Corinna or Pierre please comment? [jason@tishler.net: Re: setuid() problem when disconnected from PDC under 1.3.12-2]

Pierre A. Humblet Pierre.Humblet@ieee.org
Wed Jul 17 08:02:00 GMT 2002


Corinna Vinschen wrote:
> 
>  So you have this information as soon as
> you logon locally or you logon via ssh w/ password since that's
> running a LogonUser() call which is nearly the same as logging in
> locally.
> 
> Really, I have no idea how to do that. 

The info is hidden somewhere. Could it be in the registry?
I will poke around and hope for luck.

> As I said, the old way
> worked by returning *wrong* information.  It's not a choice to
> go back to that implementation.

Right. But there is the possibility of ignoring the DC unavailability
and relying on the user to set /etc/group to provide the missing info.
In fact we could lookup the gid from /etc/passwd and the supplementary 
groups before looking up the local Windows groups (so the user doesn't 
need to set them up, only the domain groups must be edited).
In Jason's case the gid from passwd (10513) is all he needs, so 
everything should work fine without editing /etc/group at all.
His case is typical, but there will be exceptions.

Attached is an experimental patch, not fully tested. 
Jason, are you set up to make cygwin1.dll?

Pierre
-------------- next part --------------
--- security.cc.orig	2002-07-16 21:45:52.000000000 -0400
+++ security.cc	2002-07-16 21:56:04.000000000 -0400
@@ -449,33 +449,33 @@
   return retval;
 }
 
-static int
-get_supplementary_group_sidlist (const char *username, cygsidlist &grp_list)
+static void
+get_unix_group_sidlist (struct passwd * pw, cygsidlist &grp_list)
 {
   struct __group32 *gr;
-  int cnt = 0;
+  cygsid gsid;
 
   for (int gidx = 0; (gr = internal_getgrent (gidx)); ++gidx)
     {
-      if (gr->gr_mem)
+      if (gr->gr_gid == pw->pw_gid)
+        {
+	  if (gsid.getfromgr (gr) && !grp_list.contains (gsid))
+	    grp_list += gsid;
+	}
+      else if (gr->gr_mem)
 	for (int gi = 0; gr->gr_mem[gi]; ++gi)
-	  if (strcasematch (username, gr->gr_mem[gi]))
+	  if (strcasematch (pw->pw_name, gr->gr_mem[gi]))
 	    {
-	      if (gr->gr_passwd && *gr->gr_passwd)
-		{
-		  cygsid sid (gr->gr_passwd);
-		  if ((PSID)sid && grp_list.add (sid))
-		    ++cnt;
-		}
+	      if (gsid.getfromgr (gr) && !grp_list.contains (gsid))
+		grp_list += gsid;
 	      break;
 	    }
     }
-  return cnt;
 }
 
 static BOOL
 get_group_sidlist (cygsidlist &grp_list,
-		  cygsid &usersid, cygsid &pgrpsid, struct passwd * pw,
+		   cygsid &usersid, cygsid &pgrpsid, struct passwd * pw,
 		   PTOKEN_GROUPS my_grps, LUID auth_luid, int &auth_pos,
 		   BOOL * special_pgrp)
 {
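Review bot: `strcasematch (pw->pw_name, gr->gr_mem[gi])` in the new get_unix_group_sidlist runs without the `pw->pw_name &&` guard that the removed call site in get_group_sidlist applied before calling the old helper. Whether strcasematch accepts a null name is not visible here, so keeping the guard is the safer choice: `else if (gr->gr_mem && pw->pw_name)`. The function also has no header comment; I would add `/* Add to grp_list the SID of pw's primary group and of every group entry that lists pw->pw_name as a member. */`, because these file-derived SIDs go straight into the group list that get_group_sidlist builds.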
@@ -488,16 +488,14 @@
   auth_pos = -1;
 
   grp_list += well_known_world_sid;
+  grp_list += well_known_authenticated_users_sid;
   if (usersid == well_known_system_sid)
     {
-      grp_list += well_known_authenticated_users_sid;
       grp_list += well_known_admins_sid;
+      get_unix_group_sidlist (pw, grp_list);
     }
   else
     {
-      extract_nt_dom_user (pw, domain, user);
-      if (!get_logon_server (domain, server, wserver))
-	return FALSE;
       if (my_grps)
 	{
 	  if (sid_in_token_groups (my_grps, well_known_local_sid))
@@ -512,13 +510,11 @@
 	    grp_list += well_known_interactive_sid;
 	  if (sid_in_token_groups (my_grps, well_known_service_sid))
 	    grp_list += well_known_service_sid;
-	  grp_list += well_known_authenticated_users_sid;
 	}
       else
 	{
 	  grp_list += well_known_local_sid;
 	  grp_list += well_known_interactive_sid;
-	  grp_list += well_known_authenticated_users_sid;
 	}
       if (auth_luid.QuadPart != 999) /* != SYSTEM_LUID */
 	{
@@ -528,8 +524,15 @@
 	  grp_list += buf;
 	  auth_pos = grp_list.count - 1;
 	}
-      if (!get_user_groups (wserver, grp_list, user, domain) ||
-	  !get_user_local_groups (grp_list, usersid))
+      get_unix_group_sidlist (pw, grp_list);
+      extract_nt_dom_user (pw, domain, user);
+      /* Fail silently if DC is not reachable */
+      if (get_logon_server (domain, server, wserver))
+        {
+	  if (!get_user_groups (wserver, grp_list, user, domain))
+	  return FALSE;
+	}
+      if (!get_user_local_groups (grp_list, usersid))
 	return FALSE;
     }
   /* special_pgrp true if pgrpsid is not null and not in normal groups */
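Review bot: When get_logon_server fails, the new code skips get_user_groups and carries on with no trace, so a group list that lacks the domain groups looks the same to the caller as a complete one. A list built this way is only as trustworthy as /etc/passwd and /etc/group, which should be stated next to the `/* Fail silently if DC is not reachable */` comment together with a log line, for example `else debug_printf ("no logon server, domain groups come from /etc/group only");`. The `return FALSE;` under `if (!get_user_groups (wserver, grp_list, user, domain))` sits at the same indent as the `if`, which reads as if it were unconditional; indent it one step further. get_group_sidlist starts and ends outside this hunk.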
@@ -540,12 +543,6 @@
     }
   else
     *special_pgrp = TRUE;
-  if (pw->pw_name && get_supplementary_group_sidlist (pw->pw_name, sup_list))
-    {
-      for (int i = 0; i < sup_list.count; ++i)
-	if (!grp_list.contains (sup_list.sids[i]))
-	  grp_list += sup_list.sids[i];
-    }
   if (!grp_list.contains (pgrpsid))
     grp_list += pgrpsid;
   else

