ntsec-patch 14

Corinna Vinschen corinna@vinschen.de
Tue Oct 5 03:21:00 GMT 1999


I have patched ntsec so, that SIDs are used, that were previously
saved in /etc/passwd and /etc/group. This has following advantages:

- Correct working ntsec in domain environments.

- Non-login accounts (users _and_ groups) may get another name in
  /etc/passwd and /etc/group files than their NT account name.
  The new name is transparently used by applications (so chown,
  chgrp, ls -l, etc. use them now),
  instead of

  No problem if running in console window,
  BUT: If you need the account to login via telnet, ssh or similar
  the login name _must_ be the NT user name.

- Cygwin UIDs and GIDs are now not necessarily the RID part of the
  instead of
- As with U*X systems, UIDs and GIDs numbering scheme now don't
  influence each other, so it's possible to have same Id's for a
  user and a group,
	root::0:0:...		# former 'administrator::500:544:...'

	root::0:		# former 'administrators::544:'

Disadvantages, if you like to use the new features:
- /etc/passwd: The pw_gecos field has to contain a SID as the last
  element of the comma separated list.
- /etc/group: The gr_passwd (former unused) has to contain a SID.

If no SIDs are found in /etc/passwd and /etc/group, ntsec acts like
the previous version.

The SIDs are saved in standard WinNT notation (S-1-5-32-...)
the utilities mkpasswd and mkgroup are patched, to support the new

- mkpasswd and mkgroup generate SIDs by default. This behaviour may
  be switched off by the new commandline option `-s' or `--no-sids'.

Moreover, mkpasswd generates the home dir path with the function
cygwin_conv_to_posix_path(), so mount points are used now. This
behaviour may be changed to `/cygdrive/<Driveletter>' by using the
commandline option `-m' or `--no-mount'.

Another new feature:

uinfo.cc(getlogin) now uses a function uinfo.cc(internal_getlogin)
that asks for the users domain and logon server by using the
netapi32 function `NetWkstaUserGetInfo()'. These infos are saved in
the pinfo structure `myself'. Later calls to security.cc(lookup_name)
use them to get correct account information.
Moreover, the users SID is retrieved and saved in myself, so many
calls to lookup_name while process creation are avoidable:
ntsec should be objectively faster than before.
Unfortunately, the used netapi32 functions are not implemented under
Win9X, so netapi32.dll is dynamically loaded only under NT and W2K.

The calls to get_admin_sid(), get_world_sid() and get_system_sid()
are deleted from dcrt0.cc(dll_crt0_1). These functions don't fragment
the heap anymore. The new method of SID creation don't allocate
heap space dynamically.

This patch needs the lm-header-patch, send at Oct 2, 1999.



Thu Oct 5 11:45:00 1999  Corinna Vinschen  <corinna@vinschen.de>

	* dcrt0.cc (dll_crt0_1): Calls to get_WHOEVER_sid deleted.
	Call to uinfo_init() moved to the end of the function.
	* fhandler.cc (get_file_owner): Call to get_id_from_sid()
	substituted by call to get_uid_from_sid().
	(get_file_group): Call to get_id_from_sid() substituted by
	call to get_gid_from_sid().
	* fork.cc (fork): Copy new pinfo members to child.
	* grp.cc (parse_grp): Rewritten. Saves gr_passwd and all
	user names in gr_mem.
	(read_etc_group): Variable `group_sem' avoids endless loop.
	* passwd.cc (read_etc_passwd): Variable `passwd_sem' avoids
	endless loop.
	* security.cc (get_sid): New function to generate SID from
	int values.
	(get_ssid): New function to generate SID from string.
	(get_pw_sid): New function to generate SID from pw_gecos
	(get_gr_sid): New function to generate SID from gr_passwd
	(get_admin_sid): Rewritten to avoid using heap space.
	(get_system_sid): Ditto.
	(get_creator_owner_sid): Ditto.
	(get_world_sid): Ditto.
	(get_id_from_sid): Tries to read SIDs from /etc/passwd or
	/etc/group files before using RID or Lookup... function.
	(legal_sid_type): New function.
	(lookup_name): Rewritten to use the logon server info,
	if any.
	(alloc_sd): Tries to use SID from /etc/passwd and /etc/group
	files before call to lookup_name().
	(alloc_sd): New parameter for logon server.
	(set_nt_attribute): Ditto.
	(set_file_attribute): Ditto.
	* shared.cc (sec_user): If SID is saved in myself, use it
	instead of calling lookup_name().
	* shared.h: struct pinfo got extended user information.
	* spawn.cc (spawn_guts): method for forcing reread /etc
	files changed.
	(_spawnve): Copy new pinfo members to child.
	* syscalls.cc (chown): Changed call to set_file_attribute().
	(chmod): Ditto.
	* uinfo.cc (internal_getlogin): New function.
	(uinfo_init): Calls internal_getlogin() now.
	(getlogin): Uses myself->username now.
	* winsup.h: extern HANDLE netapi32_handle;
	Changed prototypes for set_file_attribute(), lookup_name(),
	New inline functions get_uid_from_sid() and get_gid_from_sid().
	* utils/mkgroup.c: Adapted to the new ntsec features.
	* utils/mkpasswd.c: Ditto.

More information about the Cygwin-developers mailing list