- (bal) Allow sshd to switch user context without password for Cygwin.

Patch by Corinna Vinschen <vinschen@redhat.com>
author: Ben Lindstrom <mouring@eviladmin.org> 2001-07-18 16:19:48 +0000
committer: Ben Lindstrom <mouring@eviladmin.org> 2001-07-18 16:19:48 +0000
commit: cff94beb65f9196b213a17c9fac5fb91f3b6078a (patch)
tree: d2b6153cc09001a2d627984f1d108f982375b2ec /openbsd-compat/bsd-cygwin_util.c
parent: 0dd676a26beb382d22ccb51090f067a4481ea014 (diff)
1 files changed, 35 insertions, 12 deletions
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index 36f13e3f0..87f36c0cb 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -15,16 +15,20 @@
 #include "includes.h"
-RCSID("$Id: bsd-cygwin_util.c,v 1.4 2001/04/13 14:28:42 djm Exp $");
+RCSID("$Id: bsd-cygwin_util.c,v 1.5 2001/07/18 16:19:49 mouring Exp $");
 #ifdef HAVE_CYGWIN
 #include <fcntl.h>
 #include <stdlib.h>
+#include <sys/utsname.h>
 #include <sys/vfs.h>
 #include <windows.h>
 #define is_winnt       (GetVersion() < 0x80000000)
+#define ntsec_on(c)     ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec"))
+#define ntea_on(c)      ((c) && strstr((c),"ntea") && !strstr((c),"nontea"))
 #if defined(open) && open == binary_open
 # undef open
 #endif
@@ -61,12 +65,34 @@ int check_nt_auth(int pwd_authenticated, uid_t uid)
        * context on NT systems is the password authentication. So
        * we deny all requsts for changing the user context if another
        * authentication method is used.
-        * This may change in future when a special openssh
+        *
-        * subauthentication package is available.
+        * This doesn't apply to Cygwin versions >= 1.3.2 anymore which
+        * uses the undocumented NtCreateToken() call to create a user
+        * token if the process has the appropriate privileges and if
+        * CYGWIN ntsec setting is on.
        */
-        if (is_winnt && !pwd_authenticated && geteuid() != uid)
+        static int has_create_token = -1;
-                return 0;
-        
+        if (is_winnt) {
+                if (has_create_token < 0) {
+                        struct utsname uts;
+                        int major_high = 0, major_low = 0, minor = 0;
+                        char *cygwin = getenv("CYGWIN");
+                        has_create_token = 0;
+                        if (ntsec_on(cygwin) && !uname(&uts)) {
+                                sscanf(uts.release, "%d.%d.%d",
+                                       &major_high, &major_low, &minor);
+                                if (major_high > 1 ||
+                                    (major_high == 1 && (major_low > 3 ||
+                                     (major_low == 3 && minor >= 2))))
+                                        has_create_token = 1;
+                        }
+                }
+                if (has_create_token < 1 &&
+                    !pwd_authenticated && geteuid() != uid)
+                        return 0;
+        }
        return 1;
 }
@@ -82,12 +108,9 @@ int check_ntsec(const char *filename)
                return 0;
        /* Evaluate current CYGWIN settings. */
-        if ((cygwin = getenv("CYGWIN")) != NULL) {
+        cygwin = getenv("CYGWIN");
-                if (strstr(cygwin, "ntea") && !strstr(cygwin, "nontea"))
+        allow_ntea = ntea_on(cygwin);
-                        allow_ntea = 1;
+        allow_ntsec = ntsec_on(cygwin);
-                if (strstr(cygwin, "ntsec") && !strstr(cygwin, "nontsec"))
-                        allow_ntsec = 1;
-        }
        /*
