drew
/
acadia-newlib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* security.cc (lsa2wchar): Suppressed. 

(get_lsa_srv_inf): Suppressed.
	(get_logon_server_and_user_domain): Suppressed.
	(get_logon_server): Essentially new.
	(get_user_groups): Add "domain" argument. Only lookup the
	designated server and use "domain" in LookupAccountName.
	(is_group_member): Simplify the arguments.
	(get_user_local_groups): Simplify the arguments. Do only a
	local lookup. Use "BUILTIN" and local domain in LookupAccountName.
	(get_user_primary_group). Only lookup the designated server.
	(get_group_sidlist): Remove logonserver argument. Do not lookup
	any server for the SYSTEM account.
	(create_token): Delete logonserver and call to get_logon_server.
	Adjust arguments of get_group_sidlist, see above.
	* security.h: Delete declaration of get_logon_server_and_user_domain
	and add declaration of get_logon_server.
	* uinfo.cc (internal_get_login): Call get_logon_server instead of
	get_logon_server_and_user_domain.
This commit is contained in:
Corinna Vinschen 2002-06-03 17:04:03 +00:00
parent 9bd0241009
commit 1eb934b7c5
4 changed files with 114 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
winsup/cygwin/ChangeLog
View File

@ -1,3 +1,24 @@
2002-06-03 Pierre Humblet <pierre.humblet@ieee.org>
* security.cc (lsa2wchar): Suppressed.
(get_lsa_srv_inf): Suppressed.
(get_logon_server_and_user_domain): Suppressed.
(get_logon_server): Essentially new.
(get_user_groups): Add "domain" argument. Only lookup the
designated server and use "domain" in LookupAccountName.
(is_group_member): Simplify the arguments.
(get_user_local_groups): Simplify the arguments. Do only a
local lookup. Use "BUILTIN" and local domain in LookupAccountName.
(get_user_primary_group). Only lookup the designated server.
(get_group_sidlist): Remove logonserver argument. Do not lookup
any server for the SYSTEM account.
(create_token): Delete logonserver and call to get_logon_server.
Adjust arguments of get_group_sidlist, see above.
* security.h: Delete declaration of get_logon_server_and_user_domain
and add declaration of get_logon_server.
* uinfo.cc (internal_get_login): Call get_logon_server instead of
get_logon_server_and_user_domain.
2002-06-02 Christopher Faylor <cgf@redhat.com> 2002-06-02 Christopher Faylor <cgf@redhat.com>
* dtable.cc (handle_to_fn): Use largest match for device. Correctly * dtable.cc (handle_to_fn): Use largest match for device. Correctly

174
winsup/cygwin/security.cc
View File

@ -162,6 +162,7 @@ str2buf2uni (UNICODE_STRING &tgt, WCHAR *buf, const char *srcstr)
sys_mbstowcs (buf, srcstr, tgt.MaximumLength); sys_mbstowcs (buf, srcstr, tgt.MaximumLength);
} }
#if 0 //unused
static void static void
lsa2wchar (WCHAR *tgt, LSA_UNICODE_STRING &src, int size) lsa2wchar (WCHAR *tgt, LSA_UNICODE_STRING &src, int size)
{ {
@ -172,6 +173,7 @@ lsa2wchar (WCHAR *tgt, LSA_UNICODE_STRING &src, int size)
size >>= 1; size >>= 1;
tgt[size] = 0; tgt[size] = 0;
} }
#endif
static void static void
