Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Wed, 24 Apr 2002 09:21:38 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: The Cygwin Server Daemon
Message-ID: <20020424092138.A3848@cygbert.vinschen.de>
Mail-Followup-To: cygwin AT cygwin DOT com
References: <FC169E059D1A0442A04C40F86D9BA7600C5ED7 AT itdomain003 DOT itdomain DOT net DOT au> <Pine DOT LNX DOT 4 DOT 33 DOT 0204230800540 DOT 9968-100000 AT fs1 DOT in>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.33.0204230800540.9968-100000@fs1.in>
User-Agent: Mutt/1.3.22.1i

On Tue, Apr 23, 2002 at 08:51:24AM -0700, Richard Troy wrote:
> at this point: _execve() code notices the suid/guid bits are set, checks
> that the file owner is not the caller and that the callers group list 
> does not include the files group id, and dispatches a message to
> cygserver. That message includes the path to the image - and does not 
> include the owner.group as a secondary guard to security at the cost of 
> having to fetch this information a second time.
> 
> At this point, I presume from your clue that cygserver calls 
> CreateProcess(), passing arguments which tell it to create that process in 
> the context (with the credentials) of the indicated user and group, along 
> with the image name, of course. ...CreateProcess() then returns a "handle" 
> to that process, and returns it to the caller. Or, does cygserver itself 
> switch contexts? (hope not - sounds painful) ...Of course, the caller then 
> returns the handle just as _execve() does.

What we're doing to change user context is to call a function
create_token() which is implemented in security.cc.  This is
used in seteuid() to call ImpersonateLoggedOnUser().  In case of
spawn_guts() we're calling CreateProcessAsUser() with that token.
This is IMO the way to go.  The cygserver gets user/group info.
Since it's running under SYSTEM account it has the right to
create a new token, then it CreateProcessAsUser(token) and returns
the process handle.  If cygserver didn't return a handle for
whatever reason, spawn_guts() has to go back to the standard action.
Which is, call CreateProcess(), don't care for switching user context.

> ...If I understand this right, it doesn't sound all that hard! I think I 
> saw code here somewhere that fetches the credentials, and I already have 
> glibc code that pulls user and group info from the system based on the 
> effective user ID of the current process... 

Please be careful.  Don't use any code from glibc!  It's LGPL'd
which taints the Cygwin license.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/