ntsec patch 1: uid==gid, chmod, alloc_sd, is_grp_member
Pierre A. Humblet
Pierre.Humblet@ieee.org
Thu Nov 14 06:29:00 GMT 2002
Corinna Vinschen wrote:
>
Hello, Corinna
>
> Isn't the impersonation token automatically read by OpenProcessToken()
> when an impersonation took place?
I don't think so.
> > Thus I suggest that we use the method of the patch for now, and think
> > of improving is_grp_member if/as we get specific reports of problems.
> > What do you think?
>
> Do you mean my one liner? If so, I agree. My patch is just a starting
> point.
- Has anybody reported problems with incorrect owner modes for a file owner
different from the current process user? If not, I wouldn't even start
writing code for it.
We know it can't work all the time, and that to work assuming the default
group membership, it needs mkgroup -u (or PDC lookup). Yesterday I checked
that at a medium size company (~ 150 persons). There where a total of
1047 names in the gr_mem fields. getgroups32 scans them all, every time.
That would be for every file stat.
- I am a little bit confused by your patch. Your intention is to skip the token
lookup if the file uid isn't that of the current user. You then fall to the
bottom of getgroups32. But there the gid is ALWAYS included in the group
list (because in the context of getgroups the gid is that of the user, not
that of a file). Thus your small patch will always report that the uid is
a member of the gid.
> Could you then please resend the parts of your #1 patch we agreed upon?
OK. Do you want to call is_grp_member all the time or only if the current user
is the file owner?
Pierre
More information about the Cygwin-patches
mailing list