Mailing-List: contact cygwin-developers-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-developers-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin-developers/>
List-Post: <mailto:cygwin-developers AT cygwin DOT com>
List-Help: <mailto:cygwin-developers-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-developers-owner AT cygwin DOT com
Delivered-To: mailing list cygwin-developers AT cygwin DOT com
Date: Fri, 13 Dec 2002 12:50:04 +0100
From: Corinna Vinschen <vinschen AT redhat DOT com>
To: cygwin-developers AT cygwin DOT com
Subject: Re: Subauthentication
Message-ID: <20021213125004.O7796@cygbert.vinschen.de>
Reply-To: cygwin-developers AT cygwin DOT com
Mail-Followup-To: cygwin-developers AT cygwin DOT com
References: <3DF50D30 DOT AE8FA801 AT ieee DOT org> <NFBBLLCAILKHOEOHEFMHKEAGCEAA DOT hartmut_honisch AT web DOT de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <NFBBLLCAILKHOEOHEFMHKEAGCEAA.hartmut_honisch@web.de>
User-Agent: Mutt/1.3.22.1i

On Fri, Dec 13, 2002 at 11:55:46AM +0100, Hartmut Honisch wrote:
> Hi Pierre,
> 
> I think I found a way to make GetUserName return the correct user after
> impersonating a token created my NtCreateToken: The token needs a valid
> logon session id, one that is associated with the correct user.
> 
> As I mentioned, when logging on, Windows creates a new logon session, and
> LSA associates the username with that session.
> 
> And even though NtCreateToken allows to specify a TokenUser, It seems that
> when impersonating a token, Windows replaces the TokenUser by the user
> associated with the token's logon session id. And since create_token uses
> the active logon session associated with the _impersonating_ user, not the
> user to _be_ impersonated, TokenUser will contain the wrong user name after
> impersonating it.
> 
> So I successfully tried the following approch:
> - use subauthentication to create a new logon session for the new user
> - if the token is suitable (i.e. verify_token returns TRUE), use it for
> impersonation
> - if the token is not suitable(because of the setgid issues you explained to
> me), call create_token, but reuse the subauthentication token's logon
> session id in the new token.
> 
> I verified that with a token created by NtCreateToken (with the right logon
> session id of course), I'm able to impersonate and GetUserName /
> GetTokenInformation(...TokenUser...) will give me the correct user.

That sounds really interesting.  If we turn around the order in
seteuid again (first call subauth, if that fails create_token) we
could use that extra step as explained above to create a correct
logon token.  It's just important, that the current NTCreateToken
stuff still works as today if subauth is not installed.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.