authorCorinna Vinschen <corinna@vinschen.de>2011-04-04 13:00:02 +0400
committerCorinna Vinschen <corinna@vinschen.de>2011-04-04 13:00:02 +0400
commit99edadedc90025c03e4ec4602a9c61c1bf37b7e7 (patch)
tree1fd0a16c0b5195a7c9ec6557d8ca6678a1781838
parent0d6f2b0117aa7fe5470117b6a43f16dac139f5b9 (diff)
* sec_auth.cc (get_user_groups): Mark well-known groups as well-known.
(get_user_local_groups): Ditto. (verify_token): Drop useless label. * sec_helper.cc (cygsid::get_sid): Check for well-known SID if well_known isn't set. * security.h (well_known_sid_type): New inline function.
-rw-r--r--winsup/cygwin/sec_auth.cc13
-rw-r--r--winsup/cygwin/sec_helper.cc17
-rw-r--r--winsup/cygwin/security.h8
3 files changed, 29 insertions, 9 deletions
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index 0c86546d6..775957f25 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -292,6 +292,8 @@ get_user_groups (WCHAR *logonserver, cygsidlist &grp_list,
wcscpy (dgroup + len, buf[i].grui0_name);
if (!LookupAccountNameW (NULL, dgroup, gsid, &glen, dom, &dlen, &use))
debug_printf ("LookupAccountName(%W), %E", dgroup);
+ else if (well_known_sid_type (use))
+ grp_list *= gsid;
else if (legal_sid_type (use))
grp_list += gsid;
else
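Review bot: `well_known_sid_type (use)` is true for every `SidTypeAlias`, so this branch flags any local alias that LookupAccountNameW resolves, including locally created groups and not only the builtin ones; the matching branch in get_user_local_groups does the same. The verify_token context further down shows `is_well_known_sid ()` exempting a SID from the `sid_in_token_groups` check, so if these lists reach a path like that, the exemption now covers more groups than before, and that should be confirmed as intended. A comment at the branch would record the decision, e.g. `/* Aliases and well-known groups carry the well_known flag; see is_well_known_sid () users. */`. The if/else chain and the function continue outside the hunk.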
@@ -339,10 +341,12 @@ get_user_local_groups (PWCHAR logonserver, PWCHAR domain,
if (LookupAccountNameW (NULL, domlocal_grp, gsid, &glen,
dom, &domlen, &use))
{
- if (!legal_sid_type (use))
- debug_printf ("Rejecting local %W. use: %d", dg_ptr, use);
- else
+ if (well_known_sid_type (use))
+ grp_list *= gsid;
+ else if (legal_sid_type (use))
grp_list += gsid;
+ else
+ debug_printf ("Rejecting local %W. use: %d", dg_ptr, use);
}
else if (GetLastError () == ERROR_NONE_MAPPED)
{
@@ -762,14 +766,13 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
if (!saw[gidx]
&& !groups.sgsids.sids[gidx].is_well_known_sid ()
&& !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
- goto done;
+ return false;
}
/* The primary group must be in the token */
ret = sawpg
|| sid_in_token_groups (my_grps, groups.pgsid)
|| groups.pgsid == usersid;
}
-done:
return ret;
}
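Review bot: The early `return false;` matches the old `goto done;` only if `ret` is still false at this point; its declaration and any earlier assignment are outside the hunk, so that is worth confirming. The exit would also read better with a one-line comment, e.g. `/* A requested group that is neither well-known nor in the token: no match. */`, because this is the path where the `is_well_known_sid ()` exemption decides the result. verify_token starts outside the hunk.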
diff --git a/winsup/cygwin/sec_helper.cc b/winsup/cygwin/sec_helper.cc
index a29900166..069eaa544 100644
--- a/winsup/cygwin/sec_helper.cc
+++ b/winsup/cygwin/sec_helper.cc
@@ -1,7 +1,7 @@
/* sec_helper.cc: NT security helper functions
Copyright 2000, 2001, 2002, 2003, 2004, 2006, 2007, 2008, 2009,
- 2010 Red Hat, Inc.
+ 2010, 2011 Red Hat, Inc.
Written by Corinna Vinschen <corinna@vinschen.de>
@@ -150,7 +150,8 @@ PSID
cygsid::get_sid (DWORD s, DWORD cnt, DWORD *r, bool well_known)
{
DWORD i;
- SID_IDENTIFIER_AUTHORITY sid_auth = {{0,0,0,0,0,0}};
+ SID_IDENTIFIER_AUTHORITY sid_auth = { SECURITY_NULL_SID_AUTHORITY };
+# define SECURITY_NT_AUTH 5
if (s > 255 || cnt < 1 || cnt > 8)
{
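Review bot: `# define SECURITY_NT_AUTH 5` sits inside the body of get_sid and is never undefined, so the macro stays visible for the rest of the translation unit and could silently clash with a later use of the same name. A scoped constant keeps it local, `const DWORD security_nt_auth = 5;`, or add `#undef SECURITY_NT_AUTH` after the last use. The function body continues in the next hunk.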
@@ -162,7 +163,17 @@ cygsid::get_sid (DWORD s, DWORD cnt, DWORD *r, bool well_known)
InitializeSid (psid, &sid_auth, cnt);
for (i = 0; i < cnt; ++i)
memcpy ((char *) psid + 8 + sizeof (DWORD) * i, &r[i], sizeof (DWORD));
- well_known_sid = well_known;
+ /* If the well_known flag isn't set explicitely, we check the SID
+ for being a well-known SID ourselves. That's necessary because this
+ cygsid is created from a SID string, usually from /etc/passwd or
+ /etc/group. The calling code just doesn't know if the SID is well-known
+ or not. All SIDs are well-known SIDs, except those in the non-unique NT
+ authority range. */
+ if (well_known)
+ well_known_sid = well_known;
+ else
+ well_known_sid = (s != SECURITY_NT_AUTH
+ || r[0] != SECURITY_NT_NON_UNIQUE_RID);
return psid;
}
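Review bot: The fallback classifies every SID outside S-1-5-21 as well-known, which is broader than the name suggests: per-session logon SIDs under S-1-5-5, and any other authority value read from /etc/passwd or /etc/group, get the flag too. The verify_token context in sec_auth.cc shows `is_well_known_sid ()` exempting a group from the `sid_in_token_groups` check, so the flag is security-relevant when its input is a text file. The comment should say which consumers rely on the flag and why excluding a single range is sufficient. The assignment also reduces to `well_known_sid = well_known || s != SECURITY_NT_AUTH || r[0] != SECURITY_NT_NON_UNIQUE_RID;`. get_sid begins in the previous hunk.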
diff --git a/winsup/cygwin/security.h b/winsup/cygwin/security.h
index 198f0f075..6bc2a47dd 100644
--- a/winsup/cygwin/security.h
+++ b/winsup/cygwin/security.h
@@ -1,7 +1,7 @@
/* security.h: security declarations
Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
- 2010 Red Hat, Inc.
+ 2010, 2011 Red Hat, Inc.
This file is part of Cygwin.
@@ -340,6 +340,12 @@ extern cygpsid well_known_samba_unix_user_fake_sid;
bool privilege_luid (const PWCHAR pname, LUID *luid);
inline BOOL
+well_known_sid_type (SID_NAME_USE type)
+{
+ return type == SidTypeAlias || type == SidTypeWellKnownGroup;
+}
+
+inline BOOL
legal_sid_type (SID_NAME_USE type)
{
return type == SidTypeUser || type == SidTypeGroup
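Review bot: `well_known_sid_type` has no comment saying what callers may conclude from a true result, although both new call sites in sec_auth.cc use it to set the well-known flag on a group SID. I would add `/* True for SID types treated as well-known (aliases and well-known groups). Test before legal_sid_type. */` above it. The ordering remark assumes legal_sid_type also accepts these types, which cannot be confirmed here because its body runs past the end of the hunk.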