lsa2str (char *tgt, LSA_UNICODE_STRING &src, int size) lsa2str (char *tgt, LSA_UNICODE_STRING &src, int size)
@ -202,6 +204,7 @@ close_local_policy (LSA_HANDLE &lsa)
lsa = INVALID_HANDLE_VALUE; lsa = INVALID_HANDLE_VALUE;
} }
#if 0 // unused
static BOOL static BOOL
get_lsa_srv_inf (LSA_HANDLE lsa, char *logonserver, char *domain) get_lsa_srv_inf (LSA_HANDLE lsa, char *logonserver, char *domain)
{ {
@ -252,40 +255,52 @@ get_lsa_srv_inf (LSA_HANDLE lsa, char *logonserver, char *domain)
NetApiBufferFree (buf); NetApiBufferFree (buf);
return TRUE; return TRUE;
} }
#endif
static BOOL
get_logon_server (LSA_HANDLE lsa, char *logonserver)
{
return get_lsa_srv_inf (lsa, logonserver, NULL);
}
BOOL BOOL
get_logon_server_and_user_domain (char *logonserver, char *userdomain) get_logon_server (const char * domain, char * server, WCHAR *wserver)
{ {
BOOL ret = FALSE; WCHAR wdomain[INTERNET_MAX_HOST_NAME_LENGTH + 1];
LSA_HANDLE lsa = open_local_policy (); NET_API_STATUS ret;
if (lsa != INVALID_HANDLE_VALUE) WCHAR * buf;
DWORD size = INTERNET_MAX_HOST_NAME_LENGTH + 1;
if ((GetComputerNameA(server + 2, &size)) &&
!strcasecmp(domain, server + 2))
{ {
ret = get_lsa_srv_inf (lsa, logonserver, userdomain); server[0] = server[1] = '\\';
close_local_policy (lsa); if (wserver)
sys_mbstowcs (wserver, server, INTERNET_MAX_HOST_NAME_LENGTH + 1);
return TRUE;
} }
return ret;
/* Try to get the primary domain controller for the domain */
sys_mbstowcs (wdomain, domain, INTERNET_MAX_HOST_NAME_LENGTH + 1);
if ((ret = NetGetDCName(NULL, wdomain, (LPBYTE *) &buf)) == STATUS_SUCCESS)
{
sys_wcstombs (server, buf, INTERNET_MAX_HOST_NAME_LENGTH + 1);
if (wserver)
for (WCHAR * ptr1 = buf; (*wserver++ = *ptr1++); ) {}
NetApiBufferFree (buf);
return TRUE;
}
__seterrno_from_win_error (ret);
return FALSE;
} }
static BOOL static BOOL
get_user_groups (WCHAR *wlogonserver, cygsidlist &grp_list, char *user) get_user_groups (WCHAR *wlogonserver, cygsidlist &grp_list, char *user, char * domain)
{ {
char dgroup[INTERNET_MAX_HOST_NAME_LENGTH + GNLEN + 2];
WCHAR wuser[UNLEN + 1]; WCHAR wuser[UNLEN + 1];
sys_mbstowcs (wuser, user, UNLEN + 1); sys_mbstowcs (wuser, user, UNLEN + 1);
LPGROUP_USERS_INFO_0 buf; LPGROUP_USERS_INFO_0 buf;
DWORD cnt, tot; DWORD cnt, tot, len;
NET_API_STATUS ret; NET_API_STATUS ret;
/* Look only on logonserver */
ret = NetUserGetGroups (wlogonserver, wuser, 0, (LPBYTE *) &buf, ret = NetUserGetGroups (wlogonserver, wuser, 0, (LPBYTE *) &buf,
MAX_PREFERRED_LENGTH, &cnt, &tot); MAX_PREFERRED_LENGTH, &cnt, &tot);
if (ret == ERROR_BAD_NETPATH || ret == RPC_S_SERVER_UNAVAILABLE)
ret = NetUserGetGroups (NULL, wuser, 0, (LPBYTE *) &buf,
MAX_PREFERRED_LENGTH, &cnt, &tot);
if (ret) if (ret)
{ {
__seterrno_from_win_error (ret); __seterrno_from_win_error (ret);
@ -293,30 +308,25 @@ get_user_groups (WCHAR *wlogonserver, cygsidlist &grp_list, char *user)
return ret == NERR_UserNotFound; return ret == NERR_UserNotFound;
} }
len = strlen(domain);
strcpy(dgroup, domain);
dgroup[len++] = '\\';
for (DWORD i = 0; i < cnt; ++i) for (DWORD i = 0; i < cnt; ++i)
