[newlib-cygwin] Cygwin: s4uauth: convert token to primary token

Corinna Vinschen corinna@sourceware.org
Mon Feb 18 20:46:00 GMT 2019


https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=30782f7de4936bbc4c2e666cbaf587039c895fd3

commit 30782f7de4936bbc4c2e666cbaf587039c895fd3
Author: Corinna Vinschen <corinna@vinschen.de>
Date:   Mon Feb 18 21:45:34 2019 +0100

    Cygwin: s4uauth: convert token to primary token
    
    Up to Vista CreateProcessAsUser only worked with primary tokens,
    so convert S4U impersonation token to primary token.  MSDN still
    documents it that way, but actually an impersonation token is
    sufficient since Windows 7.
    
    Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

Diff:
---
 winsup/cygwin/sec_auth.cc | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index 316ae99..beff327 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -1556,6 +1556,8 @@ msv1_0_auth:
   MSV1_0_S4U_LOGON *s4u_logon;
   USHORT user_len, domain_len;
 
+  /* Per MSDN MsV1_0S4ULogon is not implemented on Vista, but surprisingly
+     it works. */
   RtlInitAnsiString (&name, MSV1_0_PACKAGE_NAME);
   status = LsaLookupAuthenticationPackage (lsa_hdl, &name, &package_id);
   if (status != STATUS_SUCCESS)
@@ -1607,6 +1609,30 @@ out:
   if (profile)
     LsaFreeReturnBuffer (profile);
 
+  if (token)
+    {
+      /* Convert to primary token.  Strictly speaking this is only
+	 required on Vista/2008.  CreateProcessAsUser also takes
+	 impersonation tokens since Windows 7. */
+      HANDLE tmp_token;
+
+      if (DuplicateTokenEx (token, MAXIMUM_ALLOWED, &sec_none,
+			    SecurityImpersonation, TokenPrimary, &tmp_token))
+	{
+	  CloseHandle (token);
+	  token = tmp_token;
+	}
+      else
+	{
+	  __seterrno ();
+	  debug_printf ("DuplicateTokenEx %E");
+	  /* Make sure not to allow create_token. */
+	  status = STATUS_INVALID_HANDLE;
+	  CloseHandle (token);
+	  token = NULL;
+	}
+    }
+
   pop_self_privilege ();
   ret_status = status;
   return token;
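Review bot: The duplicated primary token is created with `&sec_none` as its SECURITY_ATTRIBUTES; if that is the inheritable variant (Cygwin also has `sec_none_nih` for non-inheritable handles), the primary token handle becomes inheritable by any child process started while it is open, which is wider exposure than the impersonation handle it replaces. If inheritance is not required for the subsequent CreateProcessAsUser call, `&sec_none_nih` would be the least-privilege choice; otherwise a short comment stating why the handle must be inheritable would help the next reader. Similarly, `MAXIMUM_ALLOWED` is requested for the new token although only the rights needed to create the process are used downstream; worth a comment if the broad mask is deliberate. The enclosing function starts outside this hunk, so the callers and the ret_status contract could not be checked here.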


