* advapi32.cc (GetTokenInformation): Remove.
(SetTokenInformation): Remove. * grp.cc: Replace above functions throughout with their ntdll.dll equivalent. * sec_auth.cc: Ditto. * syscalls.cc: Ditto. * uinfo.cc: Ditto.
This commit is contained in:
parent
541820d0ee
commit
12eac211c9
|
@ -1,3 +1,13 @@
|
|||
2011-04-29 Corinna Vinschen <corinna@vinschen.de>
|
||||
|
||||
* advapi32.cc (GetTokenInformation): Remove.
|
||||
(SetTokenInformation): Remove.
|
||||
* grp.cc: Replace above functions throughout with their ntdll.dll
|
||||
equivalent.
|
||||
* sec_auth.cc: Ditto.
|
||||
* syscalls.cc: Ditto.
|
||||
* uinfo.cc: Ditto.
|
||||
|
||||
2011-04-29 Corinna Vinschen <corinna@vinschen.de>
|
||||
|
||||
* posix_ipc.cc (ipc_cond_timedwait): Only wait for pthread's
|
||||
|
|
|
@ -82,22 +82,6 @@ OpenThreadToken (HANDLE thread, DWORD access, BOOL as_self, PHANDLE tok)
|
|||
DEFAULT_NTSTATUS_TO_BOOL_RETURN
|
||||
}
|
||||
|
||||
BOOL WINAPI
|
||||
GetTokenInformation(HANDLE tok, TOKEN_INFORMATION_CLASS infoclass, LPVOID buf,
|
||||
DWORD len, PDWORD retlen)
|
||||
{
|
||||
NTSTATUS status = NtQueryInformationToken (tok, infoclass, buf, len, retlen);
|
||||
DEFAULT_NTSTATUS_TO_BOOL_RETURN
|
||||
}
|
||||
|
||||
BOOL WINAPI
|
||||
SetTokenInformation (HANDLE tok, TOKEN_INFORMATION_CLASS infoclass, PVOID buf,
|
||||
ULONG len)
|
||||
{
|
||||
NTSTATUS status = NtSetInformationToken (tok, infoclass, buf, len);
|
||||
DEFAULT_NTSTATUS_TO_BOOL_RETURN
|
||||
}
|
||||
|
||||
BOOL WINAPI
|
||||
RevertToSelf ()
|
||||
{
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
/* grp.cc
|
||||
|
||||
Copyright 1996, 1997, 1998, 2000, 2001, 2002, 2003, 2004, 2005, 2006,
|
||||
2007, 2008, 2009 Red Hat, Inc.
|
||||
2007, 2008, 2009, 2011 Red Hat, Inc.
|
||||
|
||||
Original stubs by Jason Molenda of Cygnus Support, crash@cygnus.com
|
||||
First implementation by Gunther Ebert, gunther.ebert@ixos-leipzig.de
|
||||
|
@ -21,6 +21,7 @@ details. */
|
|||
#include "fhandler.h"
|
||||
#include "dtable.h"
|
||||
#include "cygheap.h"
|
||||
#include "ntdll.h"
|
||||
#include "pwdgrp.h"
|
||||
|
||||
static __group32 *group_buf;
|
||||
|
@ -314,8 +315,9 @@ internal_getgrent (int pos)
|
|||
int
|
||||
internal_getgroups (int gidsetsize, __gid32_t *grouplist, cygpsid * srchsid)
|
||||
{
|
||||
NTSTATUS status;
|
||||
HANDLE hToken = NULL;
|
||||
DWORD size;
|
||||
ULONG size;
|
||||
int cnt = 0;
|
||||
struct __group32 *gr;
|
||||
|
||||
|
@ -345,12 +347,14 @@ internal_getgroups (int gidsetsize, __gid32_t *grouplist, cygpsid * srchsid)
|
|||
else
|
||||
hToken = hProcToken;
|
||||
|
||||
if (GetTokenInformation (hToken, TokenGroups, NULL, 0, &size)
