[Patch] *** CreateFileMapping, Win32 error 5. Terminating.

Pierre A. Humblet pierre@phumblet.no-ip.org
Thu Oct 16 02:27:00 GMT 2003


The background for this patch was just explained on the Cygwin
mailing list.

We must make sure that the user SID is present in the default
DACL of impersonation tokens, internal as well as external.
Thus the place to do it is in seteuid32(), and it becomes unnecessary
to create a default DACL in create_token.

Pierre
 

2003-10-15  Pierre Humblet  <pierre.humblet@ieee.org>

	* syscalls.cc (seteuid32): Always construct a default DACL including
	the new sid, Admins and SYSTEM and copy it to the new thread token.
	* security.cc (create_token): Use a NULL default DACL in NtCreateToken.
-------------- next part --------------
Index: security.cc
===================================================================
RCS file: /cvs/src/src/winsup/cygwin/security.cc,v
retrieving revision 1.153
diff -u -p -r1.153 security.cc
--- security.cc	25 Sep 2003 03:51:50 -0000	1.153
+++ security.cc	15 Oct 2003 22:14:49 -0000
@@ -815,8 +815,7 @@ create_token (cygsid &usersid, user_grou
   PTOKEN_PRIVILEGES privs = NULL;
   TOKEN_OWNER owner;
   TOKEN_PRIMARY_GROUP pgrp;
-  char acl_buf[MAX_DACL_LEN (5)];
-  TOKEN_DEFAULT_DACL dacl;
+  TOKEN_DEFAULT_DACL dacl = {};
   TOKEN_SOURCE source;
   TOKEN_STATISTICS stats;
   memcpy (source.SourceName, "Cygwin.1", 8);
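Review bot: With `TOKEN_DEFAULT_DACL dacl = {};` the token that create_token builds carries no default DACL at all, and nothing at the declaration says that a later step is expected to supply one. On Windows an object created with no explicit security descriptor, no inherited ACEs and no token default DACL ends up with no DACL, which grants everyone full access, so this token is only safe once seteuid32 has set TokenDefaultDacl on it. I would add a comment here such as `/* Default DACL intentionally NULL; seteuid32 sets it before the token is used. */`, and it is worth confirming that no other caller uses the returned token directly. The body of create_token continues outside the hunk.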
@@ -904,13 +903,6 @@ create_token (cygsid &usersid, user_grou
   /* Retrieve list of privileges of that user. */
   if (!(privs = get_priv_list (lsa, usersid, tmp_gsids)))
     goto out;
-
-  /* Create default dacl. */
-  if (!sec_acl ((PACL) acl_buf, false, false,
-		tmp_gsids.contains (well_known_admins_sid) ?
-		well_known_admins_sid : usersid))
-    goto out;
-  dacl.DefaultDacl = (PACL) acl_buf;

   /* Let's be heroic... */
   ret = NtCreateToken (&token, TOKEN_ALL_ACCESS, &oa, TokenImpersonation,
Index: syscalls.cc
===================================================================
RCS file: /cvs/src/src/winsup/cygwin/syscalls.cc,v
retrieving revision 1.296
diff -u -p -r1.296 syscalls.cc
--- syscalls.cc	8 Oct 2003 09:17:08 -0000	1.296
+++ syscalls.cc	15 Oct 2003 22:14:53 -0000
@@ -2121,6 +2121,8 @@ seteuid32 (__uid32_t uid)
   HANDLE ptok, new_token = INVALID_HANDLE_VALUE;
   struct passwd * pw_new;
   BOOL token_is_internal, issamesid;
+  char dacl_buf[MAX_DACL_LEN (5)];
+  TOKEN_DEFAULT_DACL tdacl = {};

   pw_new = internal_getpwuid (uid);
   if (!wincap.has_security () && pw_new)
@@ -2161,18 +2163,13 @@ seteuid32 (__uid32_t uid)
   debug_printf ("Found token %d", new_token);

   /* Set process def dacl to allow access to impersonated token */
-  if (cygheap->user.current_token != new_token)
+  if (sec_acl ((PACL) dacl_buf, true, true, usersid))
     {
-      char dacl_buf[MAX_DACL_LEN (5)];
-      if (sec_acl ((PACL) dacl_buf, true, false, usersid))
-	{
-	  TOKEN_DEFAULT_DACL tdacl;
-	  tdacl.DefaultDacl = (PACL) dacl_buf;
-	  if (!SetTokenInformation (ptok, TokenDefaultDacl,
-				    &tdacl, sizeof dacl_buf))
-	    debug_printf ("SetTokenInformation"
-			  "(TokenDefaultDacl): %E");
-	}
+      tdacl.DefaultDacl = (PACL) dacl_buf;
+      if (!SetTokenInformation (ptok, TokenDefaultDacl,
+				&tdacl, sizeof dacl_buf))
+	debug_printf ("SetTokenInformation"
+		      "(TokenDefaultDacl): %E");
     }

   /* If no impersonation token is available, try to
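Review bot: The length passed to `SetTokenInformation (ptok, TokenDefaultDacl, ...)` is still `sizeof dacl_buf`, although the buffer handed over is `&tdacl`, a `TOKEN_DEFAULT_DACL` that holds only a pointer; the new call on `new_token` later in this patch passes `sizeof (tdacl)`. The two calls should agree, and the struct size is the one that describes the buffer: `&tdacl, sizeof (tdacl)))`. The comment above the `if` still reads as if only the process token were concerned; since the same ACL is now reused for the new token, something like `/* Build the default DACL (user, Admins, SYSTEM); set on the process token here and on the new token below */` would match the code. seteuid32 starts and ends outside the hunk.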
@@ -2193,7 +2190,7 @@ seteuid32 (__uid32_t uid)
 	CloseHandle (cygheap->user.internal_token);
       cygheap->user.internal_token = new_token;
     }
-  else if (new_token != ptok)
+  if (new_token != ptok)
     {
       /* Avoid having HKCU use default user */
       load_registry_hive (usersid);
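Review bot: Turning `else if (new_token != ptok)` into a plain `if` makes this block run after the internal-token branch above as well, and no comment records that this is intended. Given the description (the user SID must be in the default DACL of internal as well as external tokens) it looks deliberate, but it also means `load_registry_hive` and the TokenOwner/TokenPrimaryGroup updates now apply to internal tokens. A one-line comment such as `/* Done for internal and external tokens alike */` before the `if` would keep a later reader from restoring the `else`. The preceding branch begins outside the hunk, so its condition is not visible here.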
@@ -2204,11 +2201,15 @@ seteuid32 (__uid32_t uid)
 	debug_printf ("SetTokenInformation(user.token, "
 		      "TokenOwner): %E");
       /* Try setting primary group in token to current group */
-      if (!SetTokenInformation (new_token,
-				TokenPrimaryGroup,
+      if (!SetTokenInformation (new_token, TokenPrimaryGroup,
 				&groups.pgsid, sizeof (cygsid)))
 	debug_printf ("SetTokenInformation(user.token, "
 		      "TokenPrimaryGroup): %E");
+      /* Try setting default DACL */
+      if (tdacl.DefaultDacl
+	  && !SetTokenInformation (new_token, TokenDefaultDacl,
+				   &tdacl, sizeof (tdacl)))
+	debug_printf ("SetTokenInformation (TokenDefaultDacl): %E");
     }

   CloseHandle (ptok);
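Review bot: If the added `SetTokenInformation (new_token, TokenDefaultDacl, ...)` fails, or is skipped because `sec_acl` failed and `tdacl.DefaultDacl` is still NULL, seteuid32 carries on with a token whose default DACL is whatever it was created with, which for tokens built by create_token is now NULL. The only trace is a `debug_printf`, and its text is hard to tell apart from the process-token message earlier in the function. At minimum I would name the token in the message like its neighbours, `debug_printf ("SetTokenInformation(user.token, " "TokenDefaultDacl): %E");`, and consider whether a failure here should abort the user switch instead of only being logged. seteuid32 begins outside the hunk.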

