zontreck/wine
1
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine.git synced 2024-11-19 17:06:04 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

server: Inherit the source token's label in token_duplicate().

Browse source 
And assign it in token_create_admin().

Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=56640
This commit is contained in:
Elizabeth Figura 2024-06-04 19:25:45 -05:00 committed by Alexandre Julliard
parent 524b431123
commit ed297ecba5
Notes: Alexandre Julliard 2024-06-06 23:31:15 +02:00 
Approved-by: Alexandre Julliard (@julliard)
Merge-Request: https://gitlab.winehq.org/wine/wine/-/merge_requests/5793
4 changed files with 37 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
dlls/advapi32/tests/security.c
View file

@ -7376,23 +7376,19 @@ static void test_token_security_descriptor(void)
defaulted = TRUE; defaulted = TRUE;
ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted); ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
ok(ret, "GetSecurityDescriptorDacl failed with error %lu\n", GetLastError()); ok(ret, "GetSecurityDescriptorDacl failed with error %lu\n", GetLastError());
todo_wine
ok(present, "DACL not present\n"); ok(present, "DACL not present\n");
if (present) ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
{ ok(!defaulted, "DACL defaulted\n");
ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
ok(!defaulted, "DACL defaulted\n");
index = 0; index = 0;
found = FALSE; found = FALSE;
while (GetAce(acl2, index++, (void **)&ace)) while (GetAce(acl2, index++, (void **)&ace))
{ {
if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid)) if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid))
found = TRUE; found = TRUE;
}
ok(!found, "Access allowed ACE was inherited\n");
} }
ok(!found, "Access allowed ACE was inherited\n");
free(sd2); free(sd2);

6
server/process.c
View file

@ -735,12 +735,6 @@ struct process *create_process( int fd, struct process *parent, unsigned int fla
if (!process->handles || !process->token) goto error; if (!process->handles || !process->token) goto error;
process->session_id = token_get_session_id( process->token ); process->session_id = token_get_session_id( process->token );
/* Assign a high security label to the token. The default would be medium
* but Wine provides admin access to all applications right now so high
* makes more sense for the time being. */
if (!token_assign_label( process->token, &high_label_sid ))
goto error;
set_fd_events( process->msg_fd, POLLIN ); /* start listening to events */ set_fd_events( process->msg_fd, POLLIN ); /* start listening to events */
return process; return process;

1
server/security.h
View file

@ -50,7 +50,6 @@ extern const struct sid local_system_sid;
extern const struct sid builtin_users_sid; extern const struct sid builtin_users_sid;
extern const struct sid builtin_admins_sid; extern const struct sid builtin_admins_sid;
extern const struct sid domain_users_sid; extern const struct sid domain_users_sid;
extern const struct sid high_label_sid;
struct ace struct ace
{ {

29
server/token.c
View file

@ -72,7 +72,6 @@ struct sid_attrs
const struct sid world_sid = { SID_REVISION, 1, SECURITY_WORLD_SID_AUTHORITY, { SECURITY_WORLD_RID } }; const struct sid world_sid = { SID_REVISION, 1, SECURITY_WORLD_SID_AUTHORITY, { SECURITY_WORLD_RID } };
const struct sid local_system_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_LOCAL_SYSTEM_RID } }; const struct sid local_system_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_LOCAL_SYSTEM_RID } };
const struct sid high_label_sid = { SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, { SECURITY_MANDATORY_HIGH_RID } };
const struct sid local_user_sid = { SID_REVISION, 5, SECURITY_NT_AUTHORITY, { SECURITY_NT_NON_UNIQUE, 0, 0, 0, 1000 } }; const struct sid local_user_sid = { SID_REVISION, 5, SECURITY_NT_AUTHORITY, { SECURITY_NT_NON_UNIQUE, 0, 0, 0, 1000 } };
const struct sid builtin_admins_sid = { SID_REVISION, 2, SECURITY_NT_AUTHORITY, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } }; const struct sid builtin_admins_sid = { SID_REVISION, 2, SECURITY_NT_AUTHORITY, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } };
const struct sid builtin_users_sid = { SID_REVISION, 2, SECURITY_NT_AUTHORITY, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS } }; const struct sid builtin_users_sid = { SID_REVISION, 2, SECURITY_NT_AUTHORITY, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS } };
@ -82,6 +81,7 @@ static const struct sid local_sid = { SID_REVISION, 1, SECURITY_LOCAL_SID_AUTHOR
static const struct sid interactive_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_INTERACTIVE_RID } }; static const struct sid interactive_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_INTERACTIVE_RID } };
static const struct sid anonymous_logon_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_ANONYMOUS_LOGON_RID } }; static const struct sid anonymous_logon_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_ANONYMOUS_LOGON_RID } };
static const struct sid authenticated_user_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_AUTHENTICATED_USER_RID } }; static const struct sid authenticated_user_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_AUTHENTICATED_USER_RID } };
static const struct sid high_label_sid = { SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, { SECURITY_MANDATORY_HIGH_RID } };
static struct luid prev_luid_value = { 1000, 0 }; static struct luid prev_luid_value = { 1000, 0 };
@ -649,6 +649,24 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
if (sd) default_set_sd( &token->obj, sd, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | if (sd) default_set_sd( &token->obj, sd, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION ); DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION );
if (src_token->obj.sd)
{
const struct acl *sacl;
const struct ace *ace;
unsigned int i;
int present;
sacl = sd_get_sacl( src_token->obj.sd, &present );
if (present)
{
for (i = 0, ace = ace_first( sacl ); i < sacl->count; i++, ace = ace_next( ace ))
{
if (ace->type != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
token_assign_label( token, (const struct sid *)(ace + 1) );
}
}
}
return token; return token;
} }
@ -785,6 +803,15 @@ struct token *token_create_admin( unsigned primary, int impersonation_level, int
/* we really need a primary group */ /* we really need a primary group */
assert( token->primary_group ); assert( token->primary_group );
/* Assign a high security label to the token. The default would be medium
* but Wine provides admin access to all applications right now so high
* makes more sense for the time being. */
if (!token_assign_label( token, &high_label_sid ))
{
release_object( token );
return NULL;
}
free( default_dacl ); free( default_dacl );
return token; return token;
} }