Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Date: Mon, 28 Jan 2002 10:40:04 +0100
From: Corinna Vinschen
To: "Pierre A. Humblet"
Cc: cygwin
Subject: Re: security.cc: bug report, question and suggestion
Message-ID: <20020128104004.A11608@cygbert.vinschen.de>

On Fri, Jan 25, 2002 at 11:44:03AM -0500, Pierre A. Humblet wrote:
> By the way, do you know why LookupAccountSid() returns different
> values when the sid is impersonated and when it isn't. Like:
>
> In impersonated token created in a process launched by Phumblet
> /******************* Token User */
> PHumblet WIRELESS SidTypeUser <==== ?????
> S-1-5-21-2127391503-1594901184-99485923-1004 <==== impersonated sid
>
> the (account) name PHumblet doesn't match the sid's username here.
> It would if the process was launched directly by the user
> (instead of being impersonated).

I wrote about that problem already in earlier postings on this list.
No, I don't know why that happens. I assume it's due to the fact that
the created token is still running in the logon session of the calling
user. The NT calls GetUserName() and LookupAccountSid() seem to take
a shortcut instead of really looking for the values :-(
Actually it only happens in the impersonated and subsequent processes.
Looking from the outside everything's ok, even in the NT task manager.

I tried to get a description or something on the Microsoft mailing
lists but I got no answer.

> Instead of debugging DuplicateTokenEx() it may be simpler (but
> less efficient) to set the sd DACL in seteuid(), after the
> call to ImpersonateLoggedOnUser(). That's essentially what
> my call is doing when NULLing the DACL (see previous mail).

You could test using the sec_user call at that point before I do it.
You have the testcase trying to access the registry keys handy.

> It would also take care of the subauthentication case.
> I haven't looked at that at all.

It doesn't matter. It works on W2K only. That's the reason I never
announced it here but only on the cygwin-developers list.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.