDescriptorGroup ((PSECURITY_DESCRIPTOR)
psa->lpSecurityDescriptor, psa->lpSecurityDescriptor,

14
winsup/cygwin/security.h
View File

@ -256,9 +256,11 @@ SECURITY_DESCRIPTOR *__stdcall get_null_sd (void);
/* Various types of security attributes for use in Create* functions. */ /* Various types of security attributes for use in Create* functions. */
extern SECURITY_ATTRIBUTES sec_none, sec_none_nih, sec_all, sec_all_nih; extern SECURITY_ATTRIBUTES sec_none, sec_none_nih, sec_all, sec_all_nih;
extern SECURITY_ATTRIBUTES *__stdcall __sec_user (PVOID sa_buf, PSID sid2, BOOL inherit) extern SECURITY_ATTRIBUTES *__stdcall __sec_user (PVOID sa_buf, PSID sid1, PSID sid2,
DWORD access2, BOOL inherit)
__attribute__ ((regparm (3))); __attribute__ ((regparm (3)));
extern BOOL sec_acl (PACL acl, BOOL admins, PSID sid1 = NO_SID, PSID sid2 = NO_SID); extern BOOL sec_acl (PACL acl, bool original, bool admins, PSID sid1 = NO_SID,
PSID sid2 = NO_SID, DWORD access2 = 0);
int __stdcall NTReadEA (const char *file, const char *attrname, char *buf, int len); int __stdcall NTReadEA (const char *file, const char *attrname, char *buf, int len);
BOOL __stdcall NTWriteEA (const char *file, const char *attrname, const char *buf, int len); BOOL __stdcall NTWriteEA (const char *file, const char *attrname, const char *buf, int len);
@ -266,14 +268,14 @@ PSECURITY_DESCRIPTOR alloc_sd (__uid32_t uid, __gid32_t gid, int attribute,
PSECURITY_DESCRIPTOR sd_ret, DWORD *sd_size_ret); PSECURITY_DESCRIPTOR sd_ret, DWORD *sd_size_ret);
extern inline SECURITY_ATTRIBUTES * extern inline SECURITY_ATTRIBUTES *
sec_user_nih (char sa_buf[], PSID sid = NULL) sec_user_nih (char sa_buf[], PSID sid1 = NULL, PSID sid2 = NULL, DWORD access2 = 0)
{ {
return allow_ntsec ? __sec_user (sa_buf, sid, FALSE) : &sec_none_nih; return __sec_user (sa_buf, sid1, sid2, access2, FALSE);
} }
extern inline SECURITY_ATTRIBUTES * extern inline SECURITY_ATTRIBUTES *
sec_user (char sa_buf[], PSID sid = NULL) sec_user (char sa_buf[], PSID sid1 = NULL, PSID sid2 = NULL, DWORD access2 = 0)
{ {
return allow_ntsec ? __sec_user (sa_buf, sid, TRUE) : &sec_none; return __sec_user (sa_buf, sid1, sid2, access2, TRUE);
} }
#endif /*_SECURITY_H*/ #endif /*_SECURITY_H*/

7
winsup/cygwin/syscalls.cc
View File

@ -2076,7 +2076,6 @@ seteuid32 (__uid32_t uid)
user_groups &groups = cygheap->user.groups; user_groups &groups = cygheap->user.groups;
HANDLE ptok, new_token = INVALID_HANDLE_VALUE; HANDLE ptok, new_token = INVALID_HANDLE_VALUE;
struct passwd * pw_new; struct passwd * pw_new;
cygpsid origpsid, psid2 (NO_SID);
BOOL token_is_internal, issamesid; BOOL token_is_internal, issamesid;
pw_new = internal_getpwuid (uid); pw_new = internal_getpwuid (uid);
@ -2121,9 +2120,7 @@ seteuid32 (__uid32_t uid)
if (cygheap->user.current_token != new_token) if (cygheap->user.current_token != new_token)
{ {
char dacl_buf[MAX_DACL_LEN (5)]; char dacl_buf[MAX_DACL_LEN (5)];
if (usersid != (origpsid = cygheap->user.orig_sid ())) if (sec_acl ((PACL) dacl_buf, true, false, usersid))
psid2 = usersid;
if (sec_acl ((PACL) dacl_buf, FALSE, origpsid, psid2))
{ {
TOKEN_DEFAULT_DACL tdacl; TOKEN_DEFAULT_DACL tdacl;
tdacl.DefaultDacl = (PACL) dacl_buf; tdacl.DefaultDacl = (PACL) dacl_buf;
@ -2171,7 +2168,7 @@ seteuid32 (__uid32_t uid)
} }
CloseHandle (ptok); CloseHandle (ptok);
issamesid = (usersid == (psid2 = cygheap->user.sid ())); issamesid = (usersid == cygheap->user.sid ());
cygheap->user.set_sid (usersid); cygheap->user.set_sid (usersid);
cygheap->user.current_token = new_token == ptok ? INVALID_HANDLE_VALUE cygheap->user.current_token = new_token == ptok ? INVALID_HANDLE_VALUE
: new_token; : new_token;