{ {
cygsid gsid; cygsid gsid;
char group[UNLEN + 1]; DWORD glen = sizeof (gsid);
char domain[INTERNET_MAX_HOST_NAME_LENGTH + 1]; char domain[INTERNET_MAX_HOST_NAME_LENGTH + 1];
DWORD glen = UNLEN + 1; DWORD dlen = sizeof (domain);
DWORD dlen = INTERNET_MAX_HOST_NAME_LENGTH + 1;
SID_NAME_USE use = SidTypeInvalid; SID_NAME_USE use = SidTypeInvalid;
sys_wcstombs (group, buf[i].grui0_name, UNLEN + 1); sys_wcstombs (dgroup + len, buf[i].grui0_name, GNLEN + 1);
if (!LookupAccountName (NULL, group, gsid, &glen, domain, &dlen, &use)) if (!LookupAccountName (NULL, dgroup, gsid, &glen, domain, &dlen, &use))
debug_printf ("LookupAccountName(%s): %lu\n", group, GetLastError ()); debug_printf ("LookupAccountName(%s): %E", dgroup);
if (!legal_sid_type (use)) else if (legal_sid_type (use))
{ grp_list += gsid;
strcat (strcpy (group, domain), "\\"); else debug_printf("Global group %s invalid. Domain: %s Use: %d",
sys_wcstombs (group + strlen (group), buf[i].grui0_name, dgroup, domain, use);
UNLEN + 1 - strlen (group));
glen = UNLEN + 1;
dlen = INTERNET_MAX_HOST_NAME_LENGTH + 1;
if (!LookupAccountName(NULL, group, gsid, &glen, domain, &dlen, &use))
debug_printf ("LookupAccountName(%s): %lu\n", group,GetLastError());
}
if (legal_sid_type (use))
grp_list += gsid;
} }
NetApiBufferFree (buf); NetApiBufferFree (buf);
@ -324,21 +334,21 @@ get_user_groups (WCHAR *wlogonserver, cygsidlist &grp_list, char *user)
} }
static BOOL static BOOL
is_group_member (WCHAR *wlogonserver, WCHAR *wgroup, is_group_member (WCHAR *wgroup, PSID pusersid, cygsidlist &grp_list)
cygsid &usersid, cygsidlist &grp_list)
{ {
LPLOCALGROUP_MEMBERS_INFO_0 buf; LPLOCALGROUP_MEMBERS_INFO_0 buf;
DWORD cnt, tot; DWORD cnt, tot;
NET_API_STATUS ret; NET_API_STATUS ret;
BOOL retval = FALSE; BOOL retval = FALSE;
/* Members can be users or global groups */
ret = NetLocalGroupGetMembers (NULL, wgroup, 0, (LPBYTE *) &buf, ret = NetLocalGroupGetMembers (NULL, wgroup, 0, (LPBYTE *) &buf,
MAX_PREFERRED_LENGTH, &cnt, &tot, NULL); MAX_PREFERRED_LENGTH, &cnt, &tot, NULL);
if (ret) if (ret)
return FALSE; return FALSE;
for (DWORD bidx = 0; !retval && bidx < cnt; ++bidx) for (DWORD bidx = 0; !retval && bidx < cnt; ++bidx)
if (EqualSid (usersid, buf[bidx].lgrmi0_sid)) if (EqualSid (pusersid, buf[bidx].lgrmi0_sid))
retval = TRUE; retval = TRUE;
else else
for (int glidx = 0; !retval && glidx < grp_list.count; ++glidx) for (int glidx = 0; !retval && glidx < grp_list.count; ++glidx)
@ -350,8 +360,7 @@ is_group_member (WCHAR *wlogonserver, WCHAR *wgroup,
} }
static BOOL static BOOL
get_user_local_groups (WCHAR *wlogonserver, const char *logonserver, get_user_local_groups (cygsidlist &grp_list, PSID pusersid)
cygsidlist &grp_list, cygsid &usersid)
{ {
LPLOCALGROUP_INFO_0 buf; LPLOCALGROUP_INFO_0 buf;
DWORD cnt, tot; DWORD cnt, tot;
@ -365,40 +374,39 @@ get_user_local_groups (WCHAR *wlogonserver, const char *logonserver,
return FALSE; return FALSE;
} }
char bgroup[sizeof ("BUILTIN\\") + GNLEN] = "BUILTIN\\";
