2 files changed, 28 insertions, 13 deletions

diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 962070994..7ccbbb12c 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,10 @@
+Wed May 23 17:45:00 2001  Corinna Vinschen <corinna@vinschen.de>
+
+	* syscalls.cc (seteuid): Restrict overriding external provided
+	user tokens to ntsec. Don't test external tokens for primary
+	group to evaluate if it should be overridden. Restrict creating
+	internal tokens to ntsec.
+
 Wed May 23 10:11:00 2001  Corinna Vinschen <corinna@vinschen.de>
 
 	* syscalls.cc (chown_worker): Don't check for ENOSYS.
diff --git a/winsup/cygwin/syscalls.cc b/winsup/cygwin/syscalls.cc
index 6eb9ee1b2..a4252532f 100644
--- a/winsup/cygwin/syscalls.cc
+++ b/winsup/cygwin/syscalls.cc
@@ -1980,6 +1980,7 @@ seteuid (uid_t uid)
 	  DWORD siz;
 	  HANDLE sav_token = INVALID_HANDLE_VALUE;
 	  BOOL sav_impersonation;
+	  BOOL current_token_is_internal_token = FALSE;
 	  BOOL explicitely_created_token = FALSE;
 
 	  struct group *gr = getgrgid (myself->gid);
@@ -1988,9 +1989,10 @@ seteuid (uid_t uid)
 	  usersid.getfrompw (pw_new);
 	  pgrpsid.getfromgr (gr);
 
+	  /* Only when ntsec is ON! */
 	  /* Check if new user == user of impersonation token and
-	     - if available - new pgrp == pgrp of impersonation token. */
-	  if (cygheap->user.token != INVALID_HANDLE_VALUE)
+	     - if reasonable - new pgrp == pgrp of impersonation token. */
+	  if (allow_ntsec && cygheap->user.token != INVALID_HANDLE_VALUE)
 	    {
 	      if (!GetTokenInformation (cygheap->user.token, TokenUser,
 					&tok_usersid, sizeof tok_usersid, &siz))
@@ -2004,8 +2006,19 @@ seteuid (uid_t uid)
 		  debug_printf ("GetTokenInformation(): %E");
 		  tok_pgrpsid = NO_SID;
 		}
+	      /* Check if the current user token was internally created. */
+	      TOKEN_SOURCE ts;
+	      if (!GetTokenInformation (cygheap->user.token, TokenSource,
+					&ts, sizeof ts, &siz))
+		debug_printf ("GetTokenInformation(): %E");
+	      else if (!memcmp (ts.SourceName, "Cygwin.1", 8))
+		current_token_is_internal_token = TRUE;
 	      if ((usersid && tok_usersid && usersid != tok_usersid) ||
-	          (pgrpsid && tok_pgrpsid && pgrpsid != tok_pgrpsid))
+		  /* Check for pgrp only if current token is an internal
+		     token. Otherwise the external provided token is
+		     very likely overwritten here. */
+	          (current_token_is_internal_token &&
+		   pgrpsid && tok_pgrpsid && pgrpsid != tok_pgrpsid))
 		{
 		  /* If not, RevertToSelf and close old token. */
 		  debug_printf ("tsid != usersid");
@@ -2017,9 +2030,10 @@ seteuid (uid_t uid)
 		}
 	    }
 
+	  /* Only when ntsec is ON! */
 	  /* If no impersonation token is available, try to 
 	     authenticate using NtCreateToken() or subauthentication. */
-	  if (cygheap->user.token == INVALID_HANDLE_VALUE)
+	  if (allow_ntsec && cygheap->user.token == INVALID_HANDLE_VALUE)
 	    {
 	      HANDLE ptok = INVALID_HANDLE_VALUE;
 
@@ -2036,15 +2050,9 @@ seteuid (uid_t uid)
 	        {
 		  cygwin_set_impersonation_token (ptok);
 		  /* If sav_token was internally created, destroy it. */
-		  if (sav_token != INVALID_HANDLE_VALUE)
-		    {
-		      TOKEN_SOURCE ts;
-		      if (!GetTokenInformation (sav_token, TokenSource,
-		      				&ts, sizeof ts, &siz))
-			debug_printf ("GetTokenInformation(): %E");
-		      else if (!memcmp (ts.SourceName, "Cygwin.1", 8))
-		        CloseHandle (sav_token);
-		    }
+		  if (sav_token != INVALID_HANDLE_VALUE &&
+		      current_token_is_internal_token)
+		    CloseHandle (sav_token);
 	        }
 	      else if (sav_token != INVALID_HANDLE_VALUE)
 		cygheap->user.token = sav_token;