Mailing-List: contact cygwin-developers-help AT cygwin DOT com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-developers-owner AT cygwin DOT com Delivered-To: mailing list cygwin-developers AT cygwin DOT com Message-ID: <3D358707.509E8CD3@ieee.org> Date: Wed, 17 Jul 2002 11:02:31 -0400 
From: "Pierre A. Humblet" X-Accept-Language: en,pdf MIME-Version: 1.0 To: cygwin-developers AT cygwin DOT com, jason AT tishler DOT net Subject: Re: Corinna or Pierre please comment? [jason AT tishler DOT net: Re: setuid() problem when disconnected from PDC under 1.3.12-2] References: <20020713165415 DOT GB30143 AT redhat DOT com> <20020715110733 DOT B6932 AT cygbert DOT vinschen DOT de> <20020715125051 DOT GC2372 AT tishler DOT net> <20020715145826 DOT H6932 AT cygbert DOT vinschen DOT de> <20020715155951 DOT GG2372 AT tishler DOT net> <3 DOT 0 DOT 5 DOT 32 DOT 20020715162535 DOT 0080c900 AT mail DOT attbi DOT com> <20020716191735 DOT GB1692 AT tishler DOT net> <20020717121704 DOT GA1260 AT tishler DOT net> <20020717142259 DOT E6932 AT cygbert DOT vinschen DOT de> <20020717123351 DOT GB1260 AT tishler DOT net> <20020717145642 DOT G6932 AT cygbert DOT vinschen DOT de> Content-Type: multipart/mixed; boundary="------------09BDCB6C45565BCAA382365C" This is a multi-part message in MIME format. --------------09BDCB6C45565BCAA382365C Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Corinna Vinschen wrote: > > So you have this information as soon as > you logon locally or you logon via ssh w/ password since that's > running a LogonUser() call which is nearly the same as logging in > locally. > > Really, I have no idea how to do that. The info is hidden somewhere. Could it be in the registry? I will poke around and hope for luck. > As I said, the old way > worked by returning *wrong* information. It's not a choice to > go back to that implementation. Right. But there is the possibility of ignoring the DC unavailability and relying on the user to set /etc/group to provide the missing info. In fact we could look up the gid from /etc/passwd and the supplementary groups before looking up the local Windows groups (so the user doesn't need to set them up, only the domain groups must be edited). 
In Jason's case the gid from passwd (10513) is all he needs, so everything should work fine without editing /etc/group at all. His case is typical, but there will be exceptions. Attached is an experimental patch, not fully tested. Jason, are you set up to make cygwin1.dll? Pierre --------------09BDCB6C45565BCAA382365C Content-Type: text/plain; charset=us-ascii; name="security.cc.diff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="security.cc.diff"
--- security.cc.orig 2002-07-16 21:45:52.000000000 -0400
+++ security.cc 2002-07-16 21:56:04.000000000 -0400
@@ -449,33 +449,33 @@
 return retval;
 }
-static int
-get_supplementary_group_sidlist (const char *username, cygsidlist &grp_list)
+static void
+get_unix_group_sidlist (struct passwd * pw, cygsidlist &grp_list)
 {
 struct __group32 *gr;
- int cnt = 0;
+ cygsid gsid;
 for (int gidx = 0; (gr = internal_getgrent (gidx)); ++gidx)
 {
- if (gr->gr_mem)
+ if (gr->gr_gid == pw->pw_gid)
+ {
+ if (gsid.getfromgr (gr) && !grp_list.contains (gsid))
+ grp_list += gsid;
+ }
+ else if (gr->gr_mem)
 for (int gi = 0; gr->gr_mem[gi]; ++gi)
- if (strcasematch (username, gr->gr_mem[gi]))
+ if (strcasematch (pw->pw_name, gr->gr_mem[gi]))
 {
- if (gr->gr_passwd && *gr->gr_passwd)
- {
- cygsid sid (gr->gr_passwd);
- if ((PSID)sid && grp_list.add (sid))
- ++cnt;
- }
+ if (gsid.getfromgr (gr) && !grp_list.contains (gsid))
+ grp_list += gsid;
 break;
 }
 }
- return cnt;
 }
 static BOOL
 get_group_sidlist (cygsidlist &grp_list,
- cygsid &usersid, cygsid &pgrpsid, struct passwd * pw,
+ cygsid &usersid, cygsid &pgrpsid, struct passwd * pw,
 PTOKEN_GROUPS my_grps, LUID auth_luid, int &auth_pos, BOOL * special_pgrp)
 {
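Review bot: `get_unix_group_sidlist` hands `pw->pw_name` straight to `strcasematch` in the member loop, while the `pw->pw_name &&` guard that protected the old `get_supplementary_group_sidlist` call is dropped in the last hunk of this patch, so a passwd entry with a null name now reaches the comparison unfiltered; an early `if (!pw || !pw->pw_name) return;` at the top of the function restores that check. I cannot see `cygsid::getfromgr` here; if it does not itself reject an empty `gr_passwd`, the old `gr->gr_passwd && *gr->gr_passwd` test should stay in front of it. The function also deserves a header comment stating what it now feeds into the token, e.g. `/* Collect SIDs from /etc/group: the entry matching pw->pw_gid and every group listing pw->pw_name as a member.  The token's group list therefore depends on /etc/group being writable only by trusted accounts. */`. `get_group_sidlist`, whose signature this hunk ends with, continues beyond the hunk.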
@@ -488,16 +488,14 @@
 auth_pos = -1;
 grp_list += well_known_world_sid;
+ grp_list += well_known_authenticated_users_sid;
 if (usersid == well_known_system_sid)
 {
- grp_list += well_known_authenticated_users_sid;
 grp_list += well_known_admins_sid;
+ get_unix_group_sidlist (pw, grp_list);
 }
 else
 {
- extract_nt_dom_user (pw, domain, user);
- if (!get_logon_server (domain, server, wserver))
- return FALSE;
 if (my_grps)
 {
 if (sid_in_token_groups (my_grps, well_known_local_sid))
@@ -512,13 +510,11 @@
 grp_list += well_known_interactive_sid;
 if (sid_in_token_groups (my_grps, well_known_service_sid))
 grp_list += well_known_service_sid;
- grp_list += well_known_authenticated_users_sid;
 }
 else
 {
 grp_list += well_known_local_sid;
 grp_list += well_known_interactive_sid;
- grp_list += well_known_authenticated_users_sid;
 }
 if (auth_luid.QuadPart != 999) /* != SYSTEM_LUID */
 {
@@ -528,8 +524,15 @@
 grp_list += buf;
 auth_pos = grp_list.count - 1;
 }
- if (!get_user_groups (wserver, grp_list, user, domain) ||
- !get_user_local_groups (grp_list, usersid))
+ get_unix_group_sidlist (pw, grp_list);
+ extract_nt_dom_user (pw, domain, user);
+ /* Fail silently if DC is not reachable */
+ if (get_logon_server (domain, server, wserver))
+ {
+ if (!get_user_groups (wserver, grp_list, user, domain))
+ return FALSE;
+ }
+ if (!get_user_local_groups (grp_list, usersid))
 return FALSE;
 }
 /* special_pgrp true if pgrpsid is not null and not in normal groups */
@@ -540,12 +543,6 @@
 }
 else
 *special_pgrp = TRUE;
- if (pw->pw_name && get_supplementary_group_sidlist (pw->pw_name, sup_list))
- {
- for (int i = 0; i < sup_list.count; ++i)
- if (!grp_list.contains (sup_list.sids[i]))
- grp_list += sup_list.sids[i];
- }
 if (!grp_list.contains (pgrpsid))
 grp_list += pgrpsid;
 else
--------------09BDCB6C45565BCAA382365C--
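Review bot: In the `@@ -528,8 +524,15 @@` hunk a failed `get_logon_server` is swallowed with no diagnostic, so a token built while the DC is unreachable carries only the local groups plus whatever /etc/group supplied, and nothing records that the domain lookup was skipped; the code this replaces returned FALSE at that point. The comment should at least say what is lost, e.g. `/* DC unreachable: skip the domain group lookup.  Domain groups must then come from /etc/group, so the token may be incomplete rather than failing outright. */`, and a `debug_printf` naming the unreachable `domain` would make the degraded path visible in strace output. The same silent degradation applies to the SYSTEM branch in the `@@ -488,16 +488,14 @@` hunk, which now also draws on /etc/group. `get_group_sidlist` starts in the first hunk and ends outside the last one.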
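Review bot: With the supplementary-group merge loop deleted in the `@@ -540,12 +543,6 @@` hunk, `sup_list` is no longer referenced anywhere in the visible code; its declaration is outside this hunk, and if it is still declared in `get_group_sidlist` it should go too, or the build will warn about an unused variable. The de-duplication that loop performed is now done inside `get_unix_group_sidlist` through `grp_list.contains`, so the removal looks intentional; a one-line comment at the `get_unix_group_sidlist` call sites saying so, e.g. `/* Also merges /etc/group entries; duplicates are filtered there. */`, would spare the next reader the search.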