summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--winsup/cygwin/release/2.12.03
-rw-r--r--winsup/cygwin/sec_auth.cc15
2 files changed, 18 insertions, 0 deletions
diff --git a/winsup/cygwin/release/2.12.0 b/winsup/cygwin/release/2.12.0
index 5835952ee..c2abc9329 100644
--- a/winsup/cygwin/release/2.12.0
+++ b/winsup/cygwin/release/2.12.0
@@ -81,3 +81,6 @@ Bug Fixes
- Fix thread names in GDB when cygthreads get reused.
- Fix return value of gethostname in a border case.
+
+- Disallow seteuid on disabled or locked out accounts.
+ Addresses: https://cygwin.com/ml/cygwin/2019-01/msg00197.html
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index d4c2701da..8fdfa3a86 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -553,6 +553,21 @@ get_server_groups (cygsidlist &grp_list, PSID usersid)
&& sid_sub_auth (usersid, 0) == SECURITY_NT_NON_UNIQUE
&& get_logon_server (domain, server, DS_IS_FLAT_NAME))
{
+ NET_API_STATUS napi_stat;
+ USER_INFO_1 *ui1;
+ bool allow_user = false;
+
+ napi_stat = NetUserGetInfo (server, user, 1, (LPBYTE *) &ui1);
+ if (napi_stat == NERR_Success)
+ allow_user = !(ui1->usri1_flags & (UF_ACCOUNTDISABLE | UF_LOCKOUT));
+ if (ui1)
+ NetApiBufferFree (ui1);
+ if (!allow_user)
+ {
+ debug_printf ("User denied: %W\\%W", domain, user);
+ set_errno (EACCES);
+ return false;
+ }
get_user_groups (server, grp_list, user, domain);
get_user_local_groups (server, domain, grp_list, user);
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-17 06:04:36 +0000