This is the mail archive of the cygwin-patches@cygwin.com mailing list for the Cygwin project.



Re: Problems on accessing Windows network resources


Corinna, 

Here is the patch to preserve the external token.

After mulling over the issue, I settled on a solution
close to what I had initially in mind, i.e. separate
external and internal tokens. It always behaves as
expected; we don't have to assume anything about what
the application expects in the cases where the orig_uid 
matches the impersonated uid and only the group(s) 
differ(s).

It also handles a case that had bothered me: daemon
starts, setgroups(0, NULL), and setuid, thus possibly
creating an internal token [ exim does this ]. 
User logs in, daemon calls cygwin_set_impersonation_token() 
and wipes out its own token... [ exim doesn't do that :) ]

You will see that cygwin_set_impersonation_token() should
now return a success/failure indication, instead of void.
That's not done yet, waiting for your opinion.

Pierre

2003-06-12  Pierre Humblet  <pierre.humblet@ieee.org>

	* cygheap.h (enum impersonation): New enum.
	(cygheap_user::token): Delete.
	(cygheap_user::impersonated): Delete.
	(cygheap_user::external_token): New member.
	(cygheap_user::internal_token): New member.
	(cygheap_user::impersonation_state): New member.
	(cygheap_user::issetuid): Modify.
	(cygheap_user::token): New method.
	(cygheap_user::deimpersonate): New method.
	(cygheap_user::reimpersonate): New method.
	(cygheap_user::has_impersonation_tokens): New method.
	(cygheap_user::close_impersonation_tokens): New method.
	* dtable.cc (dtable::vfork_child_dup): Use new cygheap_user methods.
	* fhandler_socket.cc (fhandler_socket::dup): Ditto.
	* fork.cc (fork_child): Ditto.
	(fork_parent): Ditto.
	* grp.cc (internal_getgroups): Ditto.
	* security.cc (verify_token): Ditto.
	(check_file_access): Ditto.
	(cygwin_set_impersonation_token): Detect conflicts. Set 
	user.external_token. 
	* spawn.cc (spawn_guts): Use new cygheap_user methods. 
	* syscalls.cc (seteuid32): Rearrange to use the two tokens
	in cygheap_user.
	(setegid32): Use new cygheap_user methods.
	* uinfo.cc (internal_getlogin): Ditto.

Attachment: security.diff
Description: Text document

