From c7b9a091a5037a884948329b264f9b44102d28ce Mon Sep 17 00:00:00 2001
From: Corinna Vinschen <corinna@vinschen.de>
Date: Mon, 3 Mar 2014 12:03:47 +0000
Subject: 	* sec_helper.cc (cygpsid::get_id): Move Samba SID->uid/gid
 mapping 	from get_sids_info here. 	(get_sids_info): Vice versa. 
 * security.cc (convert_samba_sd): New static function to map a Samba 
 security descriptor to a security descriptor with UNIX users and groups 
 converted to Windows SIDs per RFC 2307 mapping. 	(check_file_access):
 Call convert_samba_sd on Samba security 	descriptors.

---
 winsup/cygwin/sec_helper.cc | 97 +++++++++++++++++----------------------------
 1 file changed, 37 insertions(+), 60 deletions(-)

(limited to 'winsup/cygwin/sec_helper.cc')

diff --git a/winsup/cygwin/sec_helper.cc b/winsup/cygwin/sec_helper.cc
index 23dfc94e8..69df2baf8 100644
--- a/winsup/cygwin/sec_helper.cc
+++ b/winsup/cygwin/sec_helper.cc
@@ -103,9 +103,27 @@ cygpsid::get_id (BOOL search_grp, int *type, cyg_ldap *pldap)
       struct group *gr;
       if (cygheap->user.groups.pgsid == psid)
 	id = myself->gid;
+      else if (sid_id_auth (psid) == 22)
+	{
+	  /* Samba UNIX group.  Try to map to Cygwin gid.  If there's no
+	     mapping in the cache, try to fetch it from the configured
+	     RFC 2307 domain (see last comment in cygheap_domain_info::init()
+	     for more information) and add it to the mapping cache. */
+	  gid_t gid = sid_sub_auth_rid (psid);
+	  gid_t map_gid = cygheap->ugid_cache.get_gid (gid);
+	  if (map_gid == ILLEGAL_GID)
+	    {
+	      if (pldap->open (cygheap->dom.get_rfc2307_domain ()))
+		map_gid = pldap->remap_gid (gid);
+	      if (map_gid == ILLEGAL_GID) 
+		map_gid = MAP_UNIX_TO_CYGWIN_ID (gid);
+	      cygheap->ugid_cache.add_gid (gid, map_gid);
+	    }
+	  id = (uid_t) map_gid;
+	}
       else if ((gr = internal_getgrsid (*this, pldap)))
 	id = gr->gr_gid;
-      if (id != ILLEGAL_UID)
+      if ((gid_t) id != ILLEGAL_GID)
 	{
 	  if (type)
 	    *type = GROUP;
@@ -117,6 +135,21 @@ cygpsid::get_id (BOOL search_grp, int *type, cyg_ldap *pldap)
       struct passwd *pw;
       if (*this == cygheap->user.sid ())
 	id = myself->uid;
+      else if (sid_id_auth (psid) == 22)
+	{
+	  /* Samba UNIX user.  See comment above. */
+	  uid_t uid = sid_sub_auth_rid (psid);
+	  uid_t map_uid = cygheap->ugid_cache.get_uid (uid);
+	  if (map_uid == ILLEGAL_UID)
+	    {
+	      if (pldap->open (cygheap->dom.get_rfc2307_domain ()))
+		map_uid = pldap->remap_uid (uid);
+	      if (map_uid == ILLEGAL_UID)
+		map_uid = MAP_UNIX_TO_CYGWIN_ID (uid);
+	      cygheap->ugid_cache.add_uid (uid, map_uid);
+	    }
+	  id = map_uid;
+	}
       else if ((pw = internal_getpwsid (*this, pldap)))
 	id = pw->pw_uid;
       if (id != ILLEGAL_UID && type)
@@ -295,44 +328,16 @@ cygsidlist::add (const PSID nsi, bool well_known)
 bool
 get_sids_info (cygpsid owner_sid, cygpsid group_sid, uid_t * uidret, gid_t * gidret)
 {
-  struct passwd *pw;
-  struct group *gr = NULL;
   BOOL ret = false;
-  PWCHAR domain;
   cyg_ldap cldap;
 
   owner_sid.debug_print ("get_sids_info: owner SID =");
   group_sid.debug_print ("get_sids_info: group SID =");
 
-  if (group_sid == cygheap->user.groups.pgsid)
-    *gidret = myself->gid;
-  else if (sid_id_auth (group_sid) == 22)
-    {
-      /* Samba UNIX group.  Try to map to Cygwin gid.  If there's no mapping in
-	 the cache, try to fetch it from the configured RFC 2307 domain (see
-	 last comment in cygheap_domain_info::init() for more information) and
-	 add it to the mapping cache. */
-      gid_t gid = sid_sub_auth_rid (group_sid);
-      gid_t map_gid = cygheap->ugid_cache.get_gid (gid);
-      if (map_gid == ILLEGAL_GID)
-	{
-	  domain = cygheap->dom.get_rfc2307_domain ();
-	  if (cldap.open (domain))
-	    map_gid = cldap.remap_gid (gid);
-	  if (map_gid == ILLEGAL_GID)
-	    map_gid = MAP_UNIX_TO_CYGWIN_ID (gid);
-	  cygheap->ugid_cache.add_gid (gid, map_gid);
-	}
-      *gidret = map_gid;
-    }
-  else if ((gr = internal_getgrsid (group_sid, &cldap)))
-    *gidret = gr->gr_gid;
-  else
-    *gidret = ILLEGAL_GID;
-
-  if (owner_sid == cygheap->user.sid ())
+  *uidret = owner_sid.get_uid (&cldap);
+  *gidret = group_sid.get_gid (&cldap);
+  if (*uidret == myself->uid)
     {
-      *uidret = myself->uid;
       if (*gidret == myself->gid)
 	ret = TRUE;
       else
@@ -340,34 +345,6 @@ get_sids_info (cygpsid owner_sid, cygpsid group_sid, uid_t * uidret, gid_t * gid
 			      ? cygheap->user.imp_token () : NULL,
 			      group_sid, &ret);
     }
-  else if (sid_id_auth (owner_sid) == 22)
-    {
-      /* Samba UNIX user.  See comment above. */
-      uid_t uid = sid_sub_auth_rid (owner_sid);
-      uid_t map_uid = cygheap->ugid_cache.get_uid (uid);
-      if (map_uid == ILLEGAL_UID)
-	{
-	  domain = cygheap->dom.get_rfc2307_domain ();
-	  if (cldap.open (domain))
-	    map_uid = cldap.remap_uid (uid);
-	  if (map_uid == ILLEGAL_UID)
-	    map_uid = MAP_UNIX_TO_CYGWIN_ID (uid);
-	  cygheap->ugid_cache.add_uid (uid, map_uid);
-	}
-      *uidret = map_uid;
-    }
-  else if ((pw = internal_getpwsid (owner_sid, &cldap)))
-    {
-      *uidret = pw->pw_uid;
-      if (gr || (*gidret != ILLEGAL_GID
-		 && (gr = internal_getgrgid (*gidret, &cldap))))
-	for (int idx = 0; gr->gr_mem[idx]; ++idx)
-	  if ((ret = strcasematch (pw->pw_name, gr->gr_mem[idx])))
-	    break;
-    }
-  else
-    *uidret = ILLEGAL_UID;
-
   return (bool) ret;
 }
 
-- 
cgit v1.2.3