This is the mail archive of the cygwin-patches@cygwin.com mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [Patch] *** CreateFileMapping, Win32 error 5. Terminating.

Corinna Vinschen wrote:
> 
> On Wed, Oct 15, 2003 at 10:22:35PM -0400, Pierre A. Humblet wrote:
> > 2003-10-15  Pierre Humblet  <pierre.humblet@ieee.org>
> >
> >       * syscalls.cc (seteuid32): Always construct a default DACL including
> >       the new sid, Admins and SYSTEM and copy it to the new thread token.
> >       * security.cc (create_token): Use a NULL default DACL in NtCreateToken.
> 
> I assume you have tested it also with an external token, don't you?
> I'm a bit concerned that the code also tries to modify the external
> token.  Is that actually unavoidable?  Isn't the problem just a
> typical problem of a self-created token?
 
Yes it has been tested with an external token. We already touch the owner
and primary group of the external tokens, the dacl is just another item.

It's needed with external tokens to handle the following type of cases.
A user in the admins group telnets into the box, creating a file
mapping with access by admins and system, but not by his sid (without the
patch).
While he is logged in, some service (exim, proftp...) creates a 
setgroups(0, NULL) + seteuid() process. That process may not be able
the access the file mapping (without the patch).

Pierre
Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]