Mail Archives: cygwin/2013/06/08/04:33:18
X-Recipient: | archive-cygwin AT delorie DOT com
|
DomainKey-Signature: | a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
|
| :list-unsubscribe:list-subscribe:list-archive:list-post
|
| :list-help:sender:message-id:date:from:mime-version:to:subject
|
| :references:in-reply-to:content-type; q=dns; s=default; b=brBMhT
|
| ZSE/xPly74Hbj8ke+QOQ/bp00ZY8yYFVbsh1zcR0MVDvfMGZ54H4H+RPbFIwNJxD
|
| TSa1xV/ysCtlL5MuRCL/KLdOuZwu0/xl6T03ECG32DqtQIjgj3FndcnCv0F1iJPj
|
| 9w2PXJcORTMUeYXMrOspNLWH0lCStUQQ9kWkM=
|
DKIM-Signature: | v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
|
| :list-unsubscribe:list-subscribe:list-archive:list-post
|
| :list-help:sender:message-id:date:from:mime-version:to:subject
|
| :references:in-reply-to:content-type; s=default; bh=RkGnSSo7ocx2
|
| 8/3RVRTlzUFGbNk=; b=RH0hbJNj4RK+m6fpHVpyY2dyHcZHd9xA06Ziebq+qU4f
|
| R4D+c4xk/6d6OPOQqZr8Dy+EtUEXYs50gGiigpjvI3jl7Z/maXYpgJ9eyvk6V3HQ
|
| 7izmS8XWCtU+sz2nTIkHPCsdFY46GaeYIGKLCq1WYzOXCgCxr0T+vb37+0GnNQE=
|
Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm
|
List-Id: | <cygwin.cygwin.com>
|
List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com>
|
List-Archive: | <http://sourceware.org/ml/cygwin/>
|
List-Post: | <mailto:cygwin AT cygwin DOT com>
|
List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
|
Sender: | cygwin-owner AT cygwin DOT com
|
Mail-Followup-To: | cygwin AT cygwin DOT com
|
Delivered-To: | mailing list cygwin AT cygwin DOT com
|
X-Spam-SWARE-Status: | No, score=-5.8 required=5.0 tests=AWL,BAYES_00,KHOP_PGP_SIGNED,KHOP_THREADED,RP_MATCHES_RCVD,SPF_HELO_PASS,SPF_PASS,TW_VK autolearn=ham version=3.3.1
|
Message-ID: | <51B2EC44.30102@dancol.org>
|
Date: | Sat, 08 Jun 2013 01:33:08 -0700
|
From: | Daniel Colascione <dancol AT dancol DOT org>
|
User-Agent: | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
|
MIME-Version: | 1.0
|
To: | cygwin AT cygwin DOT com
|
Subject: | Re: DS_FORCE_REDISCOVERY lookup slows ssh logon
|
References: | <51B2D55B DOT 3020904 AT dancol DOT org>
|
In-Reply-To: | <51B2D55B.3020904@dancol.org>
|
X-Virus-Found: | No
|
------enig2JWTGCELBJMTQTFKHNICV
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
On 6/7/2013 11:55 PM, Daniel Colascione wrote:
> (By the way: how on earth does logon eventually succeed if group enumeration
> fails? I'm using the stored-password authentication method, and when sshd
> eventually connects, my user (according to whoami.exe /priv) is a member of the
> groups I expect.)
Ah, I found http://cygwin.com/ml/cygwin/2009-06/msg00828.html. sshd is just
getting a truncated group list from initgroups while checking ~/.ssh
permissions, which still happens to work fine in my case, the logon delay aside.
Changing openssh to call setgroups only after calling seteuid might help (so
we'd retrieve the group list in the context of our new user), but because
get_groups calls deimpersonate before talking to the server, that wouldn't
actually work.
What about something like this?
Index: sec_auth.cc
===================================================================
RCS file: /cvs/src/src/winsup/cygwin/sec_auth.cc,v
retrieving revision 1.47
diff -u -r1.47 sec_auth.cc
--- sec_auth.cc 23 Apr 2013 09:44:33 -0000 1.47
+++ sec_auth.cc 8 Jun 2013 08:31:16 -0000
@@ -246,7 +246,8 @@
static bool
get_user_groups (WCHAR *logonserver, cygsidlist &grp_list,
- PWCHAR user, PWCHAR domain)
+ PWCHAR user, PWCHAR domain,
+ struct passwd *pw)
{
WCHAR dgroup[MAX_DOMAIN_NAME_LEN + GNLEN + 2];
LPGROUP_USERS_INFO_0 buf;
@@ -256,6 +257,33 @@
/* Look only on logonserver */
ret =3D NetUserGetGroups (logonserver, user, 0, (LPBYTE *) &buf,
MAX_PREFERRED_LENGTH, &cnt, &tot);
+
+ if (ret =3D=3D ERROR_ACCESS_DENIED)
+ {
+ /* If we can't list the user's groups as ourselves, try
+ impersonating the user and trying again. If the user is a
+ domain account and we're just a privileged local account, the
+ user might have more access than we do. Only try
+ lsaprivkeyauth because other methods for creating user tokens
+ don't give us network credentials anyway.
+ */
+
+ HANDLE user_token =3D lsaprivkeyauth (pw);
+
+ if (user_token)
+ {
+ if (ImpersonateLoggedOnUser (user_token))
+ {
+ ret =3D NetUserGetGroups (logonserver, user, 0, (LPBYTE *) &buf,
+ MAX_PREFERRED_LENGTH, &cnt, &tot);
+
+ RevertToSelf ();
+ }
+
+ CloseHandle (user_token);
+ }
+ }
+
if (ret)
{
__seterrno_from_win_error (ret);
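Review bot: `RevertToSelf ()` in the retry block after the second `NetUserGetGroups` is unchecked, so if the revert fails the thread keeps running under the lsaprivkeyauth token for everything that follows, and the same unchecked revert appears in the NetUserGetLocalGroups retry in the next function. The retry is otherwise duplicated verbatim between the two functions, so I'd factor the impersonation into a pair of helpers that treat a failed revert as fatal and call them from both sites; the comment's closing `*/` would then also sit on the last text line as elsewhere in the file. This presumes the calling thread is not already impersonating when these run (the mail notes a deimpersonate beforehand); if it can be, RevertToSelf drops that context instead of restoring it, and a save/restore of the thread token would be needed rather than RevertToSelf.
```cpp
/* Impersonate PW using the credentials lsaprivkeyauth can recover.
   On success *TOKEN holds the token the caller hands back to
   revert_user ().  Only lsaprivkeyauth is tried because the other
   token-creation methods don't provide network credentials.  */
static bool
impersonate_user (struct passwd *pw, HANDLE *token)
{
  *token = lsaprivkeyauth (pw);
  if (!*token)
    return false;
  if (!ImpersonateLoggedOnUser (*token))
    {
      CloseHandle (*token);
      *token = NULL;
      return false;
    }
  return true;
}

/* Undo impersonate_user ().  A failed RevertToSelf would leave the
   thread running as the user, which no caller can tolerate.  */
static void
revert_user (HANDLE token)
{
  if (!RevertToSelf ())
    api_fatal ("RevertToSelf failed after impersonating user");
  CloseHandle (token);
}

/* … in get_user_groups, unchanged: first NetUserGetGroups call … */
  HANDLE user_token;
  /* If we can't list the user's groups as ourselves, retry as the user:
     a domain account may see more than a privileged local account.  */
  if (ret == ERROR_ACCESS_DENIED && impersonate_user (pw, &user_token))
    {
      ret = NetUserGetGroups (logonserver, user, 0, (LPBYTE *) &buf,
                              MAX_PREFERRED_LENGTH, &cnt, &tot);
      revert_user (user_token);
    }
/* … unchanged: error path and group list handling … */
```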
@@ -292,7 +320,8 @@
static bool
get_user_local_groups (PWCHAR logonserver, PWCHAR domain,
- cygsidlist &grp_list, PWCHAR user)
+ cygsidlist &grp_list, PWCHAR user,
+ struct passwd *pw)
{
LPLOCALGROUP_INFO_0 buf;
DWORD cnt, tot;
@@ -301,6 +330,29 @@
ret =3D NetUserGetLocalGroups (logonserver, user, 0, LG_INCLUDE_INDIRECT,
(LPBYTE *) &buf, MAX_PREFERRED_LENGTH,
&cnt, &tot);
+
+ if (ret =3D=3D ERROR_ACCESS_DENIED)
+ {
+ /* See the ERROR_ACCESS_DENIED comment in get_user_groups */
+
+ HANDLE user_token =3D lsaprivkeyauth (pw);
+
+ if (user_token)
+ {
+ if (ImpersonateLoggedOnUser (user_token))
+ {
+ ret =3D NetUserGetLocalGroups (
+ logonserver, user, 0, LG_INCLUDE_INDIRECT,
+ (LPBYTE *) &buf, MAX_PREFERRED_LENGTH,
+ &cnt, &tot);
+
+ RevertToSelf ();
+ }
+
+ CloseHandle (user_token);
+ }
+ }
+
if (ret)
{
__seterrno_from_win_error (ret);
@@ -482,10 +534,10 @@
return false;
}
if (get_logon_server (domain, server, false)
- && !get_user_groups (server, grp_list, user, domain)
+ && !get_user_groups (server, grp_list, user, domain, pw)
&& get_logon_server (domain, server, true))
- get_user_groups (server, grp_list, user, domain);
- get_user_local_groups (server, domain, grp_list, user);
+ get_user_groups (server, grp_list, user, domain, pw);
+ get_user_local_groups (server, domain, grp_list, user, pw);
get_unix_group_sidlist (pw, grp_list);
return true;
}
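Review bot: Threading `pw` through the three calls means each ERROR_ACCESS_DENIED retry runs lsaprivkeyauth afresh, so a single pass through this code can perform up to three separate stored-credential logons (the first get_user_groups, the rediscovery retry on the next line, then get_user_local_groups), each a distinct LSA logon with its own cost and audit trail. I'd acquire the token at most once in this function and pass a `HANDLE` (or a small struct carrying `pw` plus a lazily created token) down instead of `pw`, closing it after the get_user_local_groups call. The enclosing function starts outside the hunk, so where the token would be declared and released is not visible here.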
------enig2JWTGCELBJMTQTFKHNICV
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlGy7EYACgkQ17c2LVA10Vsf6QCfV2ULaiRxjKvWhTfbGzxLiz/+
i4kAoK2/vR+pJ9VF4/4L+7bXJE0GjA3C
=tMXe
-----END PGP SIGNATURE-----
------enig2JWTGCELBJMTQTFKHNICV--