|
||||
|| GetLastError () == ERROR_INSUFFICIENT_BUFFER)
|
||||
status = NtQueryInformationToken (hToken, TokenGroups, NULL, 0, &size);
|
||||
if (NT_SUCCESS (status) || status == STATUS_BUFFER_TOO_SMALL)
|
||||
{
|
||||
PTOKEN_GROUPS groups = (PTOKEN_GROUPS) alloca (size);
|
||||
|
||||
if (GetTokenInformation (hToken, TokenGroups, groups, size, &size))
|
||||
status = NtQueryInformationToken (hToken, TokenGroups, groups,
|
||||
size, &size);
|
||||
if (NT_SUCCESS (status))
|
||||
{
|
||||
cygsid sid;
|
||||
|
||||
|
@ -379,7 +383,7 @@ internal_getgroups (int gidsetsize, __gid32_t *grouplist, cygpsid * srchsid)
|
|||
}
|
||||
}
|
||||
else
|
||||
debug_printf ("%d = GetTokenInformation(NULL) %E", size);
|
||||
debug_printf ("%lu = NtQueryInformationToken(NULL) %p", size, status);
|
||||
return cnt;
|
||||
|
||||
error:
|
||||
|
|
|
@ -32,7 +32,7 @@ details. */
|
|||
|
||||
/* Starting with Windows Vista, the token returned by system functions
|
||||
is a restricted token. The full admin token is linked to it and can
|
||||
be fetched with GetTokenInformation. This function returns the original
|
||||
be fetched with NtQueryInformationToken. This function returns the original
|
||||
token on pre-Vista, and the elevated token on Vista++ if it's available,
|
||||
the original token otherwise. The token handle is also made inheritable
|
||||
since that's necessary anyway. */
|
||||
|
@ -42,7 +42,7 @@ get_full_privileged_inheritable_token (HANDLE token)
|
|||
if (wincap.has_mandatory_integrity_control ())
|
||||
{
|
||||
TOKEN_LINKED_TOKEN linked;
|
||||
DWORD size;
|
||||
ULONG size;
|
||||
|
||||
/* When fetching the linked token without TCB privs, then the linked
|
||||
token is not a primary token, only an impersonation token, which is
|
||||
|
@ -50,8 +50,9 @@ get_full_privileged_inheritable_token (HANDLE token)
|
|||
token using DuplicateTokenEx does NOT work for the linked token in
|
||||
this case. So we have to switch on TCB privs to get a primary token.
|
||||
This is generally performed in the calling functions. */
|
||||
if (GetTokenInformation (token, TokenLinkedToken,
|
||||
(PVOID) &linked, sizeof linked, &size))
|
||||
if (NT_SUCCESS (NtQueryInformationToken (token, TokenLinkedToken,
|
||||
(PVOID) &linked, sizeof linked,
|
||||
&size)))
|
||||
{
|
||||
debug_printf ("Linked Token: %p", linked.LinkedToken);
|
||||
if (linked.LinkedToken)
|
||||
|
@ -61,8 +62,9 @@ get_full_privileged_inheritable_token (HANDLE token)
|
|||
/* At this point we don't know if the user actually had TCB
|
||||
privileges. Check if the linked token is a primary token.
