At 02:49 PM 7/17/2002 -0400, Jason Tishler wrote:
>Your patch works great! Will you be submitting it (or a variation) for
>consideration?
>

Corinna, what do you think? You wrote:

  if (!GetPDC()) FAIL;
  if (!get_domain_groups_of_account()) FAIL;
  if (!get_local_groups_of_account()) FAIL;
  if (!has_primary_group)                   <- from setgid()
    get_primary_group_of_account();
  get_supplementary_groups_from_etc_group();

We *could* change it this way to succeed more often:

  GetPDC();
  if (has_pdc)
    {
      get_domain_groups_of_account();
      get_local_groups_of_account();
      if (!has_primary_group)
        get_primary_group_of_account();
    }
  if (!has_primary_group)
    get_primary_group_from_etc_passwd();
  get_supplementary_groups_from_etc_group();

What the patch is doing is:

  GetPDC();
  if (has_pdc)
    {
      get_domain_groups_of_account();
    }
  get_primary_group_from_etc_passwd();
  get_supplementary_groups_from_etc_group();
  get_local_groups_of_account();
  add primary group passed as arg           <- from setgid()

- The group from passwd is added unconditionally because in Windows the
  primary group must be a group (either global or local) in the token, and
  will always be added anyway if a DC is reachable (assuming the passwd
  group is the Windows primary group, e.g. as built by mkpasswd). That will
  greatly help in most cases, without editing /etc/group

- That group and the supplementary groups are looked up before
  get_local_groups() because membership in a global group can induce
  membership in local groups. So /etc/group should only be edited to add
  membership in global groups (if any different from the passwd group).
  That deviates from traditional Unix where group membership is never
  induced, but the main reason to use supplementary groups in Cygwin is to
  handle the case where the DC is unreachable (should mkgroup do it
  automagically?) and following Windows logic seems appropriate.

- The primary group passed as arg is added last (if not yet present), so as
  to avoid inducing extra memberships in local groups (thus respecting Unix
  tradition). That's important when that group is special, e.g. "mail". We
  don't want unexpected side effects.

- Should we add an informational system_printf() if the DC can't be looked
  up?

I have researched cached credentials. That feature can be turned off (it's
a security risk), and by default applies only to the last 10 distinct
logins. Thus it can't be relied on. Somebody already asked where the info
was kept (on a number of lists) but never got any answer.

I also found (on Win2000)
HKEY_USERS\S-1-5-21-XXX\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership
It has the right info, apparently updated regularly. But it can be tampered
with by the user (?) and doesn't seem to be the source of the group info for
logons. Should it be used by Cygwin?

Pierre
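The ordering argument in the message above (domain groups first, then the passwd primary group and /etc/group, then local groups, and the setgid() group last) can be checked with a small model. The following is an added example, not Cygwin's code or Pierre's patch: the account "jdoe", the group tables, and the lookup helpers standing in for GetPDC() and the get_*_groups_of_account() calls are all constructed for illustration. It shows three things the mail argues: the token groups survive an unreachable DC when /etc/passwd and /etc/group carry the global memberships, local membership is induced by global membership, and adding the setgid() group before the local lookup would induce memberships that adding it last does not.

```python
# Added example: a Python model of the group-resolution order used by the
# patch.  NOT Cygwin code; the helpers below are hypothetical stand-ins for
# GetPDC()/get_*_groups_of_account() working over constructed tables.

# --- constructed sample data (not taken from any real host) ---------------
# Global (domain) groups per account, as a reachable DC would report them.
DOMAIN_GROUPS = {"jdoe": ["Domain Users", "Developers"]}

# Local groups and their members.  A member may be an account or a global
# group; the latter is how a global membership "induces" a local one.
LOCAL_GROUPS = {
    "Users": ["Domain Users"],          # every domain user lands here
    "Build Machines": ["Developers"],   # induced via the global Developers group
    "Administrators": ["jdoe"],         # direct local membership
    "Mail Operators": ["mail"],         # would be induced by membership in "mail"
}

# Primary group from /etc/passwd (the Windows primary group, as mkpasswd builds it).
ETC_PASSWD_PRIMARY = {"jdoe": "Domain Users"}

# Supplementary memberships from /etc/group; per the mail, global groups go here.
ETC_GROUP = {"Developers": ["jdoe"]}


def get_domain_groups_of_account(user):
    """Hypothetical stand-in for the DC lookup."""
    return list(DOMAIN_GROUPS.get(user, []))


def get_primary_group_from_etc_passwd(user):
    return ETC_PASSWD_PRIMARY[user]


def get_supplementary_groups_from_etc_group(user):
    return [g for g, members in ETC_GROUP.items() if user in members]


def get_local_groups_of_account(user, groups_held):
    """Local groups containing the account directly or any group already held,
    so the result depends on what was collected before this call."""
    held = set(groups_held) | {user}
    return [g for g, members in LOCAL_GROUPS.items() if held & set(members)]


def build_token_groups(user, has_pdc, setgid_group=None, setgid_last=True):
    """Collect the token groups in the patch's order:
    domain (if a DC answered) -> passwd primary -> /etc/group -> local ->
    setgid group.  setgid_last=False reproduces the ordering the mail rejects."""
    groups = []

    def add(g):
        if g not in groups:
            groups.append(g)

    if setgid_group is not None and not setgid_last:
        add(setgid_group)            # rejected order: may induce local groups
    if has_pdc:                      # GetPDC() succeeded
        for g in get_domain_groups_of_account(user):
            add(g)
    add(get_primary_group_from_etc_passwd(user))   # added unconditionally
    for g in get_supplementary_groups_from_etc_group(user):
        add(g)
    for g in get_local_groups_of_account(user, groups):
        add(g)                       # induced memberships happen here
    if setgid_group is not None and setgid_last:
        add(setgid_group)            # last, so it induces nothing further
    return groups


if __name__ == "__main__":
    print("DC reachable:  ", build_token_groups("jdoe", has_pdc=True))
    print("DC unreachable:", build_token_groups("jdoe", has_pdc=False))
    print("setgid(mail):  ", build_token_groups("jdoe", True, "mail"))
    print("mail first:    ", build_token_groups("jdoe", True, "mail", setgid_last=False))
```

With the DC reachable and unreachable the model yields the same group list, because the passwd primary group and the /etc/group entry already name the global groups that induce the local ones; with setgid("mail") the patch order ends with "mail" alone, whereas adding "mail" before the local lookup drags in "Mail Operators" as well.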