Welcome to mirror list, hosted at ThFree Co, Russian Federation.

cygwin.com/git/newlib-cygwin.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/winsup/cygwin/security.cc
diff options
context:
space:
mode:
authorCorinna Vinschen <corinna@vinschen.de>2005-04-16 19:21:47 +0400
committerCorinna Vinschen <corinna@vinschen.de>2005-04-16 19:21:47 +0400
commit68a3f0d34af960ecb1da72ce70819189a3b6dd29 (patch)
treeb06e50bb18f618e2fccf7f3e8073662f1929a28d /winsup/cygwin/security.cc
parent00c05edcf1457ce2b6a03892c095ced9e4d15465 (diff)
* security.h (cygsidlist::addfromgr): Allow duplicate entries.
(get_server_groups): Declare new function. * security.cc (is_group_member): Simplify. (get_server_groups): New function. (get_initgroups_sidlist): Call get_server_groups. (verify_token): Allow token when supplementary sids are not in /etc/group but are in the token. Streamline the code. * grp.cc (initgroups32): New implementation. (getgroups32): Handle case where the supplementary groups are set.
Diffstat (limited to 'winsup/cygwin/security.cc')
-rw-r--r--winsup/cygwin/security.cc123
1 files changed, 66 insertions, 57 deletions
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index e74fd8df8..e2a9426a4 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -42,8 +42,7 @@ details. */
bool allow_ntsec;
/* allow_smbntsec is handled exclusively in path.cc (path_conv::check).
- It's defined here because of it's strong relationship to allow_ntsec.
- The default is TRUE to reflect the old behaviour. */
+ It's defined here because of it's strong relationship to allow_ntsec. */
bool allow_smbntsec;
bool allow_traverse;
@@ -363,7 +362,6 @@ is_group_member (WCHAR *wgroup, PSID pusersid, cygsidlist &grp_list)
LPLOCALGROUP_MEMBERS_INFO_0 buf;
DWORD cnt, tot;
NET_API_STATUS ret;
- bool retval = false;
/* Members can be users or global groups */
ret = NetLocalGroupGetMembers (NULL, wgroup, 0, (LPBYTE *) &buf,
@@ -371,14 +369,17 @@ is_group_member (WCHAR *wgroup, PSID pusersid, cygsidlist &grp_list)
if (ret)
return false;
- for (DWORD bidx = 0; !retval && bidx < cnt; ++bidx)
+ bool retval = true;
+ for (DWORD bidx = 0; bidx < cnt; ++bidx)
if (EqualSid (pusersid, buf[bidx].lgrmi0_sid))
- retval = true;
+ goto done;
else
- for (int glidx = 0; !retval && glidx < grp_list.count; ++glidx)
+ for (int glidx = 0; glidx < grp_list.count; ++glidx)
if (EqualSid (grp_list.sids[glidx], buf[bidx].lgrmi0_sid))
- retval = true;
+ goto done;
+ retval = false;
+ done:
NetApiBufferFree (buf);
return retval;
}
@@ -545,6 +546,30 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps,
}
}
+bool
+get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw)
+{
+ char user[UNLEN + 1];
+ char domain[INTERNET_MAX_HOST_NAME_LENGTH + 1];
+ WCHAR wserver[INTERNET_MAX_HOST_NAME_LENGTH + 3];
+ char server[INTERNET_MAX_HOST_NAME_LENGTH + 3];
+
+ if (well_known_system_sid == usersid)
+ {
+ grp_list += well_known_admins_sid;
+ get_unix_group_sidlist (pw, grp_list);
+ return true;
+ }
+
+ grp_list += well_known_world_sid;
+ grp_list += well_known_authenticated_users_sid;
+ extract_nt_dom_user (pw, domain, user);
+ if (get_logon_server (domain, server, wserver))
+ get_user_groups (wserver, grp_list, user, domain);
+ get_unix_group_sidlist (pw, grp_list);
+ return get_user_local_groups (grp_list, usersid);
+}
+
static bool
get_initgroups_sidlist (cygsidlist &grp_list,
PSID usersid, PSID pgrpsid, struct passwd *pw,
@@ -554,26 +579,12 @@ get_initgroups_sidlist (cygsidlist &grp_list,
grp_list += well_known_world_sid;
