This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: PATCH: login under privileged user != SYSTEM

On Apr 18 04:32, Charles Wilson wrote:
> Corinna Vinschen wrote:
>> Cool, thanks!  Would you mind to take over login maintainance, too?  It
>> was always just the wagging tail of inetutils anyway...
> Sure.

Thank you!  Igor?  Can we get another gold star for Charles?

>> - I wouldn't do the automatic yes for uid 18 anymore.  Even for NT/2K/XP
>>   it would be more correct to check if the current account running the
>                                              ^^^^^^^^^^^^^^^^^^^^^^^
>>   process is the one with SID S-1-5-18.  
> But that's not exactly what you want, here. Sometimes, login.c does
>   isROOTUID(getuid())
> which could be replaced as you suggest. But *most* of the time, login.c 
> does
>   isROOTUID(pw->pw_uid)
> before it has actually switched to that user.
> And saying that isROOTUID(uid) ==
>   {
>     setuid(pw->pw_uid);
>     isCurrentProcessRunningAsROOT();
>     setuid(saved_uid);
>   }
> is overkill -- especially as I want "isROOTUID(uid)" to work even if the 
> current user does NOT have the privileges needed for setuid() to work.

That makes sense.

> ==== aside:
> And I wish I could have figured out how to make 
> uidIsMemberOfLocalAdmin(uid_t uid), but if uid != current user it's really 
> hard to get the either (a) the list of groups a particular user is a member 
> of, or (b) the list of users that are members of a particular group.  Since 
> I already have a make-SID-from-uid method, if I had (a) I could iterate 
> that list trying to match the local Administrators SID, or if I had (b) I 
> could iterate through the list and compare to my SID-from-uid.
> I know there is NetUserGetLocalGroups, but what if the user is a member of 
> a global group, and the local security policy makes that global group a 
> member of the (local) Administrators group? With the multi-level inclusion 
> of groups, it's almost easier to go the other way: get the local 
> administrator group, and use (recursively) NetLocalGroupGetMembers and 
> NetGroupGetUsers to build a list of all users that are (directly or by 
> inclusion) members of the (local) Administrators group -- and THEN iterate 
> that to see if any of them match SID-from-uid.
> But neither is easy.
> ==== end aside

Yes, I agree wholeheartedly.  The handling of users and groups is
really complicated and you're coding your brain out of your head just
to *get* the information and tyhen you still have to test.  It's
really not funny how much code you need to fetch certain types of

> So, I'm still not checking that the uid specified is a member of the local 
> Administrators group.
> I did discover one awkward thing: in my make-SID-from-uid function, I do 
> the following
> 1. get struct passwd* for uid
> 2. cygwin_internal(CW_EXTRACT_DOMAIN_AND_USER, pw, domain, name);
> 3. get the servername for the domain by using either
>    DsGetDcName or NetGetDCName
> 4. use NetUserGetInfo to get a PUSER_INFO_3 structure
>    (if domain user, and call fails, try again locally...)
> 5. use LookupAccountName to get the SID
>    (if basic call fails and returned account type is SidTypeDomain,
>    try again after adding domain spec to username)
> However, if uid = 18 it turns out that NetUserGetInfo(...., 
> toUnicode("LocalSystem"),...) always fails. I even tested that proposition 
> in a quick test app. It just doesn't work.

As for an account being Administrator, and apart from special accounts

What about just checking the value of PUSER_INFO_3->usri3_priv?  It may
contain the value USER_PRIV_ADMIN.  That should be sufficient, afaics.


Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Unsubscribe info:
Problem reports:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]