author | Corinna Vinschen <corinna@vinschen.de> | 2015-12-15 14:58:52 +0100 |
---|---|---|
committer | Corinna Vinschen <corinna@vinschen.de> | 2016-06-23 22:21:23 +0200 |
commit | aacc4f63d0f8d2d853e1834b27a13ac97ea1011b (patch) | |
tree | 6a4290531d5dab2335c9703aba267d04a99f6b5a /winsup/cygwin/sec_auth.cc | |
parent | 380b9affd1a9e9ac6a52642ee7fc098b404bda7e (diff) | |
Drop has_mandatory_integrity_control flag
Diffstat (limited to 'winsup/cygwin/sec_auth.cc')
-rw-r--r-- | winsup/cygwin/sec_auth.cc | 69 |
1 files changed, 31 insertions, 38 deletions
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index 853a07fad..e8d1d9138 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -45,39 +45,36 @@ issetugid (void)
 static HANDLE
 get_full_privileged_inheritable_token (HANDLE token)
 {
- if (wincap.has_mandatory_integrity_control ())
+ TOKEN_LINKED_TOKEN linked;
+ ULONG size;
+
+ /* When fetching the linked token without TCB privs, then the linked
+ token is not a primary token, only an impersonation token, which is
+ not suitable for CreateProcessAsUser. Converting it to a primary
+ token using DuplicateTokenEx does NOT work for the linked token in
+ this case. So we have to switch on TCB privs to get a primary token.
+ This is generally performed in the calling functions. */
+ if (NT_SUCCESS (NtQueryInformationToken (token, TokenLinkedToken,
+ (PVOID) &linked, sizeof linked,
+ &size)))
 {
- TOKEN_LINKED_TOKEN linked;
- ULONG size;
-
- /* When fetching the linked token without TCB privs, then the linked
- token is not a primary token, only an impersonation token, which is
- not suitable for CreateProcessAsUser. Converting it to a primary
- token using DuplicateTokenEx does NOT work for the linked token in
- this case. So we have to switch on TCB privs to get a primary token.
- This is generally performed in the calling functions. */
- if (NT_SUCCESS (NtQueryInformationToken (token, TokenLinkedToken,
- (PVOID) &linked, sizeof linked,
- &size)))
+ debug_printf ("Linked Token: %p", linked.LinkedToken);
+ if (linked.LinkedToken)
 {
- debug_printf ("Linked Token: %p", linked.LinkedToken);
- if (linked.LinkedToken)
+ TOKEN_TYPE type;
+
+ /* At this point we don't know if the user actually had TCB
+ privileges. Check if the linked token is a primary token.
+ If not, just return the original token. */
+ if (NT_SUCCESS (NtQueryInformationToken (linked.LinkedToken,
+ TokenType, (PVOID) &type,
+ sizeof type, &size))
+ && type != TokenPrimary)
+ debug_printf ("Linked Token is not a primary token!");
+ else
 {
- TOKEN_TYPE type;
-
- /* At this point we don't know if the user actually had TCB
- privileges. Check if the linked token is a primary token.
- If not, just return the original token. */
- if (NT_SUCCESS (NtQueryInformationToken (linked.LinkedToken,
- TokenType, (PVOID) &type,
- sizeof type, &size))
- && type != TokenPrimary)
- debug_printf ("Linked Token is not a primary token!");
- else
- {
- CloseHandle (token);
- token = linked.LinkedToken;
- }
+ CloseHandle (token);
+ token = linked.LinkedToken;
 }
 }
 }
@@ -972,14 +969,10 @@ create_token (cygsid &usersid, user_groups &new_groups)
 &mandatory_integrity_sid)))
 goto out;
- /* On systems supporting Mandatory Integrity Control, add the MIC SID. */
- if (wincap.has_mandatory_integrity_control ())
- {
- new_tok_gsids->Groups[new_tok_gsids->GroupCount].Attributes =
- SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED;
- new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid
- = mandatory_integrity_sid;
- }
+ new_tok_gsids->Groups[new_tok_gsids->GroupCount].Attributes =
+ SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED;
+ new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid
+ = mandatory_integrity_sid;
 /* Let's be heroic... */
 status = NtCreateToken (&token, TOKEN_ALL_ACCESS, &oa, TokenImpersonation, |
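Review bot: The `else` branch in get_full_privileged_inheritable_token is also taken when the `TokenType` query itself fails, so the linked token replaces the original without its type ever being confirmed. The test should fail closed: `if (!NT_SUCCESS (NtQueryInformationToken (linked.LinkedToken, TokenType, (PVOID) &type, sizeof type, &size)) || type != TokenPrimary)`. In that same rejecting branch the handle in `linked.LinkedToken` is never closed, so each call that finds a non-primary linked token leaves a handle open; adding `CloseHandle (linked.LinkedToken);` next to the `debug_printf` would release it. The commit only re-indents this logic, and the function body continues past the end of the hunk.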
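Review bot: The statements in create_token that append the integrity SID are left without any comment, because the removed `/* On systems supporting Mandatory Integrity Control, add the MIC SID. */` was dropped rather than reworded. Something like `/* Append the mandatory integrity SID to the token groups. */` would keep the intent visible. Since the write to `Groups[new_tok_gsids->GroupCount]` is now unconditional, it is also worth confirming that the allocation of `new_tok_gsids`, which lies outside this hunk, always reserves room for that extra entry.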