char lgroup[INTERNET_MAX_HOST_NAME_LENGTH + GNLEN + 2];
const DWORD blen = sizeof ("BUILTIN\\") - 1;
DWORD llen = INTERNET_MAX_HOST_NAME_LENGTH + 1;
if (!GetComputerNameA(lgroup, & llen))
{
__seterrno();
return FALSE;
}
lgroup[llen++] = '\\';
for (DWORD i = 0; i < cnt; ++i) for (DWORD i = 0; i < cnt; ++i)
if (is_group_member (wlogonserver, buf[i].lgrpi0_name, usersid, grp_list)) if (is_group_member (buf[i].lgrpi0_name, pusersid, grp_list))
{ {
cygsid gsid; cygsid gsid;
char group[UNLEN + 1]; DWORD glen = sizeof (gsid);
char domain[INTERNET_MAX_HOST_NAME_LENGTH + 1]; char domain[INTERNET_MAX_HOST_NAME_LENGTH + 1];
DWORD glen = UNLEN + 1; DWORD dlen = sizeof (domain);
DWORD dlen = INTERNET_MAX_HOST_NAME_LENGTH + 1;
SID_NAME_USE use = SidTypeInvalid; SID_NAME_USE use = SidTypeInvalid;
sys_wcstombs (group, buf[i].lgrpi0_name, UNLEN + 1); sys_wcstombs (bgroup + blen, buf[i].lgrpi0_name, GNLEN + 1);
if (!LookupAccountName (NULL, group, gsid, &glen, domain, &dlen, &use)) if (!LookupAccountName (NULL, bgroup, gsid, &glen, domain, &dlen, &use))
{ {
glen = UNLEN + 1; if (GetLastError () != ERROR_NONE_MAPPED)
dlen = INTERNET_MAX_HOST_NAME_LENGTH + 1; debug_printf ("LookupAccountName(%s): %E", bgroup);
if (!LookupAccountName (logonserver + 2, group, strcpy(lgroup + llen, bgroup + blen);
gsid, &glen, domain, &dlen, &use)) if (!LookupAccountName (NULL, lgroup, gsid, &glen,
debug_printf ("LookupAccountName(%s): %lu\n", group, domain, &dlen, &use))
GetLastError ()); debug_printf ("LookupAccountName(%s): %E", lgroup);
}
else if (!legal_sid_type (use))
{
strcat (strcpy (group, domain), "\\");
sys_wcstombs (group + strlen (group), buf[i].lgrpi0_name,
UNLEN + 1 - strlen (group));
glen = UNLEN + 1;
dlen = INTERNET_MAX_HOST_NAME_LENGTH + 1;
if (!LookupAccountName (NULL, group, gsid, &glen,
domain, &dlen, &use))
debug_printf ("LookupAccountName(%s): %lu\n", group,
GetLastError ());
} }
if (legal_sid_type (use)) if (legal_sid_type (use))
grp_list += gsid; grp_list += gsid;
else debug_printf("Rejecting local %s. use: %d", bgroup + blen, use);
} }
NetApiBufferFree (buf); NetApiBufferFree (buf);
@ -418,7 +426,7 @@ sid_in_token_groups (PTOKEN_GROUPS grps, cygsid &sid)
static BOOL static BOOL
get_user_primary_group (WCHAR *wlogonserver, const char *user, get_user_primary_group (WCHAR *wlogonserver, const char *user,
cygsid &usersid, cygsid &pgrpsid) PSID pusersid, cygsid &pgrpsid)
{ {
LPUSER_INFO_3 buf; LPUSER_INFO_3 buf;
WCHAR wuser[UNLEN + 1]; WCHAR wuser[UNLEN + 1];
@ -426,7 +434,7 @@ get_user_primary_group (WCHAR *wlogonserver, const char *user,
BOOL retval = FALSE; BOOL retval = FALSE;
UCHAR count = 0; UCHAR count = 0;
if (usersid == well_known_system_sid) if (pusersid == well_known_system_sid)
{ {
pgrpsid = well_known_system_sid; pgrpsid = well_known_system_sid;
return TRUE; return TRUE;
@ -434,15 +442,13 @@ get_user_primary_group (WCHAR *wlogonserver, const char *user,
sys_mbstowcs (wuser, user, UNLEN + 1); sys_mbstowcs (wuser, user, UNLEN + 1);
