Commit Graph

102 Commits

Author SHA1 Message Date
J.H. van de Water 7b06893f93 Cygwin: fix: seteuid32() must return EPERM if privileges are not held.
Starting w/ the intro of S4U, seteuid32() calls lsaprivkeyauth(), then
s4uauth(). s4uauth calls LsaRegisterLogonProcess().
LsaRegisterLogonProcess fails w/ STATUS_PORT_CONNECTION_REFUSED, if the
proper privileges are not held.
Because of RtlNtStatusToDosError(), this status would be mapped to
ERROR_ACCESS_DENIED, which in turn would map to EACCES. Therefore it is
useless to add this status to errmap[] (errno.cc), as s4auauth() should
return EPERM as errno here (i.e. if process is not privileged).

Hence the kludge.

Before the intro of S4U, seteuid32() called lsaprivkeyauth(), then
lsaauth(), then create_token(). Before the intro of Vista, the latter
would have called NtCreateToken().
NtCreateToken() would have failed w/ STATUS_PRIVILEGE_NOT_HELD for a
process w/o the proper privileges. In that case, calling seteuid32()
would have returned EPERM (as required).

Since the intro of Vista, and if the process had been started from an
UNelevated shell, create_token() does NOT reach NtCreateToken()!
As create_token() failed to properly set errno in that case, calling
seteuid32() would return errno as set by lsaauth(), i.e. EACCES, not
in agreement w/ Posix (a bug which was present for years).
(lsaauth() called LsaRegisterLogonProcess() which would fail)
2019-03-27 17:12:43 +01:00
Corinna Vinschen ad49232083 Revert "Cygwin: load_user_profile: temporarily extend debug output"
This reverts commit 6aef5a46d7.
2019-03-04 17:31:34 +01:00
Corinna Vinschen 5c4ce731ac Cygwin: Revert attempting to unload user profile after use
Revert "Cywin: user profile: unload impersonation user profile on exit"
Revert "Cygwin: seteuid: allow inheriting impersonation user profile handle"
Revert "Cygwin: user profile: add debug output to unload_user_profile"
Revert "Cygwin: user profile: Make an effort to unload unused user profiles"

This reverts commit bcb33dc4f0.
This reverts commit dd3730ed9c.
This reverts commit 8eee25241e.
This reverts commit 71b8777a71.

This patchset actually results in the following problem:

- After a couple of ssh logon/logoff attempts, an interactive session
  of the same user loging in, is broken.

Apparently UnloadUserProfile manages to unload the user's profile
even while a parallel interactive session still uses the user's
profile.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-03-04 17:31:27 +01:00
Corinna Vinschen 4abac62193 Cygwin: load_user_profile: Don't give primary domain to ldap
If the user domain is the primary domain, LDAP is supposed to
use the default naming context.  This is accomplished by setting
domain name to NULL in the call to cyg_ldap::fetch_ad_account.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-03-02 12:47:54 +01:00
Corinna Vinschen 166913fb23 Cygwin: authentication: Always initialize domain info
...before calling any of its method.  It's no safe bet that
it's already initialized when calling s4uauth and adding it
to load_user_profile certainly doesn't hurt.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-03-01 21:08:44 +01:00
Corinna Vinschen bffd21ad80 Cygwin: load_user_profile: use local pointer when appropriate
dnsdomain does not have to be a copy of the domain, a pointer into
cygheap is sufficient.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-03-01 21:08:44 +01:00
Corinna Vinschen 7ba9d12a72 Cygwin: load_user_profile: fix use-after-free issue
In case of a local machine account login, pi.lpProfilePath points
to the buffer returned by NetUserGetInfo, but NetApiBufferFree
is called prior to calling LoadUserProfileW.  Fix by copying over
usri3_profile to the local userpath buffer, just as in the AD case.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-03-01 21:08:44 +01:00
Corinna Vinschen 6aef5a46d7 Cygwin: load_user_profile: temporarily extend debug output
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-03-01 16:05:33 +01:00
Corinna Vinschen f18a161cff Cygwin: s4uauth: drop fallback to MsV1_0 if Kerberos fails
This never really worked.  While at it, restructure code to
do common stuff only in one spot.  Improve debug output.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-03-01 16:04:51 +01:00
Corinna Vinschen 5d9ac1291d Cygwin: load_user_profile: chack if we got a valid, known domainname
...otherwise we may suffer a SEGV because dnsdomain is NULL.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-28 23:17:55 +01:00
Corinna Vinschen 8eee25241e Cygwin: user profile: add debug output to unload_user_profile
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-23 20:46:48 +01:00
Corinna Vinschen 71b8777a71 Cygwin: user profile: Make an effort to unload unused user profiles
Does this work?  There's not much feedback given.

