Mail Archives: cygwin/2002/01/25/11:45:03

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <3C518B53.711B9391@ieee.org>
Date: Fri, 25 Jan 2002 11:44:03 -0500
From: "Pierre A. Humblet" <Pierre DOT Humblet AT ieee DOT org>
X-Mailer: Mozilla 4.73 [en] (WinNT; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Corinna Vinschen <cygwin AT cygwin DOT com>
Subject: Re: security.cc: bug report, question and suggestion
References: <3C4EFF65 DOT FF7BA4DE AT ieee DOT org> <20020123194126 DOT H11608 AT cygbert DOT vinschen DOT de> <3C506701 DOT A334DC8A AT ieee DOT org> <20020124215729 DOT J11608 AT cygbert DOT vinschen DOT de> <3C5079FB DOT BD4E6FD2 AT ieee DOT org> <20020125115542 DOT Q11608 AT cygbert DOT vinschen DOT de> <3C51723E DOT 4010F766 AT ieee DOT org> <20020125165851 DOT W11608 AT cygbert DOT vinschen DOT de>

Corinna Vinschen wrote:

> That sounds weird, though.  It doesn't make sense.  The DACL
> for the token only sets the permissions for accessing the token
> and not for accessing other objects.
> 
> Hmm.
> 
> OTOH..., if the process can't access the token it doesn't know about
> its own permissions.  But why should only accessing a registry key
> be affected and not accessing files?!?

I agree it doesn't make sense and it's all Microsoft's doing...

By the way, do you know why LookupAccountSid() returns different
values when the sid is impersonated and when it isn't? Like:

In impersonated token created in a process launched by Phumblet
/******************* Token User */
PHumblet WIRELESS SidTypeUser                   <==== ?????
S-1-5-21-2127391503-1594901184-99485923-1004    <==== impersonated sid

the (account) name PHumblet doesn't match the sid's username here.
It would if the process was launched directly by the user
(instead of being impersonated). 
> 
> The latter call is the one I added to the DuplicateTokenEx() call
> to create this sort of SA with five SIDs, the current user, the
> impersonated user (additional SID parameter), admins, system and
> creator_owner.

What you do is essentially the same as what I tried, except you
put the sa, sd and dacl in a contiguous memory buffer. My code
(which also didn't have any effect) was using pointers from sa to sd
and from sd to the dacl (thus spread in 3 different memory blocks).

> And you say that this doesn't help at all?  Hmm, I will have to
> debug that further.  SIGH!

Instead of debugging DuplicateTokenEx() it may be simpler (but
less efficient) to set the sd DACL in seteuid(), after the
call to ImpersonateLoggedOnUser(). That's essentially what
my call is doing when NULLing the DACL (see previous mail).
It would also take care of the subauthentication case.
I haven't looked at that at all.

> 
> Could you send your minimal testcase, please?

Yes, but perhaps not before Monday.

Pierre
