This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.



Re: Problems on accessing Windows network resources


On Tue, Jun 10, 2003 at 12:50:18PM -0400, Pierre A. Humblet wrote:
> > I'm wondering if we can't simply make the assumption, that when the
> > application calls seteuid(orig_uid) just triggers a RevertToSelf()
> > and nothing else.  I don't know a case where the application reverts
> > to orig_uid to keep the group rights.  Do you know one?
> 
> I have met that case, for example when you send mail to SYSTEM with 
> exim (sending mail to root). There is at some point a token 
> with the pair (mail_gid, system_uid). 
> However we can add a test to detect that: if the application
> calls seteuid(orig_uid) AND there has not been a setegid call
> since the last seteuid(), then RevertToSelf.  

Somehow this seems to fit into the below description.  If the application
didn't call setegid() and seteuid(orig_sid), revert, else impersonate...
roughly speaking.

> We would have to change myself->gid to orig_gid as well, remember the
> one we had before the RevertToSelf, and switch back to it on the
> next seteuid.
> An advantage of this approach is that we never create an unnecessary
> token for the pair (user_gid, orig_uid).
>   
> > And the other way around, if the application provides a token with
> > cygwin_set_impersonation_token(), then that means, IMHO:
> > 
> > - The application calls setegid() with gid != token_primary_group_gid:
> > 
> >         trigger create_token in a later call to seteuid()
> > 
> > - The application calls setegid() with gid == token_primary_group_gid:
> > 
> >         Use token from cygwin_set_impersonation_token().
> > 
> > - The application doesn't call setegid():
> > 
> >         Ditto.
> > 
> > Case 3 is the interesting one.
> 
> I would modify it as follows: if the application doesn't call setegid(),
> and there is a saved_gid, use that gid (and the token that goes with
> the pair).

Ahm... what saved_gid?  I don't understand.

> I can still do that this evening.

Would be nice.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
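
The rules discussed in this message, combined into one decision function as an added example (it is not Cygwin source and not code from either poster). It tracks whether setegid() was called since the last seteuid() and returns which of the three actions named in the thread would apply. Assumptions: the `model_*` names, the struct and the enum are hypothetical; the revert rule is checked before the supplied-token rules; a supplied token is taken to belong to the uid passed to seteuid(); create_token is the fallback when no token was supplied; the saved_gid idea is not modelled.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the rules proposed in the thread; not Cygwin code. */
enum action { REVERT_TO_SELF, USE_SUPPLIED_TOKEN, CREATE_TOKEN };

struct proc_state {
    unsigned orig_uid;             /* uid the process started with */
    bool     have_token;           /* cygwin_set_impersonation_token() was called */
    unsigned token_primary_gid;    /* primary group of that supplied token */
    bool     setegid_since_seteuid;/* setegid() seen since the last seteuid() */
    unsigned egid;                 /* gid from the most recent setegid() */
};

void model_set_token(struct proc_state *s, unsigned primary_gid)
{
    s->have_token = true;
    s->token_primary_gid = primary_gid;
}

void model_setegid(struct proc_state *s, unsigned gid)
{
    s->egid = gid;
    s->setegid_since_seteuid = true;
}

enum action model_seteuid(struct proc_state *s, unsigned uid)
{
    enum action a;
    if (uid == s->orig_uid && !s->setegid_since_seteuid)
        a = REVERT_TO_SELF;        /* plain return to orig_uid, no group change */
    else if (s->have_token &&
             (!s->setegid_since_seteuid || s->egid == s->token_primary_gid))
        a = USE_SUPPLIED_TOKEN;    /* cases 2 and 3 of the quoted list */
    else
        a = CREATE_TOKEN;          /* case 1, or a (gid, uid) pair with no token */
    s->setegid_since_seteuid = false;  /* the next seteuid() starts a new window */
    return a;
}

int main(void)
{
    /* Constructed ids: 18 stands for orig_uid, 500 for a mail gid. */
    struct proc_state s = { .orig_uid = 18 };
    model_setegid(&s, 500);
    /* The (mail_gid, system_uid) case from the thread: must not simply revert. */
    printf("%d\n", model_seteuid(&s, 18) == CREATE_TOKEN);
    return 0;
}
```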

