This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: security.cc: bug report, question and suggestion


Corinna Vinschen wrote:

> That sounds weird, though.  It doesn't make sense.  The DACL
> for the token only sets the permissions for accessing the token
> and not for accessing other objects.
> 
> Hmm.
> 
> OTOH..., if the process can't access the token it doesn't know about
> its own permissions.  But why should only accessing a registry key
> be affected and not accessing files?!?

I agree it doesn't make sense and it's all Microsoft's doing...

By the way, do you know why LookupAccountSid() returns different
values when the sid is impersonated and when it isn't? Like:

In impersonated token created in a process launched by Phumblet
/******************* Token User */
PHumblet WIRELESS SidTypeUser                   <==== ?????
S-1-5-21-2127391503-1594901184-99485923-1004    <==== impersonated sid

the (account) name PHumblet doesn't match the sid's username here.
It would if the process was launched directly by the user
(instead of being impersonated). 
> 
> The latter call is the one I added to the DuplicateTokenEx() call
> to create this sort of SA with five SIDs, the current user, the
> impersonated user (additional SID parameter), admins, system and
> creator_owner.

What you do is essentially the same as what I tried, except you
put the sa, sd and dacl in a contiguous memory buffer. My code
(which also didn't have any effect) was using pointers from sa to sd
and from sd to the dacl (thus spread in 3 different memory blocks).

> And you say that this doesn't help at all?  Hmm, I will have to
> debug that further.  SIGH!

Instead of debugging DuplicateTokenEx() it may be simpler (but
less efficient) to set the sd DACL in seteuid(), after the
call to ImpersonateLoggedOnUser(). That's essentially what
my call is doing when NULLing the DACL (see previous mail).
It would also take care of the subauthentication case.
I haven't looked at that at all.

> 
> Could you send your minimal testcase, please?

Yes, but perhaps not before Monday.

Pierre
