Cygwin: seteuid: refuse changing uid to disabled or locked out user

So far seteuid could change uid to any existing account, given
sufficient permissions of the caller.  This is kind of bad since
it disallows admins to refuse login to disabled or locked out
accounts.

Add check for the account's UF_ACCOUNTDISABLE or UF_LOCKOUT flags
and don't let the user in, if one of the flags is set.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
This commit is contained in:
Corinna Vinschen 2019-01-24 16:22:49 +01:00
parent 2166f7dc0d
commit 2c12a2c32a
2 changed files with 18 additions and 0 deletions

View File

@ -81,3 +81,6 @@ Bug Fixes
- Fix thread names in GDB when cygthreads get reused. - Fix thread names in GDB when cygthreads get reused.
- Fix return value of gethostname in a border case. - Fix return value of gethostname in a border case.
- Disallow seteuid on disabled or locked out accounts.
Addresses: https://cygwin.com/ml/cygwin/2019-01/msg00197.html

View File

@ -553,6 +553,21 @@ get_server_groups (cygsidlist &grp_list, PSID usersid)
&& sid_sub_auth (usersid, 0) == SECURITY_NT_NON_UNIQUE && sid_sub_auth (usersid, 0) == SECURITY_NT_NON_UNIQUE
&& get_logon_server (domain, server, DS_IS_FLAT_NAME)) && get_logon_server (domain, server, DS_IS_FLAT_NAME))
{ {
NET_API_STATUS napi_stat;
USER_INFO_1 *ui1;
bool allow_user = false;
napi_stat = NetUserGetInfo (server, user, 1, (LPBYTE *) &ui1);
if (napi_stat == NERR_Success)
allow_user = !(ui1->usri1_flags & (UF_ACCOUNTDISABLE | UF_LOCKOUT));
if (ui1)
NetApiBufferFree (ui1);
if (!allow_user)
{
debug_printf ("User denied: %W\\%W", domain, user);
set_errno (EACCES);
return false;
}
get_user_groups (server, grp_list, user, domain); get_user_groups (server, grp_list, user, domain);
get_user_local_groups (server, domain, grp_list, user); get_user_local_groups (server, domain, grp_list, user);
} }