This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: security.cc: bug report, question and suggestion


On Sun, Dec 30, 2001 at 11:26:15AM -0500, Pierre A. Humblet wrote:
> At 11:15 PM 12/29/01 +0100, Corinna Vinschen wrote:
> You are reading my mind! I tried it without being administrator.
> Now open_local_policy () goes OK but in get_priv_list ()
> calls to LsaEnumerateAccountRights() (that succeed with 
> administrators privilege) fail with "access denied" (although
> you do specify the correct access rights in open_local_policy() )
> get_priv_list () returns privs = NULL, resulting in failure.

But that's ok.  Only privileged accounts need to access the
account rights to create a token.  I've found the following
KB article:

"HOWTO: Manage User Privileges Programmatically in Windows NT (Q132958)"

> I am also mind boggled by the behavior of setuid() running
> under cygrunsrv.
> Base case: user xxx runs program "prog" from the shell without admin
>            (but with CREATE_TOKEN) privs. prog does setuid(y). 
>            That fails, which is consistent with the previous paragraph.
> case 1: cygrunsrv -I ... -u xxx -p ...prog
>            setuid(y) fails, as expected.
> case 2: cygrunsrv -I .... -p ...prog
>            prog notices it is SYSTEM and setuid(xxx). That works as expected.
>            Now running as xxx, setuid(y) succeeds!
>            It looks like prog has inherited unexpected rights from SYSTEM...

Uh, that's a problem, perhaps.  The setuid() code is doing
the following currently:

    sid = getsid(uid);               /* SID of the target uid */
    RevertToSelf();                  /* drop any impersonation: back to the process's own token */
    token = create_token(sid);       /* needs the CREATE_TOKEN privilege of that original token */
    ImpersonateLoggedOnUser(token);  /* only the thread now runs as uid; process token untouched */

Important here is the call to RevertToSelf() which always restores
all privileges of the original account who started the process.
This is only eliminated after an exec which substitutes the process
by a new process which is created using CreateProcessAsUser(token).

The privileged process will always keep its privileges since it's
always able to "RevertToSelf".
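A small portable model of that token state (an added example, not Cygwin's code; every name in it is hypothetical) shows why case 2 above behaves as it does: the primary token stays SYSTEM until an exec replaces it.

```c
/* Added example, not Cygwin code: portable model of the token state
 * described above.  A Windows process has a primary token; impersonation
 * only attaches a thread token, RevertToSelf() drops it again, and only
 * an exec via CreateProcessAsUser(token) replaces the primary token. */
#include <stdbool.h>
#include <string.h>

#define PRIV_CREATE_TOKEN 0x1u   /* CREATE_TOKEN privilege */
#define PRIV_ADMIN        0x2u   /* Administrators: may read account rights */
#define PRIVS_FOR_SETUID  (PRIV_CREATE_TOKEN | PRIV_ADMIN)

typedef struct { const char *user; unsigned privs; } token_t;
typedef struct {
    token_t primary;        /* process token, restored by RevertToSelf() */
    token_t impersonation;  /* thread token set by ImpersonateLoggedOnUser() */
    bool    impersonating;
} process_t;

/* Identity that access checks see: the thread token while impersonating. */
static const token_t *effective(const process_t *p)
{
    return p->impersonating ? &p->impersonation : &p->primary;
}

/* Model of the setuid() sequence quoted above: RevertToSelf() first, so
 * create_token() is always attempted with the *primary* token's privileges,
 * then impersonate the new token.  Per the thread, the base case
 * (CREATE_TOKEN without admin rights) fails in get_priv_list(). */
static bool model_setuid(process_t *p, const char *user)
{
    p->impersonating = false;                        /* RevertToSelf() */
    if ((p->primary.privs & PRIVS_FOR_SETUID) != PRIVS_FOR_SETUID)
        return false;                                /* create_token() fails */
    p->impersonation.user  = user;                   /* create_token(sid) */
    p->impersonation.privs = 0;                      /* plain user account */
    p->impersonating = true;                         /* ImpersonateLoggedOnUser() */
    return true;
}

/* Model of exec(): CreateProcessAsUser(token) starts the new image with the
 * impersonation token as its primary token; the old privileges are gone. */
static void model_exec(process_t *p)
{
    if (p->impersonating)
        p->primary = p->impersonation;
    p->impersonating = false;
}
```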

> While I am at it, here is another weird observation:
> base case above: prog reads some registry key. Succeeds.
> cases 1 and 2: prog reads some registry key. Access denied.
> But if xxx has admins privilege, prog can read the registry in 
> cases 1 and 2...
> Can this be explained somehow? It's all on a standalone Win2000.

Hmm, some debugging would help here, perhaps.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
