[PATCH]: Drop the use of `check_nt_auth'.

Corinna Vinschen vinschen at redhat.com
Mon Jun 4 20:16:23 EST 2001


On Wed, May 23, 2001 at 04:16:48PM +0200, Corinna Vinschen wrote:
> On Wed, May 23, 2001 at 09:29:43PM +1000, Damien Miller wrote:
> > On Wed, 23 May 2001, Corinna Vinschen wrote:
> > 
> > > Hi,
> > >
> > > the following patch removes some of the Cygwin specific code from
> > > OpenSSH.
> > >
> > > Since Cygwin is able to change the user context on NT/W2K even without
> > > a password since the new Cygwin version 1.3.2, there's no need anymore
> > > to allow changing the user context only if the sshd user is the same
> > > user as the one which logs in or when a password is given.
> > >
> > > For that reason the whole function `check_nt_auth' and all code which
> > > uses it, is completely dropped in the following patch.
> > 
> > Could you add a configure test to ensure that the support for this
> > extension is available in the version of Cygwin that the user is
> > compiling against?
> 
> Hmm, yes, but...
> 
> would it be better to let the check_nt_auth functionality in but
> additionally check for the Cygwin version in the function
> to return an appropriate value (Cygwin >= 1.3.2 ==> return TRUE),
> perhaps?

Ok, I changed my patch to accommodate different abilities of different
Cygwin versions. Instead of completely eliminating the check, it now
tests for the Cygwin version as well as for the setting in Cygwin
which is responsible for that feature.

Corinna

Index: openbsd-compat/bsd-cygwin_util.c
===================================================================
RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-cygwin_util.c,v
retrieving revision 1.4
diff -u -p -r1.4 bsd-cygwin_util.c
--- openbsd-compat/bsd-cygwin_util.c	2001/04/13 14:28:42	1.4
+++ openbsd-compat/bsd-cygwin_util.c	2001/06/04 10:05:35
@@ -21,10 +21,14 @@ RCSID("$Id: bsd-cygwin_util.c,v 1.4 2001
 
 #include <fcntl.h>
 #include <stdlib.h>
+#include <sys/utsname.h>
 #include <sys/vfs.h>
 #include <windows.h>
 #define is_winnt       (GetVersion() < 0x80000000)
 
+#define ntsec_on(c)	((c) && strstr((c),"ntsec") && !strstr((c),"nontsec"))
+#define ntea_on(c)	((c) && strstr((c),"ntea") && !strstr((c),"nontea"))
+
 #if defined(open) && open == binary_open
 # undef open
 #endif
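Review bot: `ntsec_on` and `ntea_on` call `strstr`, which needs `<string.h>`; this hunk adds `<sys/utsname.h>` but the visible includes do not show `<string.h>`, so confirm it is already pulled in earlier in the file. The macros also evaluate their argument three times, so a comment stating that they expect a side-effect-free expression (the plain `cygwin` variable at both call sites) would stop someone later writing `ntsec_on(getenv("CYGWIN"))`. A second comment explaining that "nontsec" contains "ntsec", which is why the `!strstr((c),"nontsec")` clause is needed, would prevent a reader from treating that clause as redundant.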
@@ -61,12 +65,34 @@ int check_nt_auth(int pwd_authenticated,
 	* context on NT systems is the password authentication. So
 	* we deny all requsts for changing the user context if another
 	* authentication method is used.
-	* This may change in future when a special openssh
-	* subauthentication package is available.
+	*
+	* This doesn't apply to Cygwin versions >= 1.3.2 anymore which
+	* uses the undocumented NtCreateToken() call to create a user
+	* token if the process has the appropriate privileges and if
+	* CYGWIN ntsec setting is on.
 	*/
-	if (is_winnt && !pwd_authenticated && geteuid() != uid)
-		return 0;
-	
+	static int has_create_token = -1;
+
+	if (is_winnt) {
+		if (has_create_token < 0) {
+			struct utsname uts;
+		        int major_high = 0, major_low = 0, minor = 0;
+			char *cygwin = getenv("CYGWIN");
+
+			has_create_token = 0;
+			if (ntsec_on(cygwin) && !uname(&uts)) {
+				sscanf(uts.release, "%d.%d.%d",
+				       &major_high, &major_low, &minor);
+				if (major_high > 1 ||
+				    (major_high == 1 && (major_low > 3 ||
+				     (major_low == 3 && minor >= 2))))
+					has_create_token = 1;
+			}
+		}
+		if (has_create_token < 1 &&
+		    !pwd_authenticated && geteuid() != uid)
+			return 0;
+	}
 	return 1;
 }
 
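Review bot: the return value of the `sscanf` on `uts.release` is ignored; because `major_high`, `major_low` and `minor` are zero-initialised, an unparseable release string leaves `has_create_token` at 0 and the old password-only rule still applies, so the check fails closed, but that deserves a comment beside the call rather than being left implicit. Two smaller points: `static int has_create_token = -1;` is declared after the comment block, which is only valid C89 if no statement precedes it in the function body, so confirm the placement; and the `int major_high = 0, major_low = 0, minor = 0;` line is indented with spaces while the surrounding lines use tabs. Note also that the result is cached per process from the `CYGWIN` environment and `uname()` at first call, which is fine for sshd's per-connection child but means a later change to the environment is not seen.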
@@ -82,12 +108,9 @@ int check_ntsec(const char *filename)
 		return 0;
 
 	/* Evaluate current CYGWIN settings. */
-	if ((cygwin = getenv("CYGWIN")) != NULL) {
-		if (strstr(cygwin, "ntea") && !strstr(cygwin, "nontea"))
-			allow_ntea = 1;
-		if (strstr(cygwin, "ntsec") && !strstr(cygwin, "nontsec"))
-			allow_ntsec = 1;
-	}
+	cygwin = getenv("CYGWIN");
+	allow_ntea = ntea_on(cygwin);
+	allow_ntsec = ntsec_on(cygwin);
 
 	/*
 	 * `ntea' is an emulation of POSIX attributes. It doesn't support
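Review bot: the assignment form here (`cygwin = getenv("CYGWIN");` followed by the macros on the variable) should stay as is rather than be collapsed into `allow_ntsec = ntsec_on(getenv("CYGWIN"));`, because each macro expands its argument three times. Behaviour matches the removed block, including the NULL case, since both macros begin with `(c) &&`, and sharing the definition with `check_nt_auth` removes the risk of the two callers drifting apart that the duplicated code carried.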

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com