This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: security.cc: bug report, question and suggestion


At 06:38 PM 12/30/01 +0100, Corinna Vinschen wrote:
>On Sun, Dec 30, 2001 at 11:26:15AM -0500, Pierre A. Humblet wrote:
>> At 11:15 PM 12/29/01 +0100, Corinna Vinschen wrote:

>> While I am at it, here is another weird observation:
>> base case above: prog reads some registry key. Succeeds.
>> cases 1 and 2: prog reads some registry key. Access denied.
>> But if xxx has admins privilege, prog can read the registry in 
>> cases 1 and 2...
>> Can this be explained somehow? It's all on a standalone Win2000.
>
>Hmm, some debugging would help here, perhaps.
>
Hi Corinna

Well, I had to learn a few things to track this one.
Please cc me directly. Sorry about the length. 
What follows was observed on NT 4; it's somewhat
different on Windows 2000.
The keys are related to the perflib, e.g.
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\009"
and others.

Initially I thought that the error 5 ERROR_ACCESS_DENIED
meant that, following setuid(), the user did not have
query access to the key, even though he could open it
without problems. This guess was wrong.

The real problem is that following setuid(), the ACL (not default 
ACL) of the impersonation token (which is inherited from the
default ACL of the process token) makes the impersonation
token non-accessible by its user
(normally the user has full access to its token,
and it seems that setuid() should preserve that).
ERROR_ACCESS_DENIED is thus generated when some Microsoft
code tries to access the token while getting the key.

This is demonstrated in the debug.out attachment where I print 
the impersonation token, try to access the key (fail), 
then clear the token ACL and succeed reading the key.

I tried to patch security.cc, without success.
In the attached diff file I set an acl (actually I
reuse your default ACL) in a security descriptor "sd".
sd is pointed to by your security attribute "sa", which
is passed to DuplicateTokenEx() in create_token(). 
I also added a new call to SetKernelObjectSecurity(),
for good measure.
This runs without errors, but nothing happens.
I have no idea why. Any help or suggestions will be 
appreciated.

Here are four other things I noticed:

1) If setuid(gid) is called with a gid that doesn't exist, the
system silently sets the gid to "administrators". That
is not fail safe!
The problem is that getgrgid() never fails. It should
have a flag to tell it whether it should default or not. 
[The default is fine when specifying a SET_ACCESS ACE]

2) my_token isn't closed in create_token()

3) Why is it necessary to set the PrimaryGroup in the
process token in setegid()? (That can fail silently).
Is that field ever read? I thought that PrimaryGroup 
only needs to be set in impersonation tokens, so that 
seteuid() can decide if an existing token can be
reused.

4) If in "cygrunsrv -u user ..."  the Cygwin and Windows 
user names differ, then the process will have the wrong
uid.

Entry in passwd (note Cygwin name != Windows name)
exim:unused_by_nt/2000/xp:1002:1005:daemon,U-PHumblet\Mail,S-1-5-21-2127391503-1594901184-99485923-1002:/home/Mail:/bin/bash

/> cygrunsrv -I test -u mail -e CYGWIN=ntsec -p /a.exe
Enter password of user `.\mail': 
Reenter, please: 
/> cygrunsrv -S test
/> head /var/log/test.log
CYGWIN = ntsec USERNAME = UNDEF UID = 500 GID = 513 PID = 619   <== INCORRECT UID/GID
/******************* Token Start ****************************/
/******************* Token User */  
Mail PHumblet SidTypeUser                           <=== CORRECT USER
S-1-5-21-2127391503-1594901184-99485923-1002        <=== CORRECT SID
 
Changed entry in passwd
mail:unused_by_nt/2000/xp:1002:1005:daemon,U-PHumblet\Mail,S-1-5-21-2127391503-1594901184-99485923-1002:/home/Mail:/bin/bash

/> cygrunsrv -S test
/> head /var/log/test.log
CYGWIN = ntsec USERNAME = UNDEF UID = 1002 GID = 1005 PID = 654   <== EVERYTHING OK
/******************* Token Start ****************************/
/******************* Token User */
Mail PHumblet SidTypeUser
S-1-5-21-2127391503-1594901184-99485923-1002


Pierre

Attachment: security.diff
Description: Text document

Attachment: debug.out
Description: Text document
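Added example, not code from this mail or from Cygwin: a small parser for the passwd entry format shown in point 4 (gecos carrying U-DOMAIN\user and the SID) that resolves a service account by its Windows name instead of the Cygwin name and flags entries where the two differ. Returning -1 on a failed name lookup is an assumption of this example, not a description of what Cygwin does.

```c
/* Added example (not from the mail or from Cygwin): parse a Cygwin passwd entry
 * whose gecos field carries "U-DOMAIN\winuser,S-1-..." and resolve uid/gid by the
 * Windows account name, flagging entries whose Cygwin name differs from it
 * (the situation in point 4 of the mail). */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp: Windows account names are case-insensitive */

struct pw_entry {
    char name[32];     /* Cygwin user name (field 1) */
    int uid, gid;
    char winuser[64];  /* Windows account name from the U-DOMAIN\user gecos item */
};

/* Parse "name:passwd:uid:gid:gecos:home:shell"; returns 1 on success, 0 when a
 * field or the U-DOMAIN\user gecos item is missing. */
static int parse_pw(const char *line, struct pw_entry *out)
{
    char gecos[256];
    memset(out, 0, sizeof *out);
    if (sscanf(line, "%31[^:]:%*[^:]:%d:%d:%255[^:]:",
               out->name, &out->uid, &out->gid, gecos) != 4)
        return 0;
    const char *u = strstr(gecos, "U-");
    const char *bs = u ? strchr(u, '\\') : NULL;   /* skip "U-DOMAIN\" */
    if (!bs || sscanf(bs + 1, "%63[^,]", out->winuser) != 1)
        return 0;
    return 1;
}

/* Lookup by Cygwin name, as when cygrunsrv -u is given the Windows name: -1 when
 * the names differ (this example reports failure instead of using another uid). */
static int uid_by_cygwin_name(const struct pw_entry *p, const char *winname)
{ return strcmp(p->name, winname) == 0 ? p->uid : -1; }

/* Lookup by the Windows account name recorded in gecos instead. */
static int uid_by_windows_name(const struct pw_entry *p, const char *winname)
{ return strcasecmp(p->winuser, winname) == 0 ? p->uid : -1; }
/* 1 when a service started with "-u <winuser>" would miss this entry by name. */
static int entry_mismatch(const struct pw_entry *p)
{ return strcasecmp(p->name, p->winuser) != 0; }

/* The two entries from the mail (wrapped lines rejoined): before and after. */
static const char *const pw_before =
    "exim:unused_by_nt/2000/xp:1002:1005:daemon,U-PHumblet\\Mail,"
    "S-1-5-21-2127391503-1594901184-99485923-1002:/home/Mail:/bin/bash";
static const char *const pw_after =
    "mail:unused_by_nt/2000/xp:1002:1005:daemon,U-PHumblet\\Mail,"
    "S-1-5-21-2127391503-1594901184-99485923-1002:/home/Mail:/bin/bash";
```

Run over a whole passwd file, entry_mismatch() lists every account whose Cygwin name would not be found when a service is registered with its Windows name.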
