This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.



Re: Corinna or Pierre please comment? [jason@tishler.net: Re: setuid() problem when disconnected from PDC under 1.3.12-2]


At 02:49 PM 7/17/2002 -0400, Jason Tishler wrote:
>Your patch works great!  Will you be submitting it (or a variation) for
>consideration?
>

Corinna, what do you think?

You wrote:
  if (!GetPDC())
    FAIL;
  if (!get_domain_groups_of_account())
    FAIL;
  if (!get_local_groups_of_account())
    FAIL;
  if (!has_primary_group)        <- from setgid()
    get_primary_group_of_account();
  get_supplementary_groups_from_etc_group();

We *could* change it this way to succeed more often:

  GetPDC();
  if (has_pdc)
    {
      get_domain_groups_of_account();
      get_local_groups_of_account();
      if (!has_primary_group)
	get_primary_group_of_account();
    }
  if (!has_primary_group)
    get_primary_group_from_etc_passwd();
  get_supplementary_groups_from_etc_group();

What the patch is doing is:
  GetPDC();
  if (has_pdc)
    {
      get_domain_groups_of_account();
    }
  get_primary_group_from_etc_passwd();
  get_supplementary_groups_from_etc_group();
  get_local_groups_of_account();
  add primary group passed as arg     <- from setgid()

- The group from passwd is added unconditionally because in Windows
the primary group must be a group (either global or local) in the token,
and will always be added anyway if a DC is reachable (assuming the
passwd group is the Windows primary group, e.g. as built by mkpasswd).
That will greatly help in most cases, without editing /etc/group.
- That group and the supplementary groups are looked up before 
get_local_groups() because membership in a global group can induce
membership in local groups. So /etc/group should only be edited
to add membership in global groups (if any different from the passwd group).
That deviates from traditional Unix where group membership is never
induced, but the main reason to use supplementary groups in Cygwin 
is to handle the case where the DC is unreachable (should mkgroup do it
automagically?) and following Windows logic seems appropriate.
- The primary group passed as arg is added last (if not yet present), 
so as to avoid inducing extra memberships in local groups (thus
respecting Unix tradition). That's important when that group is special,
e.g. "mail". We don't want unexpected side effects.
- Should we add an informational system_printf() if the DC can't be 
looked up? 

I have researched cached credentials. That feature can be turned off
(it's a security risk), and by default applies only to the last 10
distinct logins. Thus it can't be relied on. Somebody already asked
where the info was kept (on a number of lists) but never got any answer.
I also found (on Win2000)
HKEY_USERS\S-1-5-21-XXX\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership
It has the right info, apparently updated regularly. But it can be tampered
with by the user (?) and doesn't seem to be the source of the group info
for logons. Should it be used by Cygwin?

Pierre
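
The ordering argument in the mail above, modelled as an added Python example (not Cygwin code and not from the thread): a constructed directory where local groups are induced by global groups already in the token, showing why the setgid() group is added after the local-group lookup and how /etc/passwd plus /etc/group cover the unreachable-DC case.

```python
# Constructed directory data (hypothetical names, not from the mail).
DOMAIN_GROUPS = {"alice": {"DOM\\Domain Users", "DOM\\Developers", "DOM\\Sales"}}
# Local groups and the members they contain; membership in a contained
# global group induces membership in the local group (Windows logic).
LOCAL_GROUP_MEMBERS = {
    "BUILTIN\\Users": {"DOM\\Domain Users"},
    "LOCAL\\build": {"DOM\\Developers"},
    "LOCAL\\mailadmins": {"mail"},  # every member of "mail" is a mailadmin
}
ETC_PASSWD_PRIMARY = {"alice": "DOM\\Domain Users"}  # as mkpasswd would write it
ETC_GROUP_SUPPLEMENTARY = {"alice": {"DOM\\Developers"}}  # DOM\Sales not listed


def get_local_groups_of_account(token):
    """Return local groups induced by the groups already in the token."""
    return {lg for lg, members in LOCAL_GROUP_MEMBERS.items() if members & token}


def build_token(user, setgid_group, has_pdc, add_arg_last=True):
    """Model the patch's resolution order.

    has_pdc=False simulates an unreachable DC: only /etc/passwd and
    /etc/group remain as sources of global-group membership.
    add_arg_last=False is the ordering the mail argues against.
    """
    token = set()
    if has_pdc:
        token |= DOMAIN_GROUPS.get(user, set())
    token.add(ETC_PASSWD_PRIMARY[user])              # unconditional
    token |= ETC_GROUP_SUPPLEMENTARY.get(user, set())
    if not add_arg_last and setgid_group:
        token.add(setgid_group)                      # would induce extra locals
    token |= get_local_groups_of_account(token)
    if add_arg_last and setgid_group:
        token.add(setgid_group)                      # no induced side effects
    return token


if __name__ == "__main__":
    print(sorted(build_token("alice", "mail", has_pdc=False)))
    print(sorted(build_token("alice", "mail", has_pdc=False, add_arg_last=False)))
```

Adding "mail" last leaves LOCAL\mailadmins out of the token; adding it before the local-group lookup pulls that group in, and only the DC-reachable path yields DOM\Sales, which /etc/group does not list.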
