This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: security.cc: bug report, question and suggestion


On Fri, Jan 25, 2002 at 11:44:03AM -0500, Pierre A. Humblet wrote:
> By the way, do you know why LookupAccountSid() returns different
> values when the sid is impersonated and when it isn't? Like:
> 
> In impersonated token created in a process launched by Phumblet
> /******************* Token User */
> PHumblet WIRELESS SidTypeUser                   <==== ?????
> S-1-5-21-2127391503-1594901184-99485923-1004    <==== impersonated sid
> 
> the (account) name PHumblet doesn't match the sid's username here.
> It would if the process was launched directly by the user
> (instead of being impersonated). 

I wrote about that problem already in earlier postings on this
list.  No, I don't know why that happens.  I assume it's due
to the fact that the created token is still running in the
logon session of the calling user.  The NT calls GetUserName()
and LookupAccountSid() seem to take a shortcut instead of really
looking for the values :-(
Actually it only happens in the impersonated and subsequent
processes.  Looking from the outside everything's ok, even in
the NT task manager.
I tried to get a description or something on the Microsoft
mailing lists but I got no answer.

> Instead of debugging DuplicateTokenEx() it may be simpler (but
> less efficient) to set the sd DACL in seteuid(), after the
> call to ImpersonateLoggedOnUser(). That's essentially what
> my call is doing when NULLing the DACL (see previous mail).

You could test using the sec_user call at that point before
I do it.  You have the testcase trying to access the registry
keys handy.

> It would also take care of the subauthentication case.
> I haven't looked at that at all.

It doesn't matter.  It works on W2K only.  That's the reason
I never announced it here but only on the cygwin-developers
list.  

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
