* sec_auth.cc (create_token): Add integrity level SID to token on

systems supporting that.  Remove useless check for dynamically loading
	NtCreateToken function.
	* sec_helper.cc (mandatory_medium_integrity_sid): Define.
	(mandatory_high_integrity_sid): Define.
	(mandatory_system_integrity_sid): Define.
	* sec_helper.h (mandatory_medium_integrity_sid): Declare.
	(mandatory_high_integrity_sid): Declare.
	(mandatory_system_integrity_sid): Declare.
This commit is contained in:
Corinna Vinschen 2008-04-22 10:45:34 +00:00
parent 1137c058e5
commit b1138f3d4b
4 changed files with 39 additions and 6 deletions

View File

@ -1,3 +1,15 @@
2008-04-22 Corinna Vinschen <corinna@vinschen.de>
* sec_auth.cc (create_token): Add integrity level SID to token on
systems supporting that. Remove useless check for dynamically loading
NtCreateToken function.
* sec_helper.cc (mandatory_medium_integrity_sid): Define.
(mandatory_high_integrity_sid): Define.
(mandatory_system_integrity_sid): Define.
* sec_helper.h (mandatory_medium_integrity_sid): Declare.
(mandatory_high_integrity_sid): Declare.
(mandatory_system_integrity_sid): Declare.
2008-04-21 Corinna Vinschen <corinna@vinschen.de>
* mount.cc (mount_info::init): Remove call to from_registry. Print

View File

@ -825,7 +825,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
/* Create a TOKEN_GROUPS list from the above retrieved list of sids. */
new_tok_gsids = (PTOKEN_GROUPS)
alloca (sizeof (DWORD) + tmp_gsids.count ()
alloca (sizeof (DWORD) + (tmp_gsids.count () + 1)
* sizeof (SID_AND_ATTRIBUTES));
new_tok_gsids->GroupCount = tmp_gsids.count ();
for (DWORD i = 0; i < new_tok_gsids->GroupCount; ++i)
@ -837,6 +837,23 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
}
if (auth_pos >= 0)
new_tok_gsids->Groups[auth_pos].Attributes |= SE_GROUP_LOGON_ID;
/* On systems supporting Mandatory Integrity Control, add a MIC SID. */
if (wincap.has_mandatory_integrity_control ())
{
new_tok_gsids->Groups[new_tok_gsids->GroupCount].Attributes =
SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED;
if (usersid == well_known_system_sid)
new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid
= mandatory_system_integrity_sid;
else if (tmp_gsids.contains (well_known_admins_sid))
new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid
= mandatory_high_integrity_sid;
else
new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid
= mandatory_medium_integrity_sid;
}
/* Retrieve list of privileges of that user. */
if (!(privs = get_priv_list (lsa, usersid, tmp_gsids, psize)))
goto out;
@ -847,11 +864,6 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
&pgrp, &dacl, &source);
if (ret)
__seterrno_from_nt_status (ret);
else if (GetLastError () == ERROR_PROC_NOT_FOUND)
{
__seterrno ();
debug_printf ("Loading NtCreateToken failed.");
}
else
{
/* Convert to primary token. */

View File

@ -60,6 +60,12 @@ MKSID (well_known_admins_sid, "S-1-5-32-544",
DOMAIN_ALIAS_RID_ADMINS);
MKSID (fake_logon_sid, "S-1-5-5-0-0",
SECURITY_NT_AUTHORITY, 3, SECURITY_LOGON_IDS_RID, 0, 0);
MKSID (mandatory_medium_integrity_sid, "S-1-16-8192",
SECURITY_MANDATORY_LABEL_AUTHORITY, 1, SECURITY_MANDATORY_MEDIUM_RID);
MKSID (mandatory_high_integrity_sid, "S-1-16-12288",
SECURITY_MANDATORY_LABEL_AUTHORITY, 1, SECURITY_MANDATORY_HIGH_RID);
MKSID (mandatory_system_integrity_sid, "S-1-16-16384",
SECURITY_MANDATORY_LABEL_AUTHORITY, 1, SECURITY_MANDATORY_SYSTEM_RID);
bool
cygpsid::operator== (const char *nsidstr) const

View File

@ -323,6 +323,9 @@ extern cygpsid well_known_this_org_sid;
extern cygpsid well_known_system_sid;
extern cygpsid well_known_admins_sid;
extern cygpsid fake_logon_sid;
extern cygpsid mandatory_medium_integrity_sid;
extern cygpsid mandatory_high_integrity_sid;
extern cygpsid mandatory_system_integrity_sid;
bool privilege_luid (const char *pname, LUID *luid);