diff options
| -rw-r--r-- | winsup/cygwin/ChangeLog | 12 | ||||
| -rw-r--r-- | winsup/cygwin/security.cc | 88 |
2 files changed, 51 insertions, 49 deletions
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog index 8c1c2877b..74d3eb6e6 100644 --- a/winsup/cygwin/ChangeLog +++ b/winsup/cygwin/ChangeLog @@ -1,3 +1,15 @@ +2002-07-18 Pierre Humblet <pierre.humblet@ieee.org> + + * security.cc (get_unix_group_sidlist): Create. + (get_supplementary_group_sidlist): Evolve into get_unix_group_sidlist. + (get_user_local_groups): Add check for duplicates. + (get_user_primary_group): Suppress. + (get_group_sidlist): Silently ignore PDC unavailability. + Call get_unix_group_sidlist() before get_user_local_groups(). + Remove call to get_supplementary_group_sidlist(). Never call + get_user_primary_group() as the passwd group is always included. + Add well_known_authenticated_users_sid in only one statement. + 2002-07-19 Christopher Faylor <cgf@redhat.com> * fhandler_serial.cc (fhandler_serial::tcflush): Fix typo. diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc index df132352a..ae6be4194 100644 --- a/winsup/cygwin/security.cc +++ b/winsup/cygwin/security.cc @@ -388,18 +388,18 @@ get_user_local_groups (cygsidlist &grp_list, PSID pusersid) sys_wcstombs (bgroup + blen, buf[i].lgrpi0_name, GNLEN + 1); if (!LookupAccountName (NULL, bgroup, gsid, &glen, domain, &dlen, &use)) { - if (GetLastError () != ERROR_NONE_MAPPED) - debug_printf ("LookupAccountName(%s): %E", bgroup); - strcpy (lgroup + llen, bgroup + blen); - if (!LookupAccountName (NULL, lgroup, gsid, &glen, - domain, &dlen, &use)) - debug_printf ("LookupAccountName(%s): %E", lgroup); + if (GetLastError () != ERROR_NONE_MAPPED) + debug_printf ("LookupAccountName(%s): %E", bgroup); + strcpy (lgroup + llen, bgroup + blen); + if (!LookupAccountName (NULL, lgroup, gsid, &glen, + domain, &dlen, &use)) + debug_printf ("LookupAccountName(%s): %E", lgroup); } - if (legal_sid_type (use)) + if (!legal_sid_type (use)) + debug_printf ("Rejecting local %s. use: %d", bgroup + blen, use); + else if (!grp_list.contains (gsid)) grp_list += gsid; - else debug_printf ("Rejecting local %s. use: %d", bgroup + blen, use); } - NetApiBufferFree (buf); return TRUE; } @@ -415,6 +415,7 @@ sid_in_token_groups (PTOKEN_GROUPS grps, cygsid &sid) return FALSE; } +#if 0 /* Unused */ static BOOL get_user_primary_group (WCHAR *wlogonserver, const char *user, PSID pusersid, cygsid &pgrpsid) @@ -448,34 +449,33 @@ get_user_primary_group (WCHAR *wlogonserver, const char *user, NetApiBufferFree (buf); return retval; } +#endif -static int -get_supplementary_group_sidlist (const char *username, cygsidlist &grp_list) +static void +get_unix_group_sidlist (struct passwd * pw, cygsidlist &grp_list) { struct __group32 *gr; - int cnt = 0; + cygsid gsid; for (int gidx = 0; (gr = internal_getgrent (gidx)); ++gidx) { - if (gr->gr_mem) + if (gr->gr_gid == (__gid32_t) pw->pw_gid) + goto found; + else if (gr->gr_mem) for (int gi = 0; gr->gr_mem[gi]; ++gi) - if (strcasematch (username, gr->gr_mem[gi])) - { - if (gr->gr_passwd && *gr->gr_passwd) - { - cygsid