**************************************************************************
Debug output demonstrating the token ACL problem NT 4
**************************************************************************

1) For reference, here is the process token of a normal unprivileged user.
   The "SECURITY INFO" section shows that the user has full access to its
   token. Such a user has no problem reading the perflib registry key, even
   though it is non privileged.

/******************* Token Start ****************************/
/******************* Token User */
testuser PHumblet SidTypeUser
/******************* Token Type */
TokenPrimary
/******************* Token Source */
Token source User32
/******************* Token Security */
*************** SECURITY INFO START *************
Owner: testuser PHumblet SidTypeUser
Group: None PHumblet SidTypeGroup
ACL:
0 PHumblet\testuser (form==name) SET_ACCESS Inher 0 TRUSTEE_IS_USER
    TOKEN_ASSIGN_PRIMARY, TOKEN_DUPLICATE, TOKEN_IMPERSONATE, TOKEN_QUERY,
    TOKEN_QUERY_SOURCE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS,
    TOKEN_ADJUST_DEFAULT, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER,
1 NT AUTHORITY\SYSTEM (form==name) SET_ACCESS Inher 0 TRUSTEE_IS_WELL_KNOWN_GROUP
    TOKEN_ASSIGN_PRIMARY, TOKEN_DUPLICATE, TOKEN_IMPERSONATE, TOKEN_QUERY,
    TOKEN_QUERY_SOURCE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS,
    TOKEN_ADJUST_DEFAULT, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER,
*************** SECURITY INFO END *************
/******************* Token Groups */
None PHumblet SidTypeGroup
    SE_GROUP_ENABLED, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_MANDATORY,
Everyone SidTypeWellKnownGroup
    SE_GROUP_ENABLED, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_MANDATORY,
Users BUILTIN SidTypeAlias
    SE_GROUP_ENABLED, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_MANDATORY,
LookupAccountSid: error 1332 1 3 0 0 0 0 0 5 5 0
    SE_GROUP_ENABLED, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_LOGON_ID, SE_GROUP_MANDATORY,
LOCAL SidTypeWellKnownGroup
    SE_GROUP_ENABLED, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_MANDATORY,
INTERACTIVE NT AUTHORITY SidTypeWellKnownGroup
    SE_GROUP_ENABLED, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_MANDATORY,
Authenticated Users NT AUTHORITY SidTypeWellKnownGroup
    SE_GROUP_ENABLED, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_MANDATORY,
/******************* Token restricted sids */
GetTokenInfo 87 300 172                        <=== No restricted SIDs
/******************* Token privileges */
SeChangeNotifyPrivilege SE_PRIVILEGE_ENABLED, SE_PRIVILEGE_ENABLED_BY_DEFAULT,
SeShutdownPrivilege
/******************* Token Owner */
testuser PHumblet SidTypeUser
/******************* Token Primary group */
None PHumblet SidTypeGroup
/******************* Token DACL */
0 PHumblet\testuser (form==name) SET_ACCESS Inher 0 TRUSTEE_IS_USER
1 NT AUTHORITY\SYSTEM (form==name) SET_ACCESS Inher 0 TRUSTEE_IS_WELL_KNOWN_GROUP
/******************* Token End ****************************/

2) This is the impersonation token when both setgid(1005) and setuid(1004)
   have been called. Process was started by cygrunsrv under SYSTEM.

/******************* Token Start ****************************/
/******************* Token User */
SYSTEM NT AUTHORITY SidTypeUser                                    <=== STRANGE
LookupAccountSid() S-1-5-21-2127391503-1594901184-99485923-1004    <=== CORRECT SID
/******************* Token Type */
TokenImpersonation
/******************* Token Source */
Token source Cygwin.1
/******************* Token Security */
*************** SECURITY INFO START *************
Owner: SYSTEM NT AUTHORITY SidTypeWellKnownGroup S-1-5-18
Group: mailgrp PHumblet SidTypeAlias                               <=== CORRECT GID
       S-1-5-21-2127391503-1594901184-99485923-1005
ACL:                                                               <=== 1004 has no access
0 NT AUTHORITY\SYSTEM (form==name) SET_ACCESS Inher 0 TRUSTEE_IS_USER
    TOKEN_ASSIGN_PRIMARY, TOKEN_DUPLICATE, TOKEN_IMPERSONATE, TOKEN_QUERY,
    TOKEN_QUERY_SOURCE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS,
    TOKEN_ADJUST_DEFAULT, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER,
1 BUILTIN\Administrators (form==name) SET_ACCESS Inher 0 TRUSTEE_IS_ALIAS
    TOKEN_QUERY, READ_CONTROL,
*************** SECURITY INFO END *************
/******************* Token Groups */
Everyone SidTypeWellKnownGroup S-1-1-0
    SE_GROUP_ENABLED, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_MANDATORY,
Authenticated Users NT AUTHORITY SidTypeWellKnownGroup S-1-5-11
    SE_GROUP_ENABLED, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_MANDATORY,
Users BUILTIN SidTypeAlias S-1-5-32-545
    SE_GROUP_ENABLED, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_MANDATORY,
mailgrp PHumblet SidTypeAlias S-1-5-21-2127391503-1594901184-99485923-1005
    SE_GROUP_ENABLED, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_MANDATORY,
/******************* Token restricted sids */
GetTokenInfo 87                                <=== No restricted SIDs
/******************* Token privileges */
SeChangeNotifyPrivilege SE_PRIVILEGE_ENABLED, SE_PRIVILEGE_ENABLED_BY_DEFAULT,
SeShutdownPrivilege SE_PRIVILEGE_ENABLED, SE_PRIVILEGE_ENABLED_BY_DEFAULT,
/******************* Token Owner */
SYSTEM NT AUTHORITY SidTypeUser S-1-5-21-2127391503-1594901184-99485923-1004
/******************* Token Primary group */
mailgrp PHumblet SidTypeAlias S-1-5-21-2127391503-1594901184-99485923-1005
/******************* Token DACL */
0 NT AUTHORITY\SYSTEM (form==name) SET_ACCESS Inher 0 TRUSTEE_IS_USER
1 îþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþ (form==name)   <=== NO IDEA WHY THIS IS GARBLED
    SET_ACCESS Inher 0 TRUSTEE_IS_USER                             <=== WILL LOOK AT IT NEXT WEEK
/******************* Token End ****************************/

RegOpenKeyEx returned 0                        <======= Success
RegQueryValueEx returned 5                     <======= FAILS

3) Impersonation token, after I clear its ACL:

     InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
     SetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);
     SetKernelObjectSecurity(ThreadHandle, DACL_SECURITY_INFORMATION, &sd);

   (I did this for simplicity, I should set the ACL to something. Putting
   such code in seteuid(0 [syscalls.c] should work.)

   The thread is now able to read the registry key.

   UNFORTUNATELY, after a fork() the ACL goes back to its non-null value and
   the registry key can't be read again. (This is not shown here.)

/******************* Token Start ****************************/
/******************* Token User */
SYSTEM NT AUTHORITY SidTypeUser S-1-5-21-2127391503-1594901184-99485923-1004
/******************* Token Type */
TokenImpersonation
/******************* Token Source */
Token source Cygwin.1
/******************* Token Security */
*************** SECURITY INFO START *************
Owner: SYSTEM NT AUTHORITY SidTypeWellKnownGroup S-1-5-18
Group: mailgrp PHumblet SidTypeAlias S-1-5-21-2127391503-1594901184-99485923-1005
ACL:                                           <====== ACL was cleared
ACL is null
*************** SECURITY INFO END *************
/******************* Token Groups */
Everyone SidTypeWellKnownGroup S-1-1-0
    SE_GROUP_ENABLED, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_MANDATORY,
Authenticated Users NT AUTHORITY SidTypeWellKnownGroup S-1-5-11
    SE_GROUP_ENABLED, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_MANDATORY,
Users BUILTIN SidTypeAlias S-1-5-32-545
    SE_GROUP_ENABLED, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_MANDATORY,
mailgrp PHumblet SidTypeAlias S-1-5-21-2127391503-1594901184-99485923-1005
    SE_GROUP_ENABLED, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_MANDATORY,
/******************* Token restricted sids */
GetTokenInfo 87 300 104
/******************* Token privileges */
SeChangeNotifyPrivilege SE_PRIVILEGE_ENABLED, SE_PRIVILEGE_ENABLED_BY_DEFAULT,
SeShutdownPrivilege SE_PRIVILEGE_ENABLED, SE_PRIVILEGE_ENABLED_BY_DEFAULT,
/******************* Token Owner */
SYSTEM NT AUTHORITY SidTypeUser S-1-5-21-2127391503-1594901184-99485923-1004
/******************* Token Primary group */
mailgrp PHumblet SidTypeAlias S-1-5-21-2127391503-1594901184-99485923-1005
/******************* Token DACL */
0 NT AUTHORITY\SYSTEM (form==name) SET_ACCESS Inher 0 TRUSTEE_IS_USER
1 îþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþîþ (form==name)
    SET_ACCESS Inher 0 TRUSTEE_IS_USER
/******************* Token End ****************************/

RegOpenKeyEx returned 0
RegQueryValueEx returned 0                     <==== IT WORKS

4) For reference, here is the SECURITY INFO of the key
   "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\009"

*************** SECURITY INFO START *************
Owner: Administrators BUILTIN SidTypeAlias
Group: LookupAccountSid: error 1332 1 5 0 0 0 0 0 5 15 0
ACL:
0 Everyone (form==name) SET_ACCESS Inher 2 TRUSTEE_IS_WELL_KNOWN_GROUP
    KEY_QUERY_VALUE, KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, READ_CONTROL,
1 BUILTIN\Administrators (form==name) SET_ACCESS Inher 2 TRUSTEE_IS_ALIAS
    KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY, KEY_ENUMERATE_SUB_KEYS,
    KEY_NOTIFY, KEY_CREATE_LINK, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER,
2 NT AUTHORITY\SYSTEM (form==name) SET_ACCESS Inher 2 TRUSTEE_IS_USER
    KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY, KEY_ENUMERATE_SUB_KEYS,
    KEY_NOTIFY, KEY_CREATE_LINK, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER,
3 CREATOR OWNER (form==name) SET_ACCESS Inher 2 TRUSTEE_IS_WELL_KNOWN_GROUP
    KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY, KEY_ENUMERATE_SUB_KEYS,
    KEY_NOTIFY, KEY_CREATE_LINK, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER,
*************** SECURITY INFO END *************
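Why the impersonated user is granted access to token 1 but not to token 2, and why the cleared DACL of section 3 works, traced through a model of the NT DACL walk. This is an added example written for this note, not Cygwin code or the poster's dump program; trustee names are taken from the dumps, "PHumblet\uid1004" is a placeholder for the account name the dump never resolves, and trustees are matched by name where the kernel compares binary SIDs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Win32 access-mask bits for the rights named in the token dumps; TOKEN_FULL is
   the twelve rights listed for the SYSTEM ACE of every token above. */
#define TOKEN_QUERY   0x0008u
#define READ_CONTROL  0x20000u
#define TOKEN_FULL    0xF00FFu
typedef struct { const char *trustee; unsigned mask; bool deny; } Ace;
/* Model of the NT DACL walk: an ACE applies when its trustee is the token user or
   one of the token's enabled groups; a matching deny ACE covering a wanted right
   fails the check, a matching allow ACE removes the rights it grants, and the
   check passes once nothing is left.  A NULL DACL grants everything, while a
   DACL whose ACEs never name the caller grants nothing (ERROR_ACCESS_DENIED, 5). */
bool access_check(const char *user, const char **groups, size_t ngroups,
                  const Ace *dacl, size_t nace, unsigned wanted)
{
    if (dacl == NULL) return true;
    for (size_t i = 0; i < nace && wanted != 0; i++) {
        bool applies = strcmp(dacl[i].trustee, user) == 0;
        for (size_t g = 0; g < ngroups && !applies; g++)
            applies = strcmp(dacl[i].trustee, groups[g]) == 0;
        if (!applies) continue;
        if (dacl[i].deny) { if (dacl[i].mask & wanted) return false; }
        else wanted &= ~dacl[i].mask;
    }
    return wanted == 0;
}
/* Token 1 of the post: normal testuser; its DACL names testuser itself and SYSTEM. */
static const Ace token1_dacl[] = { {"PHumblet\\testuser", TOKEN_FULL, false},
                                   {"NT AUTHORITY\\SYSTEM", TOKEN_FULL, false} };
static const char *testuser_groups[] = { "PHumblet\\None", "Everyone", "BUILTIN\\Users",
                                         "LOCAL", "INTERACTIVE", "Authenticated Users" };
/* Token 2 of the post: impersonation token for uid 1004, built while running as
   SYSTEM; its DACL names SYSTEM and Administrators but never the impersonated user.
   "uid1004" is a placeholder for the account name, which the dump does not resolve. */
static const Ace token2_dacl[] = { {"NT AUTHORITY\\SYSTEM", TOKEN_FULL, false},
                                   {"BUILTIN\\Administrators", TOKEN_QUERY | READ_CONTROL, false} };
static const char *uid1004_groups[] = { "Everyone", "Authenticated Users", "BUILTIN\\Users",
                                        "PHumblet\\mailgrp" };
bool testuser_can_query_token1(void) {
    return access_check("PHumblet\\testuser", testuser_groups, 6, token1_dacl, 2, TOKEN_QUERY);
}
bool uid1004_can_query_token2(void) {
    return access_check("PHumblet\\uid1004", uid1004_groups, 4, token2_dacl, 2, TOKEN_QUERY);
}
bool uid1004_can_query_null_dacl(void) {   /* section 3: DACL cleared to NULL */
    return access_check("PHumblet\\uid1004", uid1004_groups, 4, NULL, 0, TOKEN_QUERY);
}
```

The durable fix the post hints at is a DACL that still names SYSTEM but also carries an allow ACE for the impersonated user's SID, rather than the NULL DACL used for the experiment.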