From: "Pierre A. Humblet"
To: Corinna Vinschen
Date: Sun, 10 Feb 2002 14:34:55 -0500
Subject: More security issues
Message-Id: <3.0.5.32.20020210143455.007f2100@pop.ne.mediaone.net>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

Hi Corinna,

I have some free time and easy access to an NT, so I came back to security issues.

As you recall, in setegid(), setting the PrimaryGroup in the process token isn't reliable and was #if'ed out. Consequently non-Cygwin subprocesses may create objects with the wrong primary group. I tried to fix that by setting the primary group based on getegid() in the security descriptor created in sec_user(). To my surprise that didn't have any effect.

In fact sec_user() doesn't seem to have much effect at all! It creates an ACL with 4 or 5 ACEs, but my token printing program only shows two ACEs in the process tokens: admins and system. I wonder what the sa in CreateProcess really does... The only thing that has an effect is the Inherit flag.

In the course of debugging I also noticed that the sid2 passed to sec_user() from just before CreateProcessAsUser() is useless. It is actually equal to the sid that sec_user() gets from cygheap->user.sid () [cygheap->user is set in seteuid()].

All of this effort was motivated by weird access issues to the impersonation token. I can fix that by opening the thread token security descriptor after ImpersonateLoggedOnUser() in seteuid() and changing the ACL (using the ACL from sec_user(); that works!). Unfortunately the work must be redone each time the sequence RevertToSelf(), ..., ImpersonateLoggedOnUser() occurs.

It would be much better if we could get the sd to have an effect in DuplicateTokenEx() [in create_token(), security.cc]. That may be related to what I observed above. Any ideas?

Back to setegid(): another safe way would be to RevertToSelf(), ..., Impersonate...() if currently impersonated. That's because there is also a RevertToSelf() before CreateProcessAsUser(). Why is there one, by the way? Microsoft seems to suggest working in the security context of the new user. It says it's useful if the executable is only executable by the new user.

Pierre

P.S.: please cc me directly.

--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Bug reporting: http://cygwin.com/bugs.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/