Mail Archives: cygwin-developers/2002/07/17/11:02:58
This is a multi-part message in MIME format.
--------------09BDCB6C45565BCAA382365C
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Corinna Vinschen wrote:
>
> So you have this information as soon as
> you logon locally or you logon via ssh w/ password since that's
> running a LogonUser() call which is nearly the same as logging in
> locally.
>
> Really, I have no idea how to do that.
The info is hidden somewhere. Could it be in the registry?
I will poke around and hope for luck.
> As I said, the old way
> worked by returning *wrong* information. It's not a choice to
> go back to that implementation.
Right. But there is the possibility of ignoring the DC unavailability
and relying on the user to set /etc/group to provide the missing info.
In fact we could lookup the gid from /etc/passwd and the supplementary
groups before looking up the local Windows groups (so the user doesn't
need to set them up, only the domain groups must be edited).
In Jason's case the gid from passwd (10513) is all he needs, so
everything should work fine without editing /etc/group at all.
His case is typical, but there will be exceptions.
Attached is an experimental patch, not fully tested.
Jason, are you set up to make cygwin1.dll?
Pierre
--------------09BDCB6C45565BCAA382365C
Content-Type: text/plain; charset=us-ascii;
name="security.cc.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="security.cc.diff"
--- security.cc.orig 2002-07-16 21:45:52.000000000 -0400
+++ security.cc 2002-07-16 21:56:04.000000000 -0400
@@ -449,33 +449,33 @@
return retval;
}
-static int
-get_supplementary_group_sidlist (const char *username, cygsidlist &grp_list)
+static void
+get_unix_group_sidlist (struct passwd * pw, cygsidlist &grp_list)
{
struct __group32 *gr;
- int cnt = 0;
+ cygsid gsid;
for (int gidx = 0; (gr = internal_getgrent (gidx)); ++gidx)
{
- if (gr->gr_mem)
+ if (gr->gr_gid == pw->pw_gid)
+ {
+ if (gsid.getfromgr (gr) && !grp_list.contains (gsid))
+ grp_list += gsid;
+ }
+ else if (gr->gr_mem)
for (int gi = 0; gr->gr_mem[gi]; ++gi)
- if (strcasematch (username, gr->gr_mem[gi]))
+ if (strcasematch (pw->pw_name, gr->gr_mem[gi]))
{
- if (gr->gr_passwd && *gr->gr_passwd)
- {
- cygsid sid (gr->gr_passwd);
- if ((PSID)sid && grp_list.add (sid))
- ++cnt;
- }
+ if (gsid.getfromgr (gr) && !grp_list.contains (gsid))
+ grp_list += gsid;
break;
}
}
- return cnt;
}
static BOOL
get_group_sidlist (cygsidlist &grp_list,
- cygsid &usersid, cygsid &pgrpsid, struct passwd * pw,
+ cygsid &usersid, cygsid &pgrpsid, struct passwd * pw,
PTOKEN_GROUPS my_grps, LUID auth_luid, int &auth_pos,
BOOL * special_pgrp)
{
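Review bot: get_unix_group_sidlist passes `pw->pw_name` to strcasematch without the null guard the removed call site had (`if (pw->pw_name && get_supplementary_group_sidlist (...))`, deleted in the last hunk), so a passwd entry with no name now reaches the member comparison at both new call sites. Keeping the guard on the member branch, `else if (pw->pw_name && gr->gr_mem)`, preserves the old behaviour while still allowing the primary-gid match. The function also deserves a header comment saying that every SID it adds is asserted solely by /etc/passwd and /etc/group, which presumably ends up in the group list used for the user's token, so the result is only as trustworthy as the write permissions on those two files.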
@@ -488,16 +488,14 @@
auth_pos = -1;
grp_list += well_known_world_sid;
+ grp_list += well_known_authenticated_users_sid;
if (usersid == well_known_system_sid)
{
- grp_list += well_known_authenticated_users_sid;
grp_list += well_known_admins_sid;
+ get_unix_group_sidlist (pw, grp_list);
}
else
{
- extract_nt_dom_user (pw, domain, user);
- if (!get_logon_server (domain, server, wserver))
- return FALSE;
if (my_grps)
{
if (sid_in_token_groups (my_grps, well_known_local_sid))
@@ -512,13 +510,11 @@
grp_list += well_known_interactive_sid;
if (sid_in_token_groups (my_grps, well_known_service_sid))
grp_list += well_known_service_sid;
- grp_list += well_known_authenticated_users_sid;
}
else
{
grp_list += well_known_local_sid;
grp_list += well_known_interactive_sid;
- grp_list += well_known_authenticated_users_sid;
}
if (auth_luid.QuadPart != 999) /* != SYSTEM_LUID */
{
@@ -528,8 +524,15 @@
grp_list += buf;
auth_pos = grp_list.count - 1;
}
- if (!get_user_groups (wserver, grp_list, user, domain) ||
- !get_user_local_groups (grp_list, usersid))
+ get_unix_group_sidlist (pw, grp_list);
+ extract_nt_dom_user (pw, domain, user);
+ /* Fail silently if DC is not reachable */
+ if (get_logon_server (domain, server, wserver))
+ {
+ if (!get_user_groups (wserver, grp_list, user, domain))
+ return FALSE;
+ }
+ if (!get_user_local_groups (grp_list, usersid))
return FALSE;
}
/* special_pgrp true if pgrpsid is not null and not in normal groups */
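Review bot: When get_logon_server fails, the new code carries on with a group list built only from /etc/group and the local groups, where the old code returned FALSE; since this list appears to feed token creation, domain group membership on that path is whatever the local files assert, and nothing records that the DC lookup was skipped. At minimum log the fallback, e.g. `else debug_printf ("DC unreachable, using /etc/group only");`, and extend the `/* Fail silently ... */` comment to state that this path trusts /etc/passwd and /etc/group and so depends on them being writable by administrators only. A reachable DC whose get_user_groups call fails still returns FALSE, so the two failure modes are now handled differently and that asymmetry should be explained in the comment as well. The enclosing get_group_sidlist begins in an earlier hunk and continues past this one.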
@@ -540,12 +543,6 @@
}
else
*special_pgrp = TRUE;
- if (pw->pw_name && get_supplementary_group_sidlist (pw->pw_name, sup_list))
- {
- for (int i = 0; i < sup_list.count; ++i)
- if (!grp_list.contains (sup_list.sids[i]))
- grp_list += sup_list.sids[i];
- }
if (!grp_list.contains (pgrpsid))
grp_list += pgrpsid;
else
--------------09BDCB6C45565BCAA382365C--