This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: PATCH: login under privileged user != SYSTEM


On Apr 18 04:32, Charles Wilson wrote:
> Corinna Vinschen wrote:
>> Cool, thanks!  Would you mind to take over login maintenance, too?  It
>> was always just the wagging tail of inetutils anyway...
>
> Sure.

Thank you!  Igor?  Can we get another gold star for Charles?

>> - I wouldn't do the automatic yes for uid 18 anymore.  Even for NT/2K/XP
>>   it would be more correct to check if the current account running the
>                                              ^^^^^^^^^^^^^^^^^^^^^^^
>>   process is the one with SID S-1-5-18.  
>
> But that's not exactly what you want, here. Sometimes, login.c does
>   isROOTUID(getuid())
> which could be replaced as you suggest. But *most* of the time, login.c 
> does
>   isROOTUID(pw->pw_uid)
> before it has actually switched to that user.
>
> And saying that isROOTUID(uid) ==
>   {
>     setuid(pw->pw_uid);
>     isCurrentProcessRunningAsROOT();
>     setuid(saved_uid);
>   }
> is overkill -- especially as I want "isROOTUID(uid)" to work even if the 
> current user does NOT have the privileges needed for setuid() to work.

That makes sense.

> ==== aside:
> And I wish I could have figured out how to make 
> uidIsMemberOfLocalAdmin(uid_t uid), but if uid != current user it's really 
> hard to get the either (a) the list of groups a particular user is a member 
> of, or (b) the list of users that are members of a particular group.  Since 
> I already have a make-SID-from-uid method, if I had (a) I could iterate 
> that list trying to match the local Administrators SID, or if I had (b) I 
> could iterate through the list and compare to my SID-from-uid.
>
> I know there is NetUserGetLocalGroups, but what if the user is a member of 
> a global group, and the local security policy makes that global group a 
> member of the (local) Administrators group? With the multi-level inclusion 
> of groups, it's almost easier to go the other way: get the local 
> administrator group, and use (recursively) NetLocalGroupGetMembers and 
> NetGroupGetUsers to build a list of all users that are (directly or by 
> inclusion) members of the (local) Administrators group -- and THEN iterate 
> that to see if any of them match SID-from-uid.
>
> But neither is easy.
> ==== end aside

Yes, I agree wholeheartedly.  The handling of users and groups is
really complicated and you're coding your brain out of your head just
to *get* the information and then you still have to test.  It's
really not funny how much code you need to fetch certain types of
information.

> So, I'm still not checking that the uid specified is a member of the local 
> Administrators group.
>
> I did discover one awkward thing: in my make-SID-from-uid function, I do 
> the following
>
> 1. get struct passwd* for uid
> 2. cygwin_internal(CW_EXTRACT_DOMAIN_AND_USER, pw, domain, name);
> 3. get the servername for the domain by using either
>    DsGetDcName or NetGetDCName
> 4. use NetUserGetInfo to get a PUSER_INFO_3 structure
>    (if domain user, and call fails, try again locally...)
> 5. use LookupAccountName to get the SID
>    (if basic call fails and returned account type is SidTypeDomain,
>    try again after adding domain spec to username)
>
> However, if uid = 18 it turns out that NetUserGetInfo(...., 
> toUnicode("LocalSystem"),...) always fails. I even tested that proposition 
> in a quick test app. It just doesn't work.

As for an account being Administrator, and apart from special accounts
like SYSTEM or LOCAL_SERVICE...

What about just checking the value of PUSER_INFO_3->usri3_priv?  It may
contain the value USER_PRIV_ADMIN.  That should be sufficient, afaics.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
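The two checks discussed above, the S-1-5-18 test for SYSTEM and the usri3_priv test from NetUserGetInfo level 3, put together as an added example. This is not code from login.c or the Cygwin project: it is PowerShell calling the same Win32 APIs through P/Invoke, it takes an account name (the pw_name login.c would derive from the uid) instead of a uid, and the optional -Server parameter stands in for the DsGetDcName/NetGetDCName step, which is not implemented here. Only the leading fields of USER_INFO_3 are declared, which is enough for PtrToStructure to reach usri3_priv.

```powershell
# Added example (not Cygwin/login.c code): resolve an account, short-circuit
# on the SYSTEM SID, otherwise ask NetUserGetInfo level 3 for usri3_priv.
Set-StrictMode -Version Latest

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class NetApi32
{
    // Prefix of USER_INFO_3 from lmaccess.h; the real struct continues after
    // usri3_priv, but PtrToStructure only reads sizeof(this prefix) bytes.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct USER_INFO_3_PREFIX
    {
        public string usri3_name;
        public string usri3_password;
        public uint   usri3_password_age;
        public uint   usri3_priv;
    }

    public const uint USER_PRIV_GUEST = 0;
    public const uint USER_PRIV_USER  = 1;
    public const uint USER_PRIV_ADMIN = 2;

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetUserGetInfo(string servername, string username,
                                            int level, out IntPtr bufptr);

    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
'@

function Get-AccountSid {
    # LookupAccountName equivalent. Throws IdentityNotMappedException when the
    # name is unknown, which is the "try again with the domain prefix" case.
    param([Parameter(Mandatory)][string]$Account)
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

function Get-UserPriv {
    # Returns usri3_priv for $User as seen by $Server ($null = local SAM).
    param($Server = $null, [Parameter(Mandatory)][string]$User)
    $buf = [IntPtr]::Zero
    $rc = [NetApi32]::NetUserGetInfo($Server, $User, 3, [ref]$buf)
    if ($rc -ne 0) {
        # 2221 is NERR_UserNotFound; this is what you get for "LocalSystem".
        throw "NetUserGetInfo('$User') failed with status $rc"
    }
    try {
        $info = [System.Runtime.InteropServices.Marshal]::PtrToStructure(
            $buf, [NetApi32+USER_INFO_3_PREFIX])
        return $info.usri3_priv
    } finally {
        [void][NetApi32]::NetApiBufferFree($buf)
    }
}

function Test-IsRootAccount {
    # $true if $Account is SYSTEM (S-1-5-18) or carries USER_PRIV_ADMIN.
    # $Server is an assumed parameter: pass the DC name for domain accounts.
    param([Parameter(Mandatory)][string]$Account, $Server = $null)
    $sid = Get-AccountSid -Account $Account
    # SYSTEM has no SAM user record, so the SID check must come before
    # NetUserGetInfo, which would otherwise fail for it.
    if ($sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::LocalSystemSid)) {
        return $true
    }
    $user = $Account.Split('\')[-1]
    return (Get-UserPriv -Server $Server -User $user) -eq [NetApi32]::USER_PRIV_ADMIN
}

# Usage (account names are constructed examples; adjust to your machine):
Test-IsRootAccount -Account 'NT AUTHORITY\SYSTEM'   # $true via the SID check
Test-IsRootAccount -Account 'Administrator'         # $true if usri3_priv == 2
```

Two caveats worth keeping in mind. usri3_priv is computed by the server you query, so for a domain account queried at a DC it reflects that domain's Administrators group, not a nested membership in the local machine's Administrators group; that is the multi-level inclusion problem from the aside, and this check does not solve it. And Get-AccountSid needs no privileges, but NetUserGetInfo level 3 against a remote server can fail with ERROR_ACCESS_DENIED (5) for an unprivileged caller, so callers should treat a thrown error as "unknown" rather than "not root".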


