Date: Sat, 19 Jan 2002 16:52:18 -0500
To: Corinna Vinschen, cygwin
From: "Pierre A. Humblet"
Subject: Re: security.cc: bug report, question and suggestion
Message-Id: <3.0.5.32.20020119165218.007e3720@pop.ne.mediaone.net>
In-Reply-To: <20020119170621.R11608@cygbert.vinschen.de>

At 05:06 PM 1/19/02 +0100, Corinna Vinschen wrote:
>On Fri, Jan 18, 2002 at 07:46:03PM -0500, Pierre A. Humblet wrote:
>
>> 3) Why is it necessary to set the PrimaryGroup in the
>> process token in setegid()?
>
>No, the primary group is used also to create object DACLs.
>When setting the PrimaryGroup, even native Windows child
>processes create file with that group as creator group
>instead of the default group (e.g. always "None", 513 on
>standalone machines).

yes, but in Cygwin the setgid() is not really effective until the
next setuid(). By that time there will be a new token anyway.
What bothers me is that the call may fail silently (e.g. if setgid()
is called while impersonation is in effect, access to the process
token would probably be disallowed).
Even if the call succeeds, won't Windows use the thread (impersonation)
token rather than the process token when creating DACLs?
Wouldn't it be safer to always rely on myself->gid to set ACLs and
only use the PrimaryToken to verify if an existing token can be reused?

>> 4) If in "cygrunsrv -u user ..." the Cygwin and Windows
>> user names differ, then the process will have the wrong
>> uid.
>>
>> Entry in passwd (note Cygwin name != Windows name)
>> exim:unused_by_nt/2000/xp:1002:1005:daemon,U-PHumblet\Mail,S-1-5-21-21273915
>> 03-1594901184-99485923-1002:/h
>> ome/Mail:/bin/bash
>>
>> /> cygrunsrv -I test -u mail -e CYGWIN=ntsec -p /a.exe
>> Enter password of user `.\mail':
>> Reenter, please:
>> /> cygrunsrv -S test
>> /> head /var/log/test.log
>> CYGWIN = ntsec USERNAME = UNDEF UID = 500 GID = 513 PID = 619
>> <==INCORRECT UID/GID
>
>Operator error. -u expects the Cygwin user name, not the Windows

Hmm, I can't check until Monday but I distinctly remember that
cygrunsrv is smart. If I call cygrunsrv -u exim (in example above)
it will prompt for .\mail's password. Both usages result in the
wrong uid (will check).
Something else: if the path given to cygrunsrv is a shell and the
shell calls a program, the program has the correct uid.

>Thanks for tracking all this down. I will change the token's
>ACL to have TOKEN_ALL_ACCESS for the user (perhaps tomorrow) and
>then I'd like to ask you to test your stuff again.

Any time, security is a great addition to Cygwin.

>Oh, btw., you're perhaps interested to contribute to Cygwin code?

Anything specific in mind? I don't have time to start big projects
but I am happy to help, the more so when bugs affect me :)

Pierre