ret = NetUserGetInfo (wlogonserver, wuser, 3, (LPBYTE *) &buf); ret = NetUserGetInfo (wlogonserver, wuser, 3, (LPBYTE *) &buf);
if (ret == ERROR_BAD_NETPATH || ret == RPC_S_SERVER_UNAVAILABLE)
ret = NetUserGetInfo (NULL, wuser, 3, (LPBYTE *) &buf);
if (ret) if (ret)
{ {
__seterrno_from_win_error (ret); __seterrno_from_win_error (ret);
return FALSE; return FALSE;
} }
pgrpsid = usersid; pgrpsid = pusersid;
if (IsValidSid (pgrpsid) && (count = *GetSidSubAuthorityCount (pgrpsid)) > 1) if (IsValidSid (pgrpsid) && (count = *GetSidSubAuthorityCount (pgrpsid)) > 1)
{ {
*GetSidSubAuthority (pgrpsid, count - 1) = buf->usri3_primary_group_id; *GetSidSubAuthority (pgrpsid, count - 1) = buf->usri3_primary_group_id;
@ -477,27 +483,28 @@ get_supplementary_group_sidlist (const char *username, cygsidlist &grp_list)
} }
static BOOL static BOOL
get_group_sidlist (const char *logonserver, cygsidlist &grp_list, get_group_sidlist (cygsidlist &grp_list,
cygsid &usersid, cygsid &pgrpsid, cygsid &usersid, cygsid &pgrpsid,
PTOKEN_GROUPS my_grps, LUID auth_luid, int &auth_pos, PTOKEN_GROUPS my_grps, LUID auth_luid, int &auth_pos,
BOOL * special_pgrp) BOOL * special_pgrp)
{ {
WCHAR wserver[INTERNET_MAX_HOST_NAME_LENGTH + 1]; char user[UNLEN + 1];
char user[INTERNET_MAX_HOST_NAME_LENGTH + 1];
char domain[INTERNET_MAX_HOST_NAME_LENGTH + 1]; char domain[INTERNET_MAX_HOST_NAME_LENGTH + 1];
DWORD ulen = INTERNET_MAX_HOST_NAME_LENGTH + 1; WCHAR wserver[INTERNET_MAX_HOST_NAME_LENGTH + 3];
DWORD dlen = INTERNET_MAX_HOST_NAME_LENGTH + 1; char server[INTERNET_MAX_HOST_NAME_LENGTH + 3];
DWORD ulen = sizeof (user);
DWORD dlen = sizeof (domain);
SID_NAME_USE use; SID_NAME_USE use;
cygsidlist sup_list; cygsidlist sup_list;
auth_pos = -1; auth_pos = -1;
sys_mbstowcs (wserver, logonserver, INTERNET_MAX_HOST_NAME_LENGTH + 1);
if (!LookupAccountSid (NULL, usersid, user, &ulen, domain, &dlen, &use)) if (!LookupAccountSid (NULL, usersid, user, &ulen, domain, &dlen, &use))
{ {
debug_printf ("LookupAccountSid () %E"); debug_printf ("LookupAccountSid () %E");
__seterrno (); __seterrno ();
return FALSE; return FALSE;
} }
grp_list += well_known_world_sid; grp_list += well_known_world_sid;
if (usersid == well_known_system_sid) if (usersid == well_known_system_sid)
{ {
@ -506,6 +513,8 @@ get_group_sidlist (const char *logonserver, cygsidlist &grp_list,
} }
else else
{ {
if (!get_logon_server( domain, server, wserver))
return FALSE;
if (my_grps) if (my_grps)
{ {
if (sid_in_token_groups (my_grps, well_known_local_sid)) if (sid_in_token_groups (my_grps, well_known_local_sid))
@ -536,6 +545,9 @@ get_group_sidlist (const char *logonserver, cygsidlist &grp_list,
grp_list += buf; grp_list += buf;
auth_pos = grp_list.count - 1; auth_pos = grp_list.count - 1;
} }
if (!get_user_groups (wserver, grp_list, user, domain) ||
!get_user_local_groups (grp_list, usersid))
return FALSE;
} }
/* special_pgrp true if pgrpsid is not null and not in normal groups */ /* special_pgrp true if pgrpsid is not null and not in normal groups */
if (!pgrpsid) if (!pgrpsid)