|
||||
If not, just return the original token. */
|
||||
if (GetTokenInformation (linked.LinkedToken, TokenType,
|
||||
(PVOID) &type, sizeof type, &size)
|
||||
if (NT_SUCCESS (NtQueryInformationToken (linked.LinkedToken,
|
||||
TokenType, (PVOID) &type,
|
||||
sizeof type, &size))
|
||||
&& type != TokenPrimary)
|
||||
debug_printf ("Linked Token is not a primary token!");
|
||||
else
|
||||
|
@ -660,23 +662,26 @@ get_priv_list (LSA_HANDLE lsa, cygsid &usersid, cygsidlist &grp_list,
|
|||
bool
|
||||
verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
|
||||
{
|
||||
DWORD size;
|
||||
NTSTATUS status;
|
||||
ULONG size;
|
||||
bool intern = false;
|
||||
|
||||
if (pintern)
|
||||
{
|
||||
TOKEN_SOURCE ts;
|
||||
if (!GetTokenInformation (token, TokenSource,
|
||||
&ts, sizeof ts, &size))
|
||||
debug_printf ("GetTokenInformation(), %E");
|
||||
status = NtQueryInformationToken (token, TokenSource, &ts, sizeof ts,
|
||||
&size);
|
||||
if (!NT_SUCCESS (status))
|
||||
debug_printf ("NtQueryInformationToken(), %p", status);
|
||||
else
|
||||
*pintern = intern = !memcmp (ts.SourceName, "Cygwin.1", 8);
|
||||
}
|
||||
/* Verify usersid */
|
||||
cygsid tok_usersid = NO_SID;
|
||||
if (!GetTokenInformation (token, TokenUser,
|
||||
&tok_usersid, sizeof tok_usersid, &size))
|
||||
debug_printf ("GetTokenInformation(), %E");
|
||||
status = NtQueryInformationToken (token, TokenUser, &tok_usersid,
|
||||
sizeof tok_usersid, &size);
|
||||
if (!NT_SUCCESS (status))
|
||||
debug_printf ("NtQueryInformationToken(), %p", status);
|
||||
if (usersid != tok_usersid)
|
||||
return false;
|
||||
|
||||
|
@ -705,17 +710,24 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
|
|||
}
|
||||
|
||||
PTOKEN_GROUPS my_grps;
|
||||
bool sawpg = false, ret = false;
|
||||
|
||||
if (!GetTokenInformation (token, TokenGroups, NULL, 0, &size) &&
|
||||
GetLastError () != ERROR_INSUFFICIENT_BUFFER)
|
||||
debug_printf ("GetTokenInformation(token, TokenGroups), %E");
|
||||
else if (!(my_grps = (PTOKEN_GROUPS) alloca (size)))
|
||||
debug_printf ("alloca (my_grps) failed.");
|
||||
else if (!GetTokenInformation (token, TokenGroups, my_grps, size, &size))
|
||||
debug_printf ("GetTokenInformation(my_token, TokenGroups), %E");
|
||||
else
|
||||
status = NtQueryInformationToken (token, TokenGroups, NULL, 0, &size);
|
||||
if (!NT_SUCCESS (status) && status != STATUS_BUFFER_TOO_SMALL)
|
||||
{
|
||||
debug_printf ("NtQueryInformationToken(token, TokenGroups), %p", status);
|
||||
return false;
|
||||
}
|
||||
my_grps = (PTOKEN_GROUPS) alloca (size);
|
||||
status = NtQueryInformationToken (token, TokenGroups, my_grps, size, &size);
|
||||
if (!NT_SUCCESS (status))
|
||||
{
|
||||
debug_printf ("NtQueryInformationToken(my_token, TokenGroups), %p",
|
||||
status);
|
||||
return false;
|
||||
}
|
||||
|
||||
bool sawpg = false;
|
||||
|
||||
if (groups.issetgroups ()) /* setgroups was called */
|
||||
{
|
||||
cygsid gsid;
|
||||
|
@ -758,12 +770,10 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
|
|||
return false;
|
||||
}
|
||||
/* The primary group must be in the token */
|
||||
ret = sawpg
|
||||
return sawpg
|
||||
