Mailing-List: contact cygwin-developers-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-developers-owner AT cygwin DOT com
Delivered-To: mailing list cygwin-developers AT cygwin DOT com
Message-Id: <3.0.5.32.20020717222627.007fd3e0@mail.attbi.com>
Date: Wed, 17 Jul 2002 22:26:27 -0400
To: Jason Tishler, Cygwin-Developers
From: "Pierre A. Humblet"
Subject: Re: Corinna or Pierre please comment? [jason AT tishler DOT net: Re: setuid() problem when disconnected from PDC under 1.3.12-2]
In-Reply-To: <20020717184949.GA440@tishler.net>

At 02:49 PM 7/17/2002 -0400, Jason Tishler wrote:
>Your patch works great! Will you be submitting it (or a variation) for
>consideration?
>

Corinna, what do you think?
You wrote:

    if (!GetPDC()) FAIL;
    if (!get_domain_groups_of_account()) FAIL;
    if (!get_local_groups_of_account()) FAIL;
    if (!has_primary_group)                 <- from setgid()
      get_primary_group_of_account();
    get_supplementary_groups_from_etc_group();

We *could* change it this way to succeed more often:

    GetPDC();
    if (has_pdc)
      {
        get_domain_groups_of_account();
        get_local_groups_of_account();
        if (!has_primary_group)
          get_primary_group_of_account();
      }
    if (!has_primary_group)
      get_primary_group_from_etc_passwd();
    get_supplementary_groups_from_etc_group();

What the patch is doing is:

    GetPDC();
    if (has_pdc)
      {
        get_domain_groups_of_account();
      }
    get_primary_group_from_etc_passwd();
    get_supplementary_groups_from_etc_group();
    get_local_groups_of_account();
    add primary group passed as arg         <- from setgid()

- The group from passwd is added unconditionally because in Windows the
  primary group must be a group (either global or local) in the token, and
  will always be added anyway if a DC is reachable (assuming the passwd
  group is the Windows primary group, e.g. as built by mkpasswd). That will
  greatly help in most cases, without editing /etc/group.

- That group and the supplementary groups are looked up before
  get_local_groups() because membership in a global group can induce
  membership in local groups. So /etc/group should only be edited to add
  membership in global groups (if any different from the passwd group).
  That deviates from traditional Unix, where group membership is never
  induced, but the main reason to use supplementary groups in Cygwin is to
  handle the case where the DC is unreachable (should mkgroup do it
  automagically?), and following Windows logic seems appropriate.

- The primary group passed as arg is added last (if not yet present), so as
  to avoid inducing extra memberships in local groups (thus respecting Unix
  tradition). That's important when that group is special, e.g. "mail". We
  don't want unexpected side effects.
- Should we add an informational system_printf() if the DC can't be looked
  up?

I have researched cached credentials. That feature can be turned off (it's a
security risk), and by default applies only to the last 10 distinct logins.
Thus it can't be relied on. Somebody already asked where the info was kept
(on a number of lists) but never got any answer.

I also found (on Win2000)

    HKEY_USERS\S-1-5-21-XXX\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership

It has the right info, apparently updated regularly. But it can be tampered
with by the user (?) and doesn't seem to be the source of the group info for
logons. Should it be used by Cygwin?

Pierre
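As an added illustration, not Pierre's patch and not Cygwin code, the following Python model reproduces the ordering argued in the message: domain groups only when the DC answers, then the passwd primary group and the /etc/group supplementary groups, then local groups induced by whatever global groups are present, and finally the primary group handed in by setgid(), which is deliberately added after the local-group lookup so it cannot induce extra local memberships. The GLOBAL_TO_LOCAL table is a constructed stand-in for the domain's local-group member lists, and all group names are constructed; a second function shows what happens if the setgid() group is added before the local-group lookup instead.

```python
"""Model of the group-list construction order discussed in the thread.

Constructed example only: the group names and the induction table below are
made up, and the functions stand in for the real GetPDC()/Net* lookups.
"""

# Constructed stand-in for "membership in a global group induces membership
# in a local group" (in Windows this comes from the local group's member list).
GLOBAL_TO_LOCAL = {
    "Domain Users": ["Users"],
    "Domain Admins": ["Administrators"],
}


def _add(groups, name):
    """Append a group once, preserving insertion order (token order)."""
    if name not in groups:
        groups.append(name)


def _induced_local_groups(groups):
    """Local groups implied by the global groups present so far."""
    induced = []
    for g in groups:
        for local in GLOBAL_TO_LOCAL.get(g, []):
            if local not in induced and local not in groups:
                induced.append(local)
    return induced


def build_groups_patch_order(pdc_reachable, domain_groups, passwd_group,
                             etc_group_groups, setgid_group=None):
    """Order used by the patch: setgid() group is added *after* local lookup."""
    groups = []
    if pdc_reachable:                       # GetPDC(); if (has_pdc) ...
        for g in domain_groups:
            _add(groups, g)
    _add(groups, passwd_group)              # get_primary_group_from_etc_passwd()
    for g in etc_group_groups:              # get_supplementary_groups_from_etc_group()
        _add(groups, g)
    for g in _induced_local_groups(groups): # get_local_groups_of_account()
        _add(groups, g)
    if setgid_group is not None:            # add primary group passed as arg
        _add(groups, setgid_group)
    return groups


def build_groups_arg_first(pdc_reachable, domain_groups, passwd_group,
                           etc_group_groups, setgid_group=None):
    """Contrast: same inputs, but the setgid() group precedes the local lookup,
    so it can pull in local groups the caller never asked for."""
    groups = []
    if pdc_reachable:
        for g in domain_groups:
            _add(groups, g)
    _add(groups, passwd_group)
    for g in etc_group_groups:
        _add(groups, g)
    if setgid_group is not None:
        _add(groups, setgid_group)
    for g in _induced_local_groups(groups):
        _add(groups, g)
    return groups


if __name__ == "__main__":
    domain = ["Domain Users", "Domain Admins"]
    # DC unreachable: passwd group alone still yields its induced local group.
    print(build_groups_patch_order(False, domain, "Domain Users", ["Staff"]))
    # DC reachable: everything comes from the domain plus /etc/group.
    print(build_groups_patch_order(True, domain, "Domain Users", ["Staff"]))
    # setgid("Domain Admins") while disconnected: no "Administrators" induced.
    print(build_groups_patch_order(False, domain, "Domain Users", [], "Domain Admins"))
    print(build_groups_arg_first(False, domain, "Domain Users", [], "Domain Admins"))
```

The last two calls are the point of the third bullet above: with the patch order the caller's group is present in the token but induces nothing, whereas adding it before the local lookup silently grants the induced local group as well.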