sid (gr->gr_passwd); - if ((PSID)sid && grp_list.add (sid)) - ++cnt; - } - break; - } + if (strcasematch (pw->pw_name, gr->gr_mem[gi])) + goto found; + continue; + found: + if (gsid.getfromgr (gr) && !grp_list.contains (gsid)) + grp_list += gsid; + } - return cnt; } static BOOL get_group_sidlist (cygsidlist &grp_list, - cygsid &usersid, cygsid &pgrpsid, struct passwd * pw, + cygsid &usersid, cygsid &pgrpsid, struct passwd * pw, PTOKEN_GROUPS my_grps, LUID auth_luid, int &auth_pos, BOOL * special_pgrp) { @@ -488,16 +488,14 @@ get_group_sidlist (cygsidlist &grp_list, auth_pos = -1; grp_list += well_known_world_sid; + grp_list += well_known_authenticated_users_sid; if (usersid == well_known_system_sid) { - grp_list += well_known_authenticated_users_sid; grp_list += well_known_admins_sid; + get_unix_group_sidlist (pw, grp_list); } else { - extract_nt_dom_user (pw, domain, user); - if (!get_logon_server (domain, server, wserver)) - return FALSE; if (my_grps) { if (sid_in_token_groups (my_grps, well_known_local_sid)) @@ -512,13 +510,11 @@ get_group_sidlist (cygsidlist &grp_list, grp_list += well_known_interactive_sid; if (sid_in_token_groups (my_grps, well_known_service_sid)) grp_list += well_known_service_sid; - grp_list += well_known_authenticated_users_sid; } else { grp_list += well_known_local_sid; grp_list += well_known_interactive_sid; - grp_list += well_known_authenticated_users_sid; } if (auth_luid.QuadPart != 999) /* != SYSTEM_LUID */ { @@ -528,28 +524,22 @@ get_group_sidlist (cygsidlist &grp_list, grp_list += buf; auth_pos = grp_list.count - 1; } - if (!get_user_groups (wserver, grp_list, user, domain) || - !get_user_local_groups (grp_list, usersid)) + extract_nt_dom_user (pw, domain, user); + /* Fail silently if DC is not reachable */ + if (get_logon_server (domain, server, wserver) && + !get_user_groups (wserver, grp_list, user, domain)) + return FALSE; + get_unix_group_sidlist (pw, grp_list); + if (!get_user_local_groups (grp_list, usersid)) return FALSE; } /* special_pgrp true if pgrpsid is not null and not in normal groups */ - if (!pgrpsid) + *special_pgrp = FALSE; + if (pgrpsid && !grp_list.contains (pgrpsid)) { - *special_pgrp = FALSE; - get_user_primary_group (wserver, user, usersid, pgrpsid); + *special_pgrp = TRUE; + grp_list += pgrpsid; } - else - *special_pgrp = TRUE; - if (pw->pw_name && get_supplementary_group_sidlist (pw->pw_name, sup_list)) - { - for (int i = 0; i < sup_list.count; ++i) - if (!grp_list.contains (sup_list.sids[i])) - grp_list += sup_list.sids[i]; - } - if (!grp_list.contains (pgrpsid)) - grp_list += pgrpsid; - else - *special_pgrp = FALSE; return TRUE; } @@ -856,7 +846,7 @@ create_token (cygsid &usersid, cygsid &pgrpsid, struct passwd * pw) if (psa->lpSecurityDescriptor && !SetSecurityDescriptorGroup ( (PSECURITY_DESCRIPTOR) psa->lpSecurityDescriptor, - special_pgrp?pgrpsid:well_known_null_sid, FALSE)) + special_pgrp ? pgrpsid : well_known_null_sid, FALSE)) debug_printf ("SetSecurityDescriptorGroup %E"); /* Convert to primary token. */ if (!DuplicateTokenEx (token, MAXIMUM_ALLOWED, psa, |