Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Sat, 19 Jan 2002 17:06:21 +0100
From: Corinna Vinschen <cygwin AT cygwin DOT com>
To: cygwin <cygwin AT cygwin DOT com>
Cc: "Pierre A. Humblet" <Pierre DOT Humblet AT ieee DOT org>
Subject: Re: security.cc: bug report, question and suggestion
Message-ID: <20020119170621.R11608@cygbert.vinschen.de>
Mail-Followup-To: cygwin <cygwin AT cygwin DOT com>,
	"Pierre A. Humblet" <Pierre DOT Humblet AT ieee DOT org>
References: <3 DOT 0 DOT 5 DOT 32 DOT 20011230112615 DOT 00813e60 AT pop DOT ne DOT mediaone DOT net> <3 DOT 0 DOT 5 DOT 32 DOT 20011229152301 DOT 0083a1f0 AT pop DOT ne DOT mediaone DOT net> <3 DOT 0 DOT 5 DOT 32 DOT 20011229152301 DOT 0083a1f0 AT pop DOT ne DOT mediaone DOT net> <3 DOT 0 DOT 5 DOT 32 DOT 20011230112615 DOT 00813e60 AT pop DOT ne DOT mediaone DOT net> <3 DOT 0 DOT 5 DOT 32 DOT 20020118194603 DOT 007db100 AT pop DOT ne DOT mediaone DOT net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3.0.5.32.20020118194603.007db100@pop.ne.mediaone.net>
User-Agent: Mutt/1.3.22.1i

On Fri, Jan 18, 2002 at 07:46:03PM -0500, Pierre A. Humblet wrote:
> The real problem is that following setuid(), the ACL (not default 
> ACL) of the impersonation token (which is inherited from the
> default ACL of the process token) makes the impersonation
> token non-accessible by its user
> (normally the user has full access to its token,
> and it seems that setuid() should preserve that).

Hmm, noticed.  That shouldn't be too hard to add.

> 1) If setuid(gid) with a gid that doesn't exist, the
> system silently sets the gid to "administrators". That
> is not fail safe! 
> The problem is that getgrgid() never fails. It should
> have a flag to tell it whether it should default or not. 
> [The default is fine when specifying a SET_ACCESS ACE]

Yes, that's true.  That's the typical fallback for unmaintained
passwd and group files.  We should probably add a function for
internal access which never returns the fallback.

> 2) my_token isn't closed in create_token()

Thanks for the hint!  I applied a patch.

> 3) Why is it necessary to set the PrimaryGroup in the
> process token in setegid()? (That can fail silently).
> Is that field ever read? I thought that PrimaryGroup 
> only needs to be set in impersonation tokens, so that 
> seteuid() can decide if an existing token can be
> reused.

No, the primary group is used also to create object DACLs.
When setting the PrimaryGroup, even native Windows child
processes create file with that group as creator group
instead of the default group (e.g. always "None", 513 on
standalone machines).

> 4) If in "cygrunsrv -u user ..."  the Cygwin and Windows 
> user names differ, then the process will have the wrong
> uid.
> 
> Entry in passwd (note Cygwin name != Windows name)
> exim:unused_by_nt/2000/xp:1002:1005:daemon,U-PHumblet\Mail,S-1-5-21-21273915
> 03-1594901184-99485923-1002:/h
> ome/Mail:/bin/bash
> 
> /> cygrunsrv -I test -u mail -e CYGWIN=ntsec -p /a.exe
> Enter password of user `.\mail': 
> Reenter, please: 
> /> cygrunsrv -S test
> /> head /var/log/test.log
> CYGWIN = ntsec USERNAME = UNDEF UID = 500 GID = 513 PID = 619
> <==INCORRECT UID/GID

Operator error.  -u expects the Cygwin user name, not the Windows
user name (it's a Cygwin application...).  The wrong UID is caused
by your aforementioned observation that the getpwuid/getgrgid 
functions always return a default value :-(

Hum, perhaps I should also change the passwd/group access functions
never to fallback if `ntsec' is on...

Thanks for tracking all this down.  I will change the token's
ACL to have TOKEN_ALL_ACCESS for the user (perhaps tomorrow) and
then I'd like to ask you to test your stuff again.

Oh, btw., you're perhaps interested to contribute to Cygwin code?
You're one of the few people actually getting wet feet in my ntsec
code. :-)  I would appreciate if somebody would put hands on that
stuff, too.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/