Message-ID: <3C518B53.711B9391@ieee.org>
Date: Fri, 25 Jan 2002 11:44:03 -0500
From: "Pierre A. Humblet"
To: Corinna Vinschen
Subject: Re: security.cc: bug report, question and suggestion

Corinna Vinschen wrote:

> That sounds weird, though. It doesn't make sense. The DACL
> for the token only sets the permissions for accessing the token
> and not for accessing other objects.
>
> Hmm.
>
> OTOH..., if the process can't access the token it doesn't know about
> its own permissions. But why should only accessing a registry key
> be affected and not accessing files?!?

I agree it doesn't make sense and it's all Microsoft's doing...
By the way, do you know why LookupAccountSid() returns different values
when the sid is impersonated and when it isn't? Like:

In impersonated token created in a process launched by Phumblet
/******************* Token User */
PHumblet WIRELESS SidTypeUser                  <==== ?????
S-1-5-21-2127391503-1594901184-99485923-1004   <==== impersonated sid

The (account) name PHumblet doesn't match the sid's username here.
It would if the process was launched directly by the user (instead of
being impersonated).
>
> The latter call is the one I added to the DuplicateTokenEx() call
> to create this sort of SA with five SIDs, the current user, the
> impersonated user (additional SID parameter), admins, system and
> creator_owner.

What you do is essentially the same as what I tried, except you put the
sa, sd and dacl in a contiguous memory buffer. My code (which also
didn't have any effect) was using pointers from sa to sd and from sd to
the dacl (thus spread in 3 different memory blocks).

> And you say that this doesn't help at all? Hmm, I will have to
> debug that further. SIGH!

Instead of debugging DuplicateTokenEx() it may be simpler (but less
efficient) to set the sd DACL in seteuid(), after the call to
ImpersonateLoggedOnUser(). That's essentially what my call is doing
when NULLing the DACL (see previous mail).
It would also take care of the subauthentication case. I haven't looked
at that at all.

>
> Could you send your minimal testcase, please?

Yes, but perhaps not before Monday.

Pierre