Mailing-List: contact cygwin-developers-help AT cygwin DOT com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-developers-owner AT cygwin DOT com Delivered-To: mailing list cygwin-developers AT cygwin DOT com Date: Fri, 13 Dec 2002 12:50:04 +0100 From: Corinna Vinschen To: cygwin-developers AT cygwin DOT com Subject: Re: Subauthentication Message-ID: <20021213125004.O7796@cygbert.vinschen.de> Reply-To: cygwin-developers AT cygwin DOT com Mail-Followup-To: cygwin-developers AT cygwin DOT com References: <3DF50D30 DOT AE8FA801 AT ieee DOT org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.22.1i On Fri, Dec 13, 2002 at 11:55:46AM +0100, Hartmut Honisch wrote: > Hi Pierre, > > I think I found a way to make GetUserName return the correct user after > impersonating a token created my NtCreateToken: The token needs a valid > logon session id, one that is associated with the correct user. > > As I mentioned, when logging on, Windows creates a new logon session, and > LSA associates the username with that session. > > And even though NtCreateToken allows to specify a TokenUser, It seems that > when impersonating a token, Windows replaces the TokenUser by the user > associated with the token's logon session id. And since create_token uses > the active logon session associated with the _impersonating_ user, not the > user to _be_ impersonated, TokenUser will contain the wrong user name after > impersonating it. > > So I successfully tried the following approch: > - use subauthentication to create a new logon session for the new user > - if the token is suitable (i.e. verify_token returns TRUE), use it for > impersonation > - if the token is not suitable(because of the setgid issues you explained to > me), call create_token, but reuse the subauthentication token's logon > session id in the new token. > > I verified that with a token created by NtCreateToken (with the right logon > session id of course), I'm able to impersonate and GetUserName / > GetTokenInformation(...TokenUser...) will give me the correct user. That sounds really interesting. If we turn around the order in seteuid again (first call subauth, if that fails create_token) we could use that extra step as explained above to create a correct logon token. It's just important, that the current NTCreateToken stuff still works as today if subauth is not installed. Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developer mailto:cygwin AT cygwin DOT com Red Hat, Inc.