Mail Archives: cygwin-developers/2002/07/17/22:33:27

Mailing-List: contact cygwin-developers-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-developers-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin-developers/>
List-Post: <mailto:cygwin-developers AT cygwin DOT com>
List-Help: <mailto:cygwin-developers-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-developers-owner AT cygwin DOT com
Delivered-To: mailing list cygwin-developers AT cygwin DOT com
Message-Id: <3.0.5.32.20020717222627.007fd3e0@mail.attbi.com>
X-Sender: phumblet AT mail DOT attbi DOT com
Date: Wed, 17 Jul 2002 22:26:27 -0400
To: Jason Tishler <jason AT tishler DOT net>,
Cygwin-Developers <cygwin-developers AT cygwin DOT com>
From: "Pierre A. Humblet" <Pierre DOT Humblet AT ieee DOT org>
Subject: Re: Corinna or Pierre please comment? [jason AT tishler DOT net: Re:
setuid() problem when disconnected from PDC under 1.3.12-2]
In-Reply-To: <20020717184949.GA440@tishler.net>
References: <20020717163922 DOT GD1260 AT tishler DOT net>
<20020715145826 DOT H6932 AT cygbert DOT vinschen DOT de>
<20020715155951 DOT GG2372 AT tishler DOT net>
<3 DOT 0 DOT 5 DOT 32 DOT 20020715162535 DOT 0080c900 AT mail DOT attbi DOT com>
<20020716191735 DOT GB1692 AT tishler DOT net>
<20020717121704 DOT GA1260 AT tishler DOT net>
<20020717142259 DOT E6932 AT cygbert DOT vinschen DOT de>
<20020717123351 DOT GB1260 AT tishler DOT net>
<20020717145642 DOT G6932 AT cygbert DOT vinschen DOT de>
<3D358707 DOT 509E8CD3 AT ieee DOT org>
<20020717163922 DOT GD1260 AT tishler DOT net>
Mime-Version: 1.0

At 02:49 PM 7/17/2002 -0400, Jason Tishler wrote:
>Your patch works great!  Will you be submitting it (or a variation) for
>consideration?
>

Corinna, what do you think?

You wrote:
  if (!GetPDC())
    FAIL;
  if (!get_domain_groups_of_account())
    FAIL;
  if (!get_local_groups_of_account())
    FAIL;
  if (!has_primary_group)        <- from setgid()
    get_primary_group_of_account();
  get_supplementary_groups_from_etc_group();

We *could* change it this way to succeed more often:

  GetPDC();
  if (has_pdc)
    {
      get_domain_groups_of_account();
      get_local_groups_of_account();
      if (!has_primary_group)
        get_primary_group_of_account();
    }
  if (!has_primary_group)
    get_primary_group_from_etc_passwd();
  get_supplementary_groups_from_etc_group();

What the patch is doing is:
  GetPDC();
  if (has_pdc)
    {
      get_domain_groups_of_account();
    }
  get_primary_group_from_etc_passwd();
  get_supplementary_groups_from_etc_group();
  get_local_groups_of_account();
  add primary group passed as arg     <- from setgid()
 
- The group from passwd is added unconditionally because in Windows
the primary group must be a group (either global or local) in the token,
and will always be added anyway if a DC is reachable (assuming the
passwd group is the Windows primary group, e.g. as built by mkpasswd).
That will greatly help in most cases, without editing /etc/group.
- That group and the supplementary groups are looked up before
get_local_groups() because membership in a global group can induce
membership in local groups. So /etc/group should only be edited
to add membership in global groups (if any different from the passwd group).
That deviates from traditional Unix, where group membership is never
induced, but the main reason to use supplementary groups in Cygwin
is to handle the case where the DC is unreachable (should mkgroup do it
automagically?), and following Windows logic seems appropriate.
- The primary group passed as arg is added last (if not yet present),
so as to avoid inducing extra memberships in local groups (thus
respecting Unix tradition). That's important when that group is special,
e.g. "mail". We don't want unexpected side effects.
- Should we add an informational system_printf() if the DC can't be
looked up?

I have researched cached credentials. That feature can be turned off
(it's a security risk), and by default applies only to the last 10
distinct logins. Thus it can't be relied on. Somebody already asked
where the info was kept (on a number of lists) but never got any answer.
I also found (on Win2000)
HKEY_USERS\S-1-5-21-XXX\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership
It has the right info, apparently updated regularly. But it can be tampered
with by the user (?) and doesn't seem to be the source of the group info
for logons. Should it be used by Cygwin?

Pierre
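The following is an added model of the group-collection order Pierre describes as "what the patch is doing"; it is not Cygwin's code and none of the accounts, groups or file contents are real. It assumes a toy directory in which a local group may contain global groups as members (so that membership in a global group induces membership in the local group), plus minimal views of /etc/passwd and /etc/group. It shows the two points made above: with the passwd group added unconditionally and /etc/group holding only global groups, the token comes out the same whether or not the DC is reachable; and adding the setgid() group after the local-group lookup avoids inducing a local membership that adding it earlier would have pulled in.

```python
# Added example modelling the group-collection order from the message; not Cygwin code.
# All account, group and file data below are constructed for illustration.

# Global (domain) groups per account, as a reachable DC would report them.
DOMAIN_GROUPS = {"alice": {"Domain Users", "Developers"}}

# Local groups and their members. A member may be an account or a global
# group; membership in a global group induces membership in the local group.
LOCAL_GROUP_MEMBERS = {
    "Users": {"Domain Users"},
    "Administrators": {"Developers", "bob"},
    "MailOps": {"mail"},          # 'mail' is a special global group (hypothetical)
}

# Minimal views of /etc/passwd (primary group, as mkpasswd would write it) and
# /etc/group (supplementary groups, global groups only).
ETC_PASSWD = {"alice": "Domain Users"}
ETC_GROUP = {"alice": {"Developers"}}


def local_groups_of(account, global_groups):
    """Local groups holding the account directly or via one of its global groups."""
    return {
        name for name, members in LOCAL_GROUP_MEMBERS.items()
        if account in members or members & global_groups
    }


def token_groups_patch_order(account, has_pdc, setgid_group=None):
    """The order described as 'what the patch is doing'."""
    groups = set()
    if has_pdc:
        groups |= DOMAIN_GROUPS.get(account, set())  # get_domain_groups_of_account
    groups.add(ETC_PASSWD[account])                  # get_primary_group_from_etc_passwd, unconditional
    groups |= ETC_GROUP.get(account, set())          # get_supplementary_groups_from_etc_group
    groups |= local_groups_of(account, groups)       # get_local_groups_of_account, after the above
    if setgid_group is not None:
        groups.add(setgid_group)                     # primary group from setgid(), added last
    return groups


def token_groups_setgid_first(account, has_pdc, setgid_group=None):
    """Same steps, but with the setgid() group added before the local-group
    lookup, to show the induced membership the patch order avoids."""
    groups = set()
    if has_pdc:
        groups |= DOMAIN_GROUPS.get(account, set())
    groups.add(ETC_PASSWD[account])
    groups |= ETC_GROUP.get(account, set())
    if setgid_group is not None:
        groups.add(setgid_group)
    groups |= local_groups_of(account, groups)
    return groups


if __name__ == "__main__":
    print("DC reachable:   ", sorted(token_groups_patch_order("alice", True)))
    print("DC unreachable: ", sorted(token_groups_patch_order("alice", False)))
    print("setgid(mail), patch order: ", sorted(token_groups_patch_order("alice", True, "mail")))
    print("setgid(mail), setgid first:", sorted(token_groups_setgid_first("alice", True, "mail")))
```

With the sample data the reachable and unreachable cases both yield Domain Users, Developers, Users and Administrators, because the passwd group and the /etc/group entry supply the global groups from which the local ones are induced. With setgid("mail"), the patch order leaves MailOps out of the token while the alternative order pulls it in.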