grp_list += well_known_authenticated_users_sid;
if (well_known_system_sid == usersid)
- {
- auth_pos = -1;
- grp_list += well_known_admins_sid;
- get_unix_group_sidlist (pw, grp_list);
- }
- else
- {
- char user[UNLEN + 1];
- char domain[INTERNET_MAX_HOST_NAME_LENGTH + 1];
- WCHAR wserver[INTERNET_MAX_HOST_NAME_LENGTH + 3];
- char server[INTERNET_MAX_HOST_NAME_LENGTH + 3];
+ auth_pos = -1;
+ else
+ get_token_group_sidlist (grp_list, my_grps, auth_luid, auth_pos);
+ if (!get_server_groups (grp_list, usersid, pw))
+ return false;
- get_token_group_sidlist (grp_list, my_grps, auth_luid, auth_pos);
- extract_nt_dom_user (pw, domain, user);
- if (get_logon_server (domain, server, wserver))
- get_user_groups (wserver, grp_list, user, domain);
- get_unix_group_sidlist (pw, grp_list);
- if (!get_user_local_groups (grp_list, usersid))
- return false;
- }
/* special_pgrp true if pgrpsid is not in normal groups */
if ((special_pgrp = !grp_list.contains (pgrpsid)))
grp_list += pgrpsid;
@@ -775,8 +786,7 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
}
PTOKEN_GROUPS my_grps;
- bool saw_buf[NGROUPS_MAX] = {};
- bool *saw = saw_buf, sawpg = false, ret = false;
+ bool sawpg = false, ret = false;
if (!GetTokenInformation (token, TokenGroups, NULL, 0, &size) &&
GetLastError () != ERROR_INSUFFICIENT_BUFFER)
@@ -785,40 +795,39 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
debug_printf ("alloca (my_grps) failed.");
else if (!GetTokenInformation (token, TokenGroups, my_grps, size, &size))
debug_printf ("GetTokenInformation(my_token, TokenGroups), %E");
- else if (!groups.issetgroups ()) /* setgroups was never called */
- ret = sid_in_token_groups (my_grps, groups.pgsid)
- || groups.pgsid == usersid;
- else /* setgroups was called */
+ else
{
- struct __group32 *gr;
- cygsid gsid;
- if (groups.sgsids.count > (int) (sizeof (saw_buf) / sizeof (*saw_buf))
- && !(saw = (bool *) calloc (groups.sgsids.count, sizeof (bool))))
- goto done;
-
- /* token groups found in /etc/group match the user.gsids ? */
- for (int gidx = 0; (gr = internal_getgrent (gidx)); ++gidx)
- if (gsid.getfromgr (gr) && sid_in_token_groups (my_grps, gsid))
- {
- int pos = groups.sgsids.position (gsid);
- if (pos >= 0)
- saw[pos] = true;
- else if (groups.pgsid == gsid)
- sawpg = true;
- else if (gsid != well_known_world_sid
- && gsid != usersid)
+ if (groups.issetgroups ()) /* setgroups was called */
+ {
+ cygsid gsid;
+ struct __group32 *gr;
+ bool saw[groups.sgsids.count];
+ memset (saw, 0, sizeof(saw));
+
+ /* token groups found in /etc/group match the user.gsids ? */
+ for (int gidx = 0; (gr = internal_getgrent (gidx)); ++gidx)
+ if (gsid.getfromgr (gr) && sid_in_token_groups (my_grps, gsid))
+ {
+ int pos = groups.sgsids.position (gsid);
+ if (pos >= 0)
+ saw[pos] = true;
+ else if (groups.pgsid == gsid)
+ sawpg = true;
+ else if (gsid != well_known_world_sid
+ && gsid != usersid)
+ goto done;
+ }
+ /* user.sgsids groups must be in the token */
+ for (int gidx = 0; gidx < groups.sgsids.count; gidx++)
+ if (!saw[gidx] && !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
goto done;
- }
- for (int gidx = 0; gidx < groups.sgsids.count; gidx++)
- if (!saw[gidx])
- goto done;
+ }
+ /* The primary group must be in the token */
ret = sawpg
- || groups.sgsids.contains (groups.pgsid)
- || groups.pgsid == usersid;
+ || sid_in_token_groups (my_grps, groups.pgsid)
+ || groups.pgsid == usersid;
}
done:
- if (saw != saw_buf)
- free (saw);
return ret;
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-03 17:23:15 +0300