|| sid_in_token_groups (my_grps, groups.pgsid)
|
||||
|| groups.pgsid == usersid;
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
HANDLE
|
||||
create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
|
||||
|
@ -795,7 +805,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
|
|||
HANDLE primary_token = INVALID_HANDLE_VALUE;
|
||||
|
||||
PTOKEN_GROUPS my_tok_gsids = NULL;
|
||||
DWORD size;
|
||||
ULONG size;
|
||||
size_t psize = 0;
|
||||
|
||||
/* SE_CREATE_TOKEN_NAME privilege needed to call NtCreateToken. */
|
||||
|
@ -817,28 +827,39 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
|
|||
id of the user account running current process. */
|
||||
if (usersid == well_known_system_sid)
|
||||
/* nothing to do */;
|
||||
else if (!GetTokenInformation (hProcToken, TokenStatistics,
|
||||
&stats, sizeof stats, &size))
|
||||
debug_printf
|
||||
("GetTokenInformation(hProcToken, TokenStatistics), %E");
|
||||
else
|
||||
{
|
||||
status = NtQueryInformationToken (hProcToken, TokenStatistics,
|
||||
&stats, sizeof stats, &size);
|
||||
if (!NT_SUCCESS (status))
|
||||
debug_printf ("NtQueryInformationToken(hProcToken, "
|
||||
"TokenStatistics), %p", status);
|
||||
else
|
||||
auth_luid = stats.AuthenticationId;
|
||||
}
|
||||
|
||||
/* Retrieving current processes group list to be able to inherit
|
||||
some important well known group sids. */
|
||||
if (!GetTokenInformation (hProcToken, TokenGroups, NULL, 0, &size)
|
||||
&& GetLastError () != ERROR_INSUFFICIENT_BUFFER)
|
||||
debug_printf ("GetTokenInformation(hProcToken, TokenGroups), %E");
|
||||
status = NtQueryInformationToken (hProcToken, TokenGroups, NULL, 0,
|
||||
&size);
|
||||
if (!NT_SUCCESS (status) && status != STATUS_BUFFER_TOO_SMALL)
|
||||
debug_printf ("NtQueryInformationToken(hProcToken, TokenGroups), %p",
|
||||
status);
|
||||
else if (!(my_tok_gsids = (PTOKEN_GROUPS) malloc (size)))
|
||||
debug_printf ("malloc (my_tok_gsids) failed.");
|
||||
else if (!GetTokenInformation (hProcToken, TokenGroups, my_tok_gsids,
|
||||
size, &size))
|
||||
else
|
||||
{
|
||||
debug_printf ("GetTokenInformation(hProcToken, TokenGroups), %E");
|
||||
status = NtQueryInformationToken (hProcToken, TokenGroups,
|
||||
my_tok_gsids, size, &size);
|
||||
if (!NT_SUCCESS (status))
|
||||
{
|
||||
debug_printf ("NtQueryInformationToken(hProcToken, TokenGroups), "
|
||||
"%p", status);
|
||||
free (my_tok_gsids);
|
||||
my_tok_gsids = NULL;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* Create list of groups, the user is member in. */
|
||||
int auth_pos;
|
||||
|
|
|
@ -2961,6 +2961,8 @@ seteuid32 (__uid32_t uid)
|
|||
|
||||
if (new_token != hProcToken)
|
||||
{
|
||||
NTSTATUS status;
|
||||
|
||||
if (!request_restricted_uid_switch)
|
||||
{
|
||||
/* Avoid having HKCU use default user */
|
||||
|
@ -2969,21 +2971,27 @@ seteuid32 (__uid32_t uid)
|
|||
}
|
||||
|
||||
/* Try setting owner to same value as user. */
|
||||
if (!SetTokenInformation (new_token, TokenOwner,
|
||||
&usersid, sizeof usersid))
|
||||
debug_printf ("SetTokenInformation(user.token, TokenOwner), %E");
|
||||
status = NtSetInformationToken (new_token, TokenOwner,
|