TODO: We might want to try unloading the user profile at process
exit as well, FWIW.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-23 17:30:44 +01:00
Corinna Vinschen 322ab51659 Cygwin: user profile: fetch roaming profile path via LDAP
Commit 649911fb40 avoids the
calls to NetUserGetGroups and NetUserGetLocalGroups since
these can take a lot of time.  The same problem potentially
occurs when loading the user profile.  The code fetches
the roaming profile path calling NetUserGetInfo, which also
can be rather slow.

To avoid this problem, fetch the profile patch using LDAP.
Also, don't bail out early if the user's registry hive already
exists.  This may result in outdated information.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-23 17:22:44 +01:00
Corinna Vinschen 649911fb40 Cygwin: get_user_groups: fetch a user's group list from identification token
NetUserGetGroups and NetUserGetLocalGroups sometimes take a lot of time
(up to more than 2 mins) for no apparent reason.

Call s4uauth to generate an identification token for the user and fetch
the group list from there.  This is *much* faster.

Keep the old code only for the sake of WOW64 on Vista and Windows 7,
which don't implement MsV1_0S4ULogon.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-22 21:58:51 +01:00
Corinna Vinschen 105fbdebdd Cygwin: s4uauth: allow to be called for identification only
s4uath was only callable to create an impersonation token so
far.  Rework the function to allow creating an identification
token for informational purposes even from untrusted processes.

Take domainname and username instead of a passwd pointer to be
more multi-purpose.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-22 21:58:51 +01:00
Corinna Vinschen 82c2cf6abc Cygwin: drop unused parameter from get_user_local_groups
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-22 21:58:51 +01:00
Corinna Vinschen 14e2268853 Cygwin: fetch local groups from local machine
...even for domain accounts, otherwise local group membership is ignored.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-22 00:13:57 +01:00
Corinna Vinschen 30782f7de4 Cygwin: s4uauth: convert token to primary token
Up to Vista CreateProcessAsUser only worked with primary tokens,
so convert S4U impersonation token to primary token.  MSDN still
documents it that way, but actually an impersonation token is
sufficient since Windows 7.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-18 21:45:34 +01:00
Corinna Vinschen e53373bbdb Cygwin: re-enable create_token for older systems
Under WOW64 on 64 bit Windows 7, MsV1_0S4ULogon appears to be
unimplemented, probably under Vista as well.  Re-enable
create_token method, to allow basic seteuid on W7 WOW64 and
Vista as well.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-18 21:00:59 +01:00
Corinna Vinschen a96d68c5bd Cygwin: s4uauth: make sure to fetch correct package id
for domain accounts we try KerbS4ULogon first, MsV1_0S4ULogon
second.  But we only fetch the package id for the supporting
authentication package (Kerberos/MsV1_0) once at the start.

Duplicate LsaLookupAuthenticationPackage call and move into the
Kerb/MsV1_0 branches so that it fetches the correct package id
for the method we call next.

Curious enough this worked before.  Apparently both methods
work with the MICROSOFT_KERBEROS_NAME_A package id.  However,
requesting and using the right authentication package id is
the prudent thing to do.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-18 17:59:56 +01:00
Corinna Vinschen 2741dd0550 Cygwin: seteuid: disable unused funcs and lsaauth subdir
If S4U proves to be usable alone, remove this code entirely.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-28 10:24:18 +01:00
Corinna Vinschen 0fb497165f Cygwin: seteuid: use Kerberos/MsV1_0 S4U authentication by default
- This simple and official method replaces cyglsa and "create token"
  methods.  No network share access, same as before.

- lsaauth and create_token are disabled now.  If problems crop up,
  they can be easily reactivated.  If no problems crop up, they
  can be removed in a while, together with the lsaauth subdir.

- Bump Cygwin version to 3.0.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-26 19:41:03 +01:00
Corinna Vinschen 0e3fd33321 Cygwin: create_token: Return NULL, not INVALID_HANDLE_VALUE
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-26 12:42:38 +01:00
Corinna Vinschen c524a915a5 Cygwin: lsaauth: Drop outdated test for loading Secur32.dll
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-26 12:42:37 +01:00
Corinna Vinschen 02373d8bec Cygwin: seteuid: work with password-less user switch as well
The previous patch failed with password-less auth because in
that case the return code from get_server_groups wasn't tested.
Fix that.  Also make sure that get_server_groups does not
check if the account is disabled or locked out when just fetching
the group list for initgroups or getgrouplist.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-24 21:20:09 +01:00
Corinna Vinschen 2c12a2c32a Cygwin: seteuid: refuse changing uid to disabled or locked out user
So far seteuid could change uid to any existing account, given
sufficient permissions of the caller.  This is kind of bad since
it disallows admins to refuse login to disabled or locked out
accounts.

