Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-Id: <3.0.5.32.20020119190251.007ded90@pop.ne.mediaone.net>
X-Sender: phumblet AT pop DOT ne DOT mediaone DOT net (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Sat, 19 Jan 2002 19:02:51 -0500
To: Corinna Vinschen <cygwin AT cygwin DOT com>
From: "Pierre A. Humblet" <Pierre DOT Humblet AT ieee DOT org>
Subject: Re: security.cc: bug report, question and suggestion
In-Reply-To: <20020120003335.W11608@cygbert.vinschen.de>
References: <3 DOT 0 DOT 5 DOT 32 DOT 20020119165218 DOT 007e3720 AT pop DOT ne DOT mediaone DOT net>
 <3 DOT 0 DOT 5 DOT 32 DOT 20020118194603 DOT 007db100 AT pop DOT ne DOT mediaone DOT net>
 <3 DOT 0 DOT 5 DOT 32 DOT 20011230112615 DOT 00813e60 AT pop DOT ne DOT mediaone DOT net>
 <3 DOT 0 DOT 5 DOT 32 DOT 20011229152301 DOT 0083a1f0 AT pop DOT ne DOT mediaone DOT net>
 <3 DOT 0 DOT 5 DOT 32 DOT 20011229152301 DOT 0083a1f0 AT pop DOT ne DOT mediaone DOT net>
 <3 DOT 0 DOT 5 DOT 32 DOT 20011230112615 DOT 00813e60 AT pop DOT ne DOT mediaone DOT net>
 <3 DOT 0 DOT 5 DOT 32 DOT 20020118194603 DOT 007db100 AT pop DOT ne DOT mediaone DOT net>
 <3 DOT 0 DOT 5 DOT 32 DOT 20020119165218 DOT 007e3720 AT pop DOT ne DOT mediaone DOT net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 12:33 AM 1/20/02 +0100, you wrote:
>On Sat, Jan 19, 2002 at 04:52:18PM -0500, Pierre A. Humblet wrote:

>The problem is that in contrast to POSIX the PrimaryGroup is
>restricted to the Groups already listed in the access token
>of the process.  So it will fail if the primary group is set
>only for a later impersonation.  But that shouldn't matter
>then, IMO.

OK, that's what I meant in the first paragraph. I had in mind the 
case where the gid is not in the existing Groups. It will become
effective at the next setuid().

>I'm not quite sure if I understand.  If the setgid() is made
>while a impersonation is active, the setgid() should affect
>the impersonation token.  

No, no, it changes the process token.  syscalls.cc:
 if (!OpenProcessToken (GetCurrentProcess (),

>> Wouldn't it be safer to always rely on myself->gid to set ACLs
>> and only use the PrimaryToken to verify if an existing token 
>> can be reused?
>
>Good question.  However, I don't think it's unsafe to change
>the primary group.  If it was successful, further securable
>objects are created using the correct primary group.  If it
>wasn't successful, nothing has changed, nothing got worse.

Yes, but it's undetermined (except if the caller really knows
the Groups), which isn't so good. By using myself->gid you could 
change the primary group on securable objects to what it should be.
BTW, does the primary group need to be in the Groups there too?

Pierre


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/