         * `ntea' is an emulation of POSIX attributes. It doesn't support
author	Ben Lindstrom <mouring@eviladmin.org>	2001-07-18 16:19:48 +0000
committer	Ben Lindstrom <mouring@eviladmin.org>	2001-07-18 16:19:48 +0000
commit	cff94beb65f9196b213a17c9fac5fb91f3b6078a (patch)
tree	d2b6153cc09001a2d627984f1d108f982375b2ec /openbsd-compat/bsd-cygwin_util.c
parent	0dd676a26beb382d22ccb51090f067a4481ea014 (diff)

diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c index 36f13e3f0..87f36c0cb 100644 --- a/openbsd-compat/bsd-cygwin_util.c +++ b/openbsd-compat/bsd-cygwin_util.c
@@ -15,16 +15,20 @@
15		15
16	#include "includes.h"	16	#include "includes.h"
17		17
18	RCSID("$Id: bsd-cygwin_util.c,v 1.4 2001/04/13 14:28:42 djm Exp $");	18	RCSID("$Id: bsd-cygwin_util.c,v 1.5 2001/07/18 16:19:49 mouring Exp $");
19		19
20	#ifdef HAVE_CYGWIN	20	#ifdef HAVE_CYGWIN
21		21
22	#include <fcntl.h>	22	#include <fcntl.h>
23	#include <stdlib.h>	23	#include <stdlib.h>
		24	#include <sys/utsname.h>
24	#include <sys/vfs.h>	25	#include <sys/vfs.h>
25	#include <windows.h>	26	#include <windows.h>
26	#define is_winnt (GetVersion() < 0x80000000)	27	#define is_winnt (GetVersion() < 0x80000000)
27		28
		29	#define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec"))
		30	#define ntea_on(c) ((c) && strstr((c),"ntea") && !strstr((c),"nontea"))
		31
28	#if defined(open) && open == binary_open	32	#if defined(open) && open == binary_open
29	# undef open	33	# undef open
30	#endif	34	#endif
@@ -61,12 +65,34 @@ int check_nt_auth(int pwd_authenticated, uid_t uid)
61	* context on NT systems is the password authentication. So	65	* context on NT systems is the password authentication. So
62	* we deny all requsts for changing the user context if another	66	* we deny all requsts for changing the user context if another
63	* authentication method is used.	67	* authentication method is used.
64	* This may change in future when a special openssh	68	*
65	* subauthentication package is available.	69	* This doesn't apply to Cygwin versions >= 1.3.2 anymore which
		70	* uses the undocumented NtCreateToken() call to create a user
		71	* token if the process has the appropriate privileges and if
		72	* CYGWIN ntsec setting is on.
66	*/	73	*/
67	if (is_winnt && !pwd_authenticated && geteuid() != uid)	74	static int has_create_token = -1;
68	return 0;	75
69		76	if (is_winnt) {
		77	if (has_create_token < 0) {
		78	struct utsname uts;
		79	int major_high = 0, major_low = 0, minor = 0;
		80	char *cygwin = getenv("CYGWIN");
		81
		82	has_create_token = 0;
		83	if (ntsec_on(cygwin) && !uname(&uts)) {
		84	sscanf(uts.release, "%d.%d.%d",
		85	&major_high, &major_low, &minor);
		86	if (major_high > 1 \|\|
		87	(major_high == 1 && (major_low > 3 \|\|
		88	(major_low == 3 && minor >= 2))))
		89	has_create_token = 1;
		90	}
		91	}
		92	if (has_create_token < 1 &&
		93	!pwd_authenticated && geteuid() != uid)
		94	return 0;
		95	}
70	return 1;	96	return 1;
71	}	97	}
72		98
@@ -82,12 +108,9 @@ int check_ntsec(const char *filename)
82	return 0;	108	return 0;
83		109
84	/* Evaluate current CYGWIN settings. */	110	/* Evaluate current CYGWIN settings. */
85	if ((cygwin = getenv("CYGWIN")) != NULL) {	111	cygwin = getenv("CYGWIN");
86	if (strstr(cygwin, "ntea") && !strstr(cygwin, "nontea"))	112	allow_ntea = ntea_on(cygwin);
87	allow_ntea = 1;	113	allow_ntsec = ntsec_on(cygwin);
88	if (strstr(cygwin, "ntsec") && !strstr(cygwin, "nontsec"))
89	allow_ntsec = 1;
90	}
91		114
92	/*	115	/*
93	* `ntea' is an emulation of POSIX attributes. It doesn't support	116	* `ntea' is an emulation of POSIX attributes. It doesn't support