Add check for the account's UF_ACCOUNTDISABLE or UF_LOCKOUT flags
and don't let the user in, if one of the flags is set.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-01-24 16:24:35 +01:00
Corinna Vinschen 838cfa352c Don't free statically allocated sys_privs
commit 67fd2101 introduced a bad bug.  Changing sys_privs to a static
area and just returning a pointer is nice... *if* the calling code doesn't
call free() on it.  Make sure callers check pointer for sys_privs and
refrain from calling free, if so.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2017-01-09 14:02:19 +01:00
Corinna Vinschen 40668dcc7c Add length check creating domain\group strings
Fix Coverity CID 153932

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2016-11-24 10:40:14 +01:00
Corinna Vinschen 00e9bf2bb3 Fix various OS-related comments
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2016-06-24 23:32:39 +02:00
Corinna Vinschen ecea753689 sec_auth.cc: Drop prototype for CreateProfile, don't expect failed autoload 2016-06-24 22:49:18 +02:00
Corinna Vinschen 67fd2101ab Drop max_sys_priv wincap
Convert sys_privs to const struct with TOKEN_PRIVILEGES layout.
Drop function get_system_priv_list.  Just use pointer to sys_privs.

Dropping max_sys_priv from wincaps requires to make sure that the
bitfield is 8 byte aligned on x86_64, otherwise gcc (5.3 only?)
apparently breaks access to the bitfield (off by 4 bytes).

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2016-06-24 21:00:04 +02:00
Corinna Vinschen aacc4f63d0 Drop has_mandatory_integrity_control flag 2016-06-23 22:21:23 +02:00
Corinna Vinschen 6e623e9320 Switching the Cygwin DLL to LGPLv3+, dropping commercial buyout option
Bump GPLv2+ to GPLv3+ for some files, clarify BSD 2-clause.

Everything else stays under GPLv3+.

New Linking Exception exempts resulting executables from LGPLv3 section 4.

Add CONTRIBUTORS file to keep track of licensing.

Remove 'Copyright Red Hat Inc' comments.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2016-06-23 10:09:17 +02:00
Corinna Vinschen 155a1ec5fb Allocate temporary TOKEN_GROUP arrays using TLS
A user token can be up to 64K in size.  The group list might take a lot
of that so use tmp_pathbuf allocated space rather than stack space
allocted via alloca.  In create_token the TOKEN_GROUP was allocated via
malloc, but the code is needlessly complicated.  Simplify by using
tmp_pathbuf as well.