||||
&usersid, sizeof usersid);
|
||||
if (!NT_SUCCESS (status))
|
||||
debug_printf ("NtSetInformationToken (user.token, TokenOwner), %p",
|
||||
status);
|
||||
/* Try setting primary group in token to current group */
|
||||
if (!SetTokenInformation (new_token, TokenPrimaryGroup,
|
||||
&groups.pgsid, sizeof (cygsid)))
|
||||
debug_printf ("SetTokenInformation(user.token, TokenPrimaryGroup), %E");
|
||||
status = NtSetInformationToken (new_token, TokenPrimaryGroup,
|
||||
&groups.pgsid, sizeof (cygsid));
|
||||
if (!NT_SUCCESS (status))
|
||||
debug_printf ("NtSetInformationToken (user.token, TokenPrimaryGroup),"
|
||||
"%p", status);
|
||||
/* Try setting default DACL */
|
||||
PACL dacl_buf = (PACL) alloca (MAX_DACL_LEN (5));
|
||||
if (sec_acl (dacl_buf, true, true, usersid))
|
||||
{
|
||||
TOKEN_DEFAULT_DACL tdacl = { dacl_buf };
|
||||
if (!SetTokenInformation (new_token, TokenDefaultDacl,
|
||||
&tdacl, sizeof (tdacl)))
|
||||
debug_printf ("SetTokenInformation (TokenDefaultDacl), %E");
|
||||
status = NtSetInformationToken (new_token, TokenDefaultDacl,
|
||||
&tdacl, sizeof (tdacl));
|
||||
if (!NT_SUCCESS (status))
|
||||
debug_printf ("NtSetInformationToken (TokenDefaultDacl), %p",
|
||||
status);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -3095,6 +3103,7 @@ setegid32 (__gid32_t gid)
|
|||
return 0;
|
||||
}
|
||||
|
||||
NTSTATUS status;
|
||||
user_groups * groups = &cygheap->user.groups;
|
||||
cygsid gsid;
|
||||
struct __group32 * gr = internal_getgrgid (gid);
|
||||
|
@ -3110,17 +3119,23 @@ setegid32 (__gid32_t gid)
|
|||
if (cygheap->user.issetuid ())
|
||||
{
|
||||
/* If impersonated, update impersonation token... */
|
||||
if (!SetTokenInformation (cygheap->user.primary_token (),
|
||||
TokenPrimaryGroup, &gsid, sizeof gsid))
|
||||
debug_printf ("SetTokenInformation(primary_token, "
|
||||
"TokenPrimaryGroup), %E");
|
||||
if (!SetTokenInformation (cygheap->user.imp_token (), TokenPrimaryGroup,
|
||||
&gsid, sizeof gsid))
|
||||
debug_printf ("SetTokenInformation(token, TokenPrimaryGroup), %E");
|
||||
status = NtSetInformationToken (cygheap->user.primary_token (),
|
||||
TokenPrimaryGroup, &gsid, sizeof gsid);
|
||||
if (!NT_SUCCESS (status))
|
||||
debug_printf ("NtSetInformationToken (primary_token, "
|
||||
"TokenPrimaryGroup), %p", status);
|
||||
status = NtSetInformationToken (cygheap->user.imp_token (),
|
||||
TokenPrimaryGroup, &gsid, sizeof gsid);
|
||||
if (!NT_SUCCESS (status))
|
||||
debug_printf ("NtSetInformationToken (token, TokenPrimaryGroup), %p",
|
||||
status);
|
||||
}
|
||||
cygheap->user.deimpersonate ();
|
||||
if (!SetTokenInformation (hProcToken, TokenPrimaryGroup, &gsid, sizeof gsid))
|
||||
debug_printf ("SetTokenInformation(hProcToken, TokenPrimaryGroup), %E");
|
||||
status = NtSetInformationToken (hProcToken, TokenPrimaryGroup,
|
||||
&gsid, sizeof gsid);
|
||||
if (!NT_SUCCESS (status))
|
||||
debug_printf ("NtSetInformationToken (hProcToken, TokenPrimaryGroup), %p",
|
||||
status);
|
||||
clear_procimptoken ();
|
||||
cygheap->user.reimpersonate ();
|
||||
return 0;
|
||||
|
|
|
@ -59,32 +59,35 @@ cygheap_user::init ()
|
|||
else
|
||||
