Mailing-List: contact cygwin-developers-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-developers-owner AT cygwin DOT com
Delivered-To: mailing list cygwin-developers AT cygwin DOT com
Date: Mon, 15 Jul 2002 11:07:33 +0200
From: Corinna Vinschen
To: cygwin-developers AT cygwin DOT com
Subject: Re: Corinna or Pierre please comment? [jason AT tishler DOT net: Re: setuid() problem when disconnected from PDC under 1.3.12-2]
Message-ID: <20020715110733.B6932@cygbert.vinschen.de>
Reply-To: cygwin-developers AT cygwin DOT com
Mail-Followup-To: cygwin-developers AT cygwin DOT com
References: <20020713165415 DOT GB30143 AT redhat DOT com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020713165415.GB30143@redhat.com>
User-Agent: Mutt/1.3.22.1i

> ----- Forwarded message from Jason Tishler -----
> 2305210 2457011 [main] setuid 2672 seterrno_from_win_error: ../../../../src/winsup/cygwin/security.cc:278 windows error 2453
>                                                                                                                         ^^^^
>                                                                                                                         ****
>     384 2457395 [main] setuid 2672 geterrno_from_win_error: unknown windows error 2453, setting errno to 13
>
> Note that the Windows error 2453 corresponds to NERR_DCNotFound.
> [...]
>   if ((ret = NetGetDCName (NULL, wdomain, (LPBYTE *) &buf)) == STATUS_SUCCESS)

Since 1.3.10 this function asked the Lsa for the PDC but that returned the DC
of the machine rather than the DC of the account. So that would have been
correct only if the machine and the user are in the same domain.

Another difference is, if the user exists as a local and as a domain account,
the old way to do things would have returned information for the local account
when the DC wasn't available, while the current implementation returns an
error now.

So, basically the current implementation is more correct than the old
implementation. I don't see how to make it better.
Except if you're willing to turn down the need for the correct group
membership when logging in to the machine. If we ignore the error, you could
get a user token with all groups mentioned as primary or supplementary group
of your account in /etc/passwd and /etc/group.

What I mean is, the current code is basically creating the group list in your
token this way:

  if (!GetPDC())
    FAIL;
  if (!get_domain_groups_of_account())
    FAIL;
  if (!get_local_groups_of_account())
    FAIL;
  if (!has_primary_group)              <- from setgid()
    get_primary_group_of_account();
  get_supplementary_groups_from_etc_group();

We *could* change it this way to succeed more often:

  GetPDC();
  if (has_pdc)
    {
      get_domain_groups_of_account();
      get_local_groups_of_account();
      if (!has_primary_group)
        get_primary_group_of_account();
    }
  if (!has_primary_group)
    get_primary_group_from_etc_passwd();
  get_supplementary_groups_from_etc_group();

That could leave you with a somewhat restricted token, though.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
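An added illustration of the two token-building policies in the mail above; this is not Cygwin's code and not part of the message. It models the current fail-closed path and the proposed fallback path with constructed group data for a hypothetical user "alice", a stand-in for NetGetDCName, and errno 13 as the mapping the strace shows for Windows error 2453.

```python
import errno

# Constructed sample data for a hypothetical user "alice": what the DC, the
# local SAM, /etc/passwd and /etc/group would report (not real data).
DOMAIN_GROUPS = {"alice": ["DOM\\Domain Users", "DOM\\Developers"]}
LOCAL_GROUPS = {"alice": ["BUILTIN\\Administrators"]}
ETC_PASSWD_PRIMARY = {"alice": "DOM\\Domain Users"}
ETC_GROUP = {
    "DOM\\Domain Users": ["alice", "bob"],
    "DOM\\Developers": ["alice"],
    "BUILTIN\\Administrators": ["bob"],
}
NERR_DCNotFound = 2453  # the Windows error in the forwarded strace

def get_pdc(dc_reachable):
    """Stand-in for NetGetDCName: None models NERR_DCNotFound."""
    return "\\\\PDC01" if dc_reachable else None

def etc_group_memberships(user):
    """Supplementary groups that list the user in /etc/group."""
    return {g for g, members in ETC_GROUP.items() if user in members}

def build_token_strict(user, dc_reachable, primary=None):
    """Current behaviour: no PDC means setuid fails outright."""
    if get_pdc(dc_reachable) is None:
        # geterrno_from_win_error maps the unknown error 2453 to errno 13
        raise OSError(errno.EACCES, f"windows error {NERR_DCNotFound}")
    groups = set(DOMAIN_GROUPS[user]) | set(LOCAL_GROUPS[user])
    if primary is None:  # no prior setgid(): take the account's primary group
        primary = DOMAIN_GROUPS[user][0]
    return {"primary": primary, "groups": sorted(groups | etc_group_memberships(user))}

def build_token_fallback(user, dc_reachable, primary=None):
    """Proposed variant: fall back to /etc/passwd and /etc/group without a PDC."""
    groups = set()
    if get_pdc(dc_reachable) is not None:
        groups |= set(DOMAIN_GROUPS[user]) | set(LOCAL_GROUPS[user])
        if primary is None:
            primary = DOMAIN_GROUPS[user][0]
    if primary is None:
        primary = ETC_PASSWD_PRIMARY[user]
    return {"primary": primary, "groups": sorted(groups | etc_group_memberships(user))}

def outcome_when_dc_down(user):
    """(errno raised by the strict policy, token built by the fallback policy)."""
    try:
        build_token_strict(user, dc_reachable=False)
        strict_errno = None
    except OSError as err:
        strict_errno = err.errno
    return strict_errno, build_token_fallback(user, dc_reachable=False)
```

With the DC down, the fallback token keeps only the groups /etc/passwd and /etc/group know about, so the local group BUILTIN\Administrators is missing from it: that is the "somewhat restricted token" the mail warns about.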