	* sec_auth.cc (verify_token): Allocate TOKEN_GROUP via tmp_pathbuf.
	(create_token): Ditto.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2016-03-23 17:40:24 +01:00
Corinna Vinschen 205862ed08 setuid: Create token from scratch without credentials of caller
* sec_auth.cc (get_token_group_sidlist): Drop auth_luid and
	auth_pos parameter.  Remove code adding a logon SID.
	(get_initgroups_sidlist): Drop auth_luid and auth_pos parameter.
	Drop in call to get_token_group_sidlist. Accommodate in callers.
	(get_setgroups_sidlist): Ditto.
	(create_token): Explicitely set auth_luid to ANONYMOUS_LOGON_LUID
	or LOCALSERVICE_LUID depending on OS.  Explain why.
	Remove handling of logon SID since we don't generate one anymore.
	(lsaauth): Drop now unused local variable auth_luid and auth_pos.
	* wincap.h (wincaps::has_broken_whoami): New element.
	* wincap.cc: Implement above element throughout.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2016-02-18 11:22:12 +01:00
Corinna Vinschen b5c80f5a59 cygwin_logon_user: Return non-privileged token as well
If the calling process doesn't have sufficient privileges to
	fetch the linked token of an admin-user token, cygwin_logon_user
	fails.  This patch changes that by returning the original,
	unprivileged token of the admin user to allow authentication
	and calling setuid for the current process.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2016-01-21 18:32:16 +01:00
Corinna Vinschen d44ec01ea1 Fix formatting in sec_auth.cc
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2016-01-21 18:27:05 +01:00
Corinna Vinschen 4a9636b1d6
Implmenet faster getfrompw/getfromgr
* grp.cc (pwdgrp::parse_group): Call cygsid::getfromgr_passwd.
	* passwd.cc (pwdgrp::parse_passwd): Call cygsid::getfrompw_gecos.
	* pwdgrp.h (cygsid::getfrompw): Implement as inline method here,
	accessing pg_pwd's sid member directly.
	(cygsid::getfromgr): Implement as inline method here, accessing
	pg_grp's sid member directly.
	* sec_auth.cc (extract_nt_dom_user): Call cygsid::getfrompw_gecos.
	Explain why.
	* sec_helper.cc (cygsid::getfrompw): Drop implementation.
	(cygsid::getfromgr): Ditto.
	* security.h (cygsid::getfrompw_gecos): Implement former getfrompw
	inline here.
	(cygsid::getfromgr_passwd): Implement former getfromgr inline here.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-03-18 17:15:27 +01:00
Corinna Vinschen 1d91d469ee
Drop unneeded passwd argument from security functions
* sec_auth.cc (get_server_groups): Drop unused passwd argument.  Adjust
	calls throughout.
	(get_initgroups_sidlist): Ditto.
	(get_setgroups_sidlist): Ditto.
	(create_token): Ditto.
	(lsaauth): Ditto.
	* security.h (create_token): Adjust prototype to above change.
	(lsaauth): Ditto.
	(get_server_groups): Ditto.
	* grp.cc (get_groups): Adjust call to get_server_groups.
	* syscalls.cc (seteuid32): Adjust calls to lsaauth and create_token.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-03-18 16:54:19 +01:00
Corinna Vinschen 37e87b843f * common.din (issetugid): Export.
* glob.cc (issetugid): Drop macro.
	* sec_auth.cc (issetugid): New exported function.
	* include/cygwin/version.h (CYGWIN_VERSION_API_MINOR): Bump.
2015-03-03 12:58:34 +00:00
Corinna Vinschen f485f16276 * sec_auth.cc (get_logon_server): Constify domain parameter.
* security.h (get_logon_server): Same in prototype.
2015-01-21 16:31:38 +00:00
Corinna Vinschen 41f77e25f1 * autoload.cc (CreateProfile): Import.
(LoadUserProfileW): Import.
	* registry.cc (get_registry_hive_path): Move to sec_auth.cc.
	(load_registry_hive): Remove.
	* registry.h (get_registry_hive_path): Drop declaration.
	(load_registry_hive): Ditto.
	* sec_auth.cc (get_user_profile_directory): Moved from registry.cc and
	renamed.  Take third parameter with buffer length.
	(load_user_profile): New function taking over for load_registry_hive.
	Use official functions to load profile.  If profile is missing, create
	it on Vista and later.
	* security.h (get_user_profile_directory): Declare.
	(load_user_profile): Declare.
	* syscalls.cc (seteuid32): Replace call to load_registry_hive with call
	to load_user_profile.
	* uinfo.cc (cygheap_user::env_userprofile): Replace call to
	get_registry_hive_path with call to get_user_profile_directory.
2014-12-02 10:49:47 +00:00
Corinna Vinschen adc07b999f * sec_auth.cc (str2lsa): Remove.
(str2buf2lsa): Remove.
	(lsaauth): Call RtlInitAnsiString instead of str2lsa and str2buf2lsa.
2014-12-02 10:04:53 +00:00
Corinna Vinschen 51521b2a6e * sec_auth.cc (get_user_groups): Remove experimental exception handler
added 2014-09-05.
	(get_user_local_groups): Ditto.
2014-10-21 19:17:09 +00:00
Corinna Vinschen bea3ef947a * exception.h (class exception): Remove unnecessary #ifdef.
* uinfo.cc (client_request_pwdgrp::client_request_pwdgrp): Fix length
	counter to include trailing NUL.

	* sec_auth.cc (get_user_groups): Add experimental exception handler.
	(get_user_local_groups): Ditto.
2014-09-05 11:47:33 +00:00
Corinna Vinschen de13ccea73 * sec_auth.cc (get_server_groups): Call get_user_local_groups only if
get_logon_server succeeded.
2014-05-22 16:40:13 +00:00
Corinna Vinschen 51a895f86d * scandir.cc (scandir): Assume namelist is always valid, per POSIX.
(CID 60021).
	* sec_auth.cc (cygwin_logon_user): Securely erase password copy.
	(lsaprivkeyauth): Avoid trying to dereference data if no key is stored
	in the registry (CID 60122).  Securely erase passwords after usage.
2014-05-20 10:21:34 +00:00
Corinna Vinschen 6506454fb3 * sec_auth.cc (get_server_groups): Call get_logon_server only for
non-builtin accounts.
	* uinfo.cc (pwdgrp::fetch_account_from_windows): Check incoming
	account name for validity in terms of the current name prefixing rules
	and refuse invalid names.
2014-05-14 11:27:47 +00:00
Corinna Vinschen fc3a3524b2 * security.h (MAX_SUBAUTH_CNT): Drop. Use SID_MAX_SUB_AUTHORITIES
instead throughout.
	(MAX_SID_LEN): Drop.  Use SECURITY_MAX_SID_SIZE instead throughout.
2014-05-06 12:28:33 +00:00
Corinna Vinschen 58cc7a6498 * sec_auth.cc (create_token): Initialize lsa handle to NULL, rather than
to INVALID_HANDLE_VALUE.
	(lsaauth): Ditto.
	(lsaprivkeyauth): Ditto.
	* setlsapwd.cc (setlsapwd): Don't initialize lsa handle.
2014-03-28 20:34:04 +00:00