Problems on accessing Windows network resources

Corinna Vinschen vinschen@redhat.com
Tue Jun 10 17:00:00 GMT 2003


On Tue, Jun 10, 2003 at 12:50:18PM -0400, Pierre A. Humblet wrote:
> > I'm wondering if we can't simply make the assumption, that when the
> > application calls seteuid(orig_uid) just triggers a RevertToSelf()
> > and nothing else.  I don't know a case where the application reverts
> > to orig_uid to keep the group rights.  Do you know one?
> 
> I have met that case, for example when you send mail to SYSTEM with 
> exim (sending mail to root). There is at some point a token 
> with the pair (mail_gid, system_uid). 
> However we can add a test to detect that: if the application
> calls seteuid(orig_uid) AND there has not been a setegid call
> since the last seteuid(), then RevertToSelf.  

Somehow this seems to fit into the below description.  If the application
didin't call setegid() and seteuid(orig_sid), revert, else impersonate...
roughly spoken.

> We would have to change myself->gid to orig_gid as well, remember the
> one we had before the RevertToSelf, and switch back to it on the
> next seteuid.
> An advantage of this approach is that we never create an unnecessary
> token for the pair (user_gid, orig_uid).
>   
> > And the other way around, if the application provides a token with
> > cygwin_set_impersonation_token(), then that means, IMHO:
> > 
> > - The application calls setegid() with gid != token_primary_group_gid:
> > 
> >         trigger create_token in a later call to seteuid()
> > 
> > - The application calls setegid() with gid == token_primary_group_gid:
> > 
> >         Use token from cygwin_set_impersonation_token().
> > 
> > - The application doesn't call setegid():
> > 
> >         Ditto.
> > 
> > Case 3 is the interesting one.
> 
> I would modify it as follows: if the application doesn't call setegid(),
> and there is a saved_gid, use that gid (and the token that goes with
> the pair).

Ahm... what saved_gid?  I don't understand.

> I can still do that this evening.

Would be nice.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.



More information about the Cygwin-developers mailing list