set_name ("unknown");
|
||||
|
||||
DWORD siz;
|
||||
NTSTATUS status;
|
||||
ULONG size;
|
||||
PSECURITY_DESCRIPTOR psd;
|
||||
|
||||
if (!GetTokenInformation (hProcToken, TokenPrimaryGroup,
|
||||
&groups.pgsid, sizeof (cygsid), &siz))
|
||||
system_printf ("GetTokenInformation (TokenPrimaryGroup), %E");
|
||||
status = NtQueryInformationToken (hProcToken, TokenPrimaryGroup,
|
||||
&groups.pgsid, sizeof (cygsid), &size);
|
||||
if (!NT_SUCCESS (status))
|
||||
system_printf ("NtQueryInformationToken (TokenPrimaryGroup), %p", status);
|
||||
|
||||
/* Get the SID from current process and store it in effec_cygsid */
|
||||
if (!GetTokenInformation (hProcToken, TokenUser, &effec_cygsid,
|
||||
sizeof (cygsid), &siz))
|
||||
status = NtQueryInformationToken (hProcToken, TokenUser, &effec_cygsid,
|
||||
sizeof (cygsid), &size);
|
||||
if (!NT_SUCCESS (status))
|
||||
{
|
||||
system_printf ("GetTokenInformation (TokenUser), %E");
|
||||
system_printf ("NtQueryInformationToken (TokenUser), %p", status);
|
||||
return;
|
||||
}
|
||||
|
||||
/* Set token owner to the same value as token user */
|
||||
if (!SetTokenInformation (hProcToken, TokenOwner, &effec_cygsid,
|
||||
sizeof (cygsid)))
|
||||
debug_printf ("SetTokenInformation(TokenOwner), %E");
|
||||
status = NtSetInformationToken (hProcToken, TokenOwner, &effec_cygsid,
|
||||
sizeof (cygsid));
|
||||
if (!NT_SUCCESS (status))
|
||||
debug_printf ("NtSetInformationToken(TokenOwner), %p", status);
|
||||
|
||||
/* Standard way to build a security descriptor with the usual DACL */
|
||||
PSECURITY_ATTRIBUTES sa_buf = (PSECURITY_ATTRIBUTES) alloca (1024);
|
||||
psd = (PSECURITY_DESCRIPTOR)
|
||||
(sec_user_nih (sa_buf, sid()))->lpSecurityDescriptor;
|
||||
|
||||
NTSTATUS status;
|
||||
BOOLEAN acl_exists, dummy;
|
||||
TOKEN_DEFAULT_DACL dacl;
|
||||
|
||||
|
@ -94,9 +97,10 @@ cygheap_user::init ()
|
|||
{
|
||||
|
||||
/* Set the default DACL and the process DACL */
|
||||
if (!SetTokenInformation (hProcToken, TokenDefaultDacl, &dacl,
|
||||
sizeof (dacl)))
|
||||
system_printf ("SetTokenInformation (TokenDefaultDacl), %E");
|
||||
status = NtSetInformationToken (hProcToken, TokenDefaultDacl, &dacl,
|
||||
sizeof (dacl));
|
||||
if (!NT_SUCCESS (status))
|
||||
system_printf ("NtSetInformationToken (TokenDefaultDacl), %p", status);
|
||||
if ((status = NtSetSecurityObject (NtCurrentProcess (),
|
||||
DACL_SECURITY_INFORMATION, psd)))
|
||||
system_printf ("NtSetSecurityObject, %lx", status);
|
||||
|
@ -128,9 +132,12 @@ internal_getlogin (cygheap_user &user)
|
|||
if (gsid != user.groups.pgsid)
|
||||
{
|
||||
/* Set primary group to the group in /etc/passwd. */
|
||||
if (!SetTokenInformation (hProcToken, TokenPrimaryGroup,
|
||||
&gsid, sizeof gsid))
|
||||
debug_printf ("SetTokenInformation(TokenPrimaryGroup), %E");
|
||||
NTSTATUS status = NtSetInformationToken (hProcToken,
|
||||
TokenPrimaryGroup,
|
||||
&gsid, sizeof gsid);
|
||||
if (!NT_SUCCESS (status))
|
||||
debug_printf ("NtSetInformationToken (TokenPrimaryGroup), %p",
|
||||
status);
|
||||
else
|
||||
user.groups.pgsid = gsid;
|
||||
clear_procimptoken ();
|
||||
|
|
Loading…
Reference in New Issue