Mail Archives: cygwin/2002/02/10/14:34:48

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-Id: <3.0.5.32.20020210143455.007f2100@pop.ne.mediaone.net>
X-Sender: phumblet AT pop DOT ne DOT mediaone DOT net (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Sun, 10 Feb 2002 14:34:55 -0500
To: Corinna Vinschen <cygwin AT cygwin DOT com>
From: "Pierre A. Humblet" <Pierre DOT Humblet AT ieee DOT org>
Subject: More security issues
Mime-Version: 1.0

Hi Corinna,

I have some free time and easy access to an NT
so I came back to security issues.

As you recall, in setegid(), setting the PrimaryGroup
in the process token isn't reliable and was #if'ed out.
Consequently non-cygwin subprocesses may create objects
with the wrong primary group.

I tried to fix that by setting the primary group based on getegid()
in the security descriptor created in sec_user(). To my surprise
that didn't have any effect. In fact sec_user() doesn't seem to
have much effect at all! It creates an ACL with 4 or 5 ACEs, but
my token printing program only shows two ACEs in the process
tokens: admins and system. I wonder what the sa in CreateProcess
really does... The only thing that has an effect is the Inherit flag.

In the course of debugging I also noticed that the sid2 passed
to sec_user() from just before CreateProcessAsUser() is useless.
It is actually equal to the sid that sec_user() gets from
cygheap->user.sid() [cygheap->user is set in seteuid()].

All of this effort was motivated by weird access issues to the 
impersonation token. I can fix that by opening the thread token
security descriptor after ImpersonateLoggedOnUser() in seteuid()
and changing the ACL (using the ACL from sec_user(), that works!).
Unfortunately the work must be redone each time the sequence 
RevertToSelf(), ..., ImpersonateLoggedOnUser() occurs. 
It would be much better if we could get the sd to have an effect
in DuplicateTokenEx() [in create_token(), security.cc].
That may be related to what I observed above.
Any ideas?

Back to setegid(), another safe way would be to
RevertToSelf(), ..., Impersonate..() if currently impersonated.
That's because there is also a RevertToSelf() before CreateProcessAsUser().
Why is there one, by the way? Microsoft seems to suggest working in the
security context of the new user. It says it's useful if the executable
is only executable by the new user.
  
Pierre
P.S.: please cc me directly.


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
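As an added illustration (not Pierre's token printing program and not Cygwin code), the PowerShell below reads the primary group and the DACL of the current process token through GetTokenInformation and GetKernelObjectSecurity, which is the check that tells you whether a security descriptor handed to CreateProcess or DuplicateTokenEx actually reached the token. It assumes Windows PowerShell 5.1 or later with P/Invoke via Add-Type; the two constants are the winnt.h values.

```powershell
# Constructed example: dumps primary group and DACL of the current process token.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass,
        IntPtr info, int infoLen, out int returnLen);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetKernelObjectSecurity(IntPtr handle, int secInfo,
        byte[] sd, int sdLen, out int lenNeeded);
}
"@
$TokenPrimaryGroup = 5         # TOKEN_INFORMATION_CLASS::TokenPrimaryGroup (winnt.h)
$DaclSecurityInformation = 4   # DACL_SECURITY_INFORMATION (winnt.h)
$M = [Runtime.InteropServices.Marshal]
function Resolve-Sid([Security.Principal.SecurityIdentifier]$Sid) {
    # Logon SIDs have no account name; fall back to the string form of the SID.
    try { $Sid.Translate([Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}
function Get-TokenPrimaryGroup([IntPtr]$Token) {
    $len = 0
    [void][TokenNative]::GetTokenInformation($Token, $TokenPrimaryGroup, [IntPtr]::Zero, 0, [ref]$len)
    $buf = $M::AllocHGlobal($len)
    try {
        if (-not [TokenNative]::GetTokenInformation($Token, $TokenPrimaryGroup, $buf, $len, [ref]$len)) {
            throw "GetTokenInformation failed, Win32 error $($M::GetLastWin32Error())"
        }
        # TOKEN_PRIMARY_GROUP has a single member, PSID PrimaryGroup, at offset 0.
        New-Object Security.Principal.SecurityIdentifier($M::ReadIntPtr($buf))
    } finally { $M::FreeHGlobal($buf) }
}
function Get-TokenDacl([IntPtr]$Token) {
    $need = 0
    [void][TokenNative]::GetKernelObjectSecurity($Token, $DaclSecurityInformation, $null, 0, [ref]$need)
    $sd = New-Object byte[] $need
    if (-not [TokenNative]::GetKernelObjectSecurity($Token, $DaclSecurityInformation, $sd, $sd.Length, [ref]$need)) {
        throw "GetKernelObjectSecurity failed, Win32 error $($M::GetLastWin32Error())"
    }
    # The buffer is a self-relative SD; RawSecurityDescriptor parses out the DACL's ACEs.
    (New-Object Security.AccessControl.RawSecurityDescriptor($sd, 0)).DiscretionaryAcl
}
# WindowsIdentity.GetCurrent() opens the token with MAXIMUM_ALLOWED, which covers READ_CONTROL.
$token = [Security.Principal.WindowsIdentity]::GetCurrent().Token
"Primary group: $(Resolve-Sid (Get-TokenPrimaryGroup $token))"
"Token DACL:"
foreach ($ace in (Get-TokenDacl $token)) {
    "  {0,-14} {1,-40} 0x{2:X8}" -f $ace.AceType, (Resolve-Sid $ace.SecurityIdentifier), $ace.AccessMask
}
```

Run it once from the parent and once from a child started with a custom SECURITY_ATTRIBUTES to see which ACEs and which primary group the child's token really carries.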
