author | Corinna Vinschen <corinna@vinschen.de> | 2001-05-20 08:10:47 +0000 |
committer | Corinna Vinschen <corinna@vinschen.de> | 2001-05-20 08:10:47 +0000 |
commit | 1fcc912f135e11aa78a4ed529c70d6887cfcb317 (patch) | |
tree | c4b324e704e1744bea60ee46e6695c67665549c7 /winsup/cygwin/security.h | |
parent | df7cd7fb0c3a857b652238573fb303ffce7eeb12 (diff) | |
* autoload.cc: Add load statements for `LookupAccountNameW',
`LsaClose', `LsaEnumerateAccountRights', `LsaFreeMemory',
`LsaOpenPolicy', `LsaQueryInformationPolicy', `NetLocalGroupEnum',
`NetLocalGroupGetMembers', `NetServerEnum', `NetUserGetGroups' and
`NtCreateToken'.
* ntdll.h: Add declaration for `NtCreateToken'.
* sec_helper.cc: Add `well_known_local_sid', `well_known_dialup_sid',
`well_known_network_sid', `well_known_batch_sid',
`well_known_interactive_sid', `well_known_service_sid' and
`well_known_authenticated_users_sid'.
(cygsid::string): Define as const method.
(cygsid::get_sid): Set psid to NO_SID on error.
(cygsid::getfromstr): Ditto.
(cygsid::getfrompw): Simplify.
(cygsid::getfromgr): Check for gr == NULL.
(legal_sid_type): Move to security.h.
(set_process_privilege): Return -1 on error, otherwise 0 or 1 related
to previous privilege setting.
* security.cc (extract_nt_dom_user): Remove `static'.
(lsa2wchar): New function.
(open_local_policy): Ditto.
(close_local_policy): Ditto.
(get_lsa_srv_inf): Ditto.
(get_logon_server): Ditto.
(get_logon_server_and_user_domain): Ditto.
(get_user_groups): Ditto.
(is_group_member): Ditto.
(get_user_local_groups): Ditto.
(sid_in_token_groups): Ditto.
(get_user_primary_group): Ditto.
(get_group_sidlist): Ditto.
(get_system_priv_list): Ditto.
(get_priv_list): Ditto.
(get_dacl): Ditto.
(create_token): Ditto.
(subauth): Return immediately if SE_TCB_NAME can't be assigned.
Change all return statements in case of error to jumps to `out'
label. Add `out' label to support cleanup.
* security.h: Add extern declarations for `well_known_local_sid',
`well_known_dialup_sid', `well_known_network_sid',
`well_known_batch_sid', `well_known_interactive_sid',
`well_known_service_sid' and `well_known_authenticated_users_sid'.
Add extern declarations for functions `create_token',
`extract_nt_dom_user' and `get_logon_server_and_user_domain'.
(class cygsid): Add method `assign'. Change operator= to call new
`assign' method. Add `debug_print' method.
(class cygsidlist): New class.
(legal_sid_type): Moved from sec_helper.cc to here.
* spawn.cc (spawn_guts) Revert reversion of previous patch.
Call `RevertToSelf' and `ImpersonateLoggedOnUser' instead of `seteuid'
again.
* syscalls.cc (seteuid): Rearranged. Call `create_token' now when
needed. Call `subauth' if `create_token' fails. Try setting token
owner and primary group only if token was not explicitly created
by `create_token'.
* uinfo.cc (internal_getlogin): Try harder to generate correct user
information. Especially don't trust return value of `GetUserName'.
Diffstat (limited to 'winsup/cygwin/security.h')
-rw-r--r-- | winsup/cygwin/security.h | 105 |
1 files changed, 91 insertions, 14 deletions
diff --git a/winsup/cygwin/security.h b/winsup/cygwin/security.h
index 5f2a38141..c915c1b6c 100644
--- a/winsup/cygwin/security.h
+++ b/winsup/cygwin/security.h
@@ -26,6 +26,18 @@ class cygsid {
 const PSID getfromstr (const char *nsidstr);
 PSID get_sid (DWORD s, DWORD cnt, DWORD *r);
+ inline const PSID assign (const PSID nsid)
+ {
+ if (!nsid)
+ psid = NO_SID;
+ else
+ {
+ psid = (PSID) sbuf;
+ CopySid (MAX_SID_LEN, psid, nsid);
+ }
+ return psid;
+ }
+
 public:
 inline cygsid () : psid ((PSID) sbuf) {}
 inline cygsid (const PSID nsid) { *this = nsid; }
@@ -40,19 +52,12 @@ public:
 inline int get_uid () { return get_id (FALSE); }
 inline int get_gid () { return get_id (TRUE); }
- char *string (char *nsidstr);
+ char *string (char *nsidstr) const;
+ inline const PSID operator= (cygsid &nsid)
+ { return assign (nsid); }
 inline const PSID operator= (const PSID nsid)
- {
- if (!nsid)
- psid = NULL;
- else
- {
- psid = (PSID) sbuf;
- CopySid (MAX_SID_LEN, psid, nsid);
- }
- return psid;
- }
+ { return assign (nsid); }
 inline const PSID operator= (const char *nsidstr)
 { return getfromstr (nsidstr); }
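Review bot: The return value of `CopySid` in the new `assign` is not checked, so when CopySid rejects the source (as far as I can tell, a SID that does not fit in MAX_SID_LEN bytes) `psid` is left pointing at `sbuf`, whose stale contents are then handed to callers as a valid SID. Since `assign` is the single path behind both `operator=` overloads and the PSID constructor, that failure reaches every cygsid built from an externally supplied SID. I would write the else branch as `psid = (PSID) sbuf;` / `if (!CopySid (MAX_SID_LEN, psid, nsid))` / `psid = NO_SID;` so a failed copy is reported the same way a null input already is. The enclosing class cygsid starts before this hunk.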
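Review bot: The new `operator= (cygsid &nsid)` takes a non-const reference only because the conversion it relies on, `operator const PSID ()` (visible as context in the next hunk), is not a const member, so a cygsid cannot be assigned from a `const cygsid` or from a temporary, and the same restriction is inherited by `cygsidlist::add (cygsid &)` and `contains (cygsid &)` below. Making the conversion const, `inline operator const PSID () const { return psid; }`, lets this overload become `inline const PSID operator= (const cygsid &nsid) { return assign (nsid); }` with no change in behaviour. The enclosing class cygsid starts before this hunk and ends after it.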
@@ -73,12 +78,77 @@ public:
 { return !(*this == nsidstr); }
 inline operator const PSID () { return psid; }
+
+ void debug_print (const char *prefix = NULL) const
+ {
+ char buf[256];
+ debug_printf ("%s %s", prefix ?: "", string (buf) ?: "NULL");
+ }
+};
+
+class cygsidlist {
+public:
+ int count;
+ cygsid *sids;
+
+ cygsidlist () : count (0), sids (NULL) {}
+ ~cygsidlist () { delete [] sids; }
+
+ BOOL add (cygsid &nsi)
+ {
+ cygsid *tmp = new cygsid [count + 1];
+ if (!tmp)
+ return FALSE;
+ for (int i = 0; i < count; ++i)
+ tmp[i] = sids[i];
+ delete [] sids;
+ sids = tmp;
+ sids[count++] = nsi;
+ return TRUE;
+ }
+ BOOL add (const PSID nsid) { return add (nsid); }
+ BOOL add (const char *sidstr)
+ { cygsid nsi (sidstr); return add (nsi); }
+
+ BOOL operator+= (cygsid &si) { return add (si); }
+ BOOL operator+= (const char *sidstr) { return add (sidstr); }
+
+ BOOL contains (cygsid &sid) const
+ {
+ for (int i = 0; i < count; ++i)
+ if (sids[i] == sid)
+ return TRUE;
+ return FALSE;
+ }
+ void debug_print (const char *prefix = NULL) const
+ {
+ debug_printf ("-- begin sidlist ---");
+ if (!count)
+ debug_printf ("No elements");
+ for (int i = 0; i < count; ++i)
+ sids[i].debug_print (prefix);
+ debug_printf ("-- ende sidlist ---");
+ }
 };
-extern cygsid well_known_admin_sid;
-extern cygsid well_known_system_sid;
-extern cygsid well_known_creator_owner_sid;
 extern cygsid well_known_world_sid;
+extern cygsid well_known_local_sid;
+extern cygsid well_known_creator_owner_sid;
+extern cygsid well_known_dialup_sid;
+extern cygsid well_known_network_sid;
+extern cygsid well_known_batch_sid;
+extern cygsid well_known_interactive_sid;
+extern cygsid well_known_service_sid;
+extern cygsid well_known_authenticated_users_sid;
+extern cygsid well_known_system_sid;
+extern cygsid well_known_admin_sid;
+
+inline BOOL
+legal_sid_type (SID_NAME_USE type)
+{
+ return type == SidTypeUser || type == SidTypeGroup
+ || type == SidTypeAlias || type == SidTypeWellKnownGroup;
+}
 extern BOOL allow_ntsec;
 extern BOOL allow_smbntsec;
@@ -102,6 +172,13 @@ BOOL __stdcall add_access_denied_ace (PACL acl, int offset, DWORD attributes, PS
 /* Try a subauthentication. */
 HANDLE subauth (struct passwd *pw);
+/* Try creating a token directly. */
+HANDLE create_token (cygsid &usersid, cygsid &pgrpsid);
+
+/* Extract U-domain\user field from passwd entry. */
+void extract_nt_dom_user (const struct passwd *pw, char *domain, char *user);
+/* Get default logonserver and domain for this box. */
+BOOL get_logon_server_and_user_domain (char *logonserver, char *domain);
 /* sec_helper.cc: Security helper functions. */
 BOOL __stdcall is_grp_member (uid_t uid, gid_t gid);
|
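Review bot: `BOOL add (const PSID nsid) { return add (nsid); }` in the new cygsidlist class calls itself: for a `const PSID` argument the exact-match overload is this one, not `add (cygsid &)` (a non-const reference cannot bind to the temporary cygsid the constructor would produce) nor `add (const char *)`, so any caller handing over a raw SID recurses until the stack is exhausted. It should mirror the string overload next to it: `BOOL add (const PSID nsid) { cygsid nsi (nsid); return add (nsi); }`. Two smaller points in the same class: `if (!tmp) return FALSE;` after `new cygsid [count + 1]` only has an effect if operator new returns NULL in this build rather than throwing, and cygsidlist owns `sids` through `delete []` in its destructor but declares no copy constructor or copy assignment, so copying a list double-frees the array; declaring both private would close that. The first two lines of this hunk still belong to class cygsid, which starts before the hunk.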
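Review bot: The new declarations `void extract_nt_dom_user (const struct passwd *pw, char *domain, char *user);` and `BOOL get_logon_server_and_user_domain (char *logonserver, char *domain);` take output buffers with no length parameter, and the comments above them do not say how large those buffers must be, so a caller cannot tell from this header what is safe to pass. Either the comments should state the minimum sizes, e.g. `/* Extract U-domain\user field from passwd entry.  domain and user must each hold at least <size assumed in security.cc> bytes. */`, or the functions should take the buffer sizes explicitly. The implementations live in security.cc and are not part of this diff, so the exact sizes cannot be confirmed here.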