Mail Archives: cygwin/2024/02/23/13:46:16

In-Reply-To: <Zdi-CnGX3CwWA0nl@calimero.vinschen.de>
Date: Fri, 23 Feb 2024 19:45:20 +0100
Message-ID: <CAKAoaQ=kLW3houqanjcN9Qk1++BtgW-dNRiXjLYwCRTYEzoN=w@mail.gmail.com>
Subject: Re: Switching groups with newgrp - how to get the new group with
|GetTokenInformation()| ?
To: cygwin AT cygwin DOT com
From: Roland Mainz via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Roland Mainz <roland DOT mainz AT nrubsig DOT org>

On Fri, Feb 23, 2024 at 4:47 PM Corinna Vinschen via Cygwin
<cygwin AT cygwin DOT com> wrote:
> On Feb 23 14:03, Roland Mainz via Cygwin wrote:
> > On Thu, Feb 22, 2024 at 8:11 PM Corinna Vinschen via Cygwin
> > <cygwin AT cygwin DOT com> wrote:
> > > On Feb 22 18:38, Roland Mainz via Cygwin wrote:
> > > > If I switch the current user's group with /usr/bin/newgrp, how can a
> > > > (native) Win32 process use
> > > > |GetTokenInformation(GetCurrentThreadToken(), ...)| to find out which
> > > > group is the new "current group" (e.g. which |TokenInformationClass|
> > > > should I use) ?
> > >
> > >   PSID sidbuf = (PSID) alloca (SECURITY_MAX_SID_SIZE);
> > >   NTSTATUS status;
> > >   ULONG size;
> > >
> > >   status = NtQueryInformationToken (hProcToken, TokenPrimaryGroup,
> > >                                     sidbuf, SECURITY_MAX_SID_SIZE,
> > >                                     &size);
> >
> > Well, it works in the case of an "hello world" application, but if I
> > stuff that into the nfsd_daemon (NFSv4.1 ms-nfs41-client client
> > daemon) it always prints the default primary group, even if the
> > current thread should impersonate another user - or in this case even
> > the same user, but a different primary group (e.g. see
> > https://github.com/kofemann/ms-nfs41-client/blob/master/sys/nfs41_driver.c#L1367).
> >
> > Do you have any idea what is going wrong in this case ?
>
> Not sure about that.  I'm not familiar with driver development under
> Windows.

Me neither, I'm still new to this whole Windows kernel stuff (coming
from SUN&Solaris engineering), but as we need an NFSv4 filesystem
client at work I'm basically forced at knifepoint to learn as fast as
I can... ;-/

> I'd expect that you get the token of the calling thread or, in
> this case, process as is.

I think it's the calling thread which makes the Win32 syscall, then
the MiniRedirector driver (nfs41_driver.sys) gets that security
context, and uses that to set the impersonation stuff when making the
upcall to the userland part (nfsd_debug.exe), so that daemon thread
can impersonate the caller.

> However, did you try this with a primary group SID being part of the
> token's supplementary group list, or did you try this with some
> arbitrary group SID?

I tried it like this:
1. On the Windows machine I created these two new groups:
---- snip ----
WINHOST1:~$ net localgroup cygwingrp1 /add
WINHOST1:~$ net localgroup cygwingrp2 /add
WINHOST1:~$ getent group cygwingrp1
cygwingrp1:S-1-5-21-3286904461-661230000-4220857270-1003:197611:
WINHOST1:~$ getent group cygwingrp2
cygwingrp2:S-1-5-21-3286904461-661230000-4220857270-1004:197612:
---- snip ----

On the Linux NFSv4 server side I added these groups too, and added
group membership for the matching user:
---- snip ----
root AT DERFWNB4966:~# groupadd -g 197611 cygwingrp1
root AT DERFWNB4966:~# groupadd -g 197612 cygwingrp2
root AT DERFWNB4966:~# usermod -a -G cygwingrp1 roland_mainz
root AT DERFWNB4966:~# usermod -a -G cygwingrp2 roland_mainz
---- snip ----

After that /usr/bin/chgrp on Cygwin works on the NFSv4.1 filesystem,
but if I do a /usr/bin/newgrp+/usr/bin/touch it will not create files
with that new group, because nfsd_debug.exe only sees the default
primary group, not the new primary group set by /usr/bin/newgrp.

Or is there a mistake - do I have to add the current user to the
Windows localgroup first somehow (like usermod on Linux) ?

> I toyed around a bit with this in user space, and it seems I
> misinterpreted the results when I added the newgrp(1) tool.  The primary
> group in the token *must* be member of the token's supplementary group
> list.

Like on UNIX, right ?

> The fact that it looks like it works in Cygwin to set the pgrp to
> an arbitrary SID is apparently based on incorrect error handling.
>
> I will fix this in the next couple of days.

Thanks :-)

----

Bye,
Roland
-- 
  __ .  . __
 (o.\ \/ /.o) roland DOT mainz AT nrubsig DOT org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 3992797
 (;O/ \/ \O;)

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
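
An added example (not part of the original mail and not Cygwin's own code): a check to run in the Cygwin shell before and after /usr/bin/newgrp, based on the rule quoted above that the new primary group must already be in the token's group list. It assumes that `id -G` reports the group list of the current token and that the gid is the third field of `getent group` output, as in the output shown in the mail; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity checks around newgrp. Function names are hypothetical.

# Resolve a group name to its numeric gid.
# The gid is field 3 both on Linux (name:x:gid:members) and in the
# Cygwin output quoted in the mail (name:SID:gid:).
group_gid() {
    getent group "$1" | awk -F: 'NR == 1 { print $3 }'
}

# Return 0 if gid $1 appears in the caller's group list (`id -G`).
gid_in_group_list() {
    for g in $(id -G); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Before newgrp: is the target group usable as a primary group?
# 0 = group is in the caller's group list
# 1 = group exists but the caller is not a member
# 2 = group name cannot be resolved
can_switch_primary_group() {
    target_gid=$(group_gid "$1")
    [ -n "$target_gid" ] || return 2
    gid_in_group_list "$target_gid"
}

# After newgrp: did the primary group really change to group $1?
# 0 = yes, 1 = primary group is something else, 2 = unknown group
primary_group_is() {
    want_gid=$(group_gid "$1")
    [ -n "$want_gid" ] || return 2
    [ "$(id -g)" = "$want_gid" ]
}
```

Run `can_switch_primary_group cygwingrp1` before `newgrp cygwingrp1`, and `primary_group_is cygwingrp1` inside the new shell; a return value of 1 from the first call means the group exists but is not in the caller's group list.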