@ -544,9 +556,6 @@ get_group_sidlist (const char *logonserver, cygsidlist &grp_list,
get_user_primary_group (wserver, user, usersid, pgrpsid); get_user_primary_group (wserver, user, usersid, pgrpsid);
} }
else * special_pgrp = TRUE; else * special_pgrp = TRUE;
if (!get_user_groups (wserver, grp_list, user) ||
!get_user_local_groups (wserver, logonserver, grp_list, usersid))
return FALSE;
if (get_supplementary_group_sidlist (user, sup_list)) if (get_supplementary_group_sidlist (user, sup_list))
{ {
for (int i = 0; i < sup_list.count; ++i) for (int i = 0; i < sup_list.count; ++i)
@ -729,7 +738,6 @@ create_token (cygsid &usersid, cygsid &pgrpsid)
{ {
NTSTATUS ret; NTSTATUS ret;
LSA_HANDLE lsa = INVALID_HANDLE_VALUE; LSA_HANDLE lsa = INVALID_HANDLE_VALUE;
char logonserver[INTERNET_MAX_HOST_NAME_LENGTH + 1];
int old_priv_state; int old_priv_state;
cygsidlist grpsids; cygsidlist grpsids;
@ -772,10 +780,6 @@ create_token (cygsid &usersid, cygsid &pgrpsid)
if ((lsa = open_local_policy ()) == INVALID_HANDLE_VALUE) if ((lsa = open_local_policy ()) == INVALID_HANDLE_VALUE)
goto out; goto out;
/* Get logon server. */
if (!get_logon_server (lsa, logonserver))
goto out;
/* User, owner, primary group. */ /* User, owner, primary group. */
user.User.Sid = usersid; user.User.Sid = usersid;
user.User.Attributes = 0; user.User.Attributes = 0;
@ -814,7 +818,7 @@ create_token (cygsid &usersid, cygsid &pgrpsid)
/* Create list of groups, the user is member in. */ /* Create list of groups, the user is member in. */
int auth_pos; int auth_pos;
if (!get_group_sidlist (logonserver, grpsids, usersid, pgrpsid, if (!get_group_sidlist (grpsids, usersid, pgrpsid,
my_grps, auth_luid, auth_pos, &special_pgrp)) my_grps, auth_luid, auth_pos, &special_pgrp))
goto out; goto out;

4
winsup/cygwin/security.h
View File

@ -186,8 +186,8 @@ BOOL verify_token (HANDLE token, cygsid &usersid, cygsid &pgrpsid, BOOL * pinter
/* Extract U-domain\user field from passwd entry. */ /* Extract U-domain\user field from passwd entry. */
void extract_nt_dom_user (const struct passwd *pw, char *domain, char *user); void extract_nt_dom_user (const struct passwd *pw, char *domain, char *user);
/* Get default logonserver and domain for this box. */ /* Get default logonserver for a domain. */
BOOL get_logon_server_and_user_domain (char *logonserver, char *domain); BOOL get_logon_server (const char * domain, char * server, WCHAR *wserver = NULL);
/* sec_helper.cc: Security helper functions. */ /* sec_helper.cc: Security helper functions. */
BOOL __stdcall is_grp_member (__uid32_t uid, __gid32_t gid); BOOL __stdcall is_grp_member (__uid32_t uid, __gid32_t gid);

3
winsup/cygwin/uinfo.cc
View File

@ -71,7 +71,8 @@ internal_getlogin (cygheap_user &user)
user.set_domain (buf); user.set_domain (buf);
NetApiBufferFree (wui); NetApiBufferFree (wui);
} }
if (!user.logsrv () && get_logon_server_and_user_domain (buf, NULL)) if (!user.logsrv () && user.domain() &&
get_logon_server(user.domain(), buf, NULL))
{ {
user.set_logsrv (buf + 2); user.set_logsrv (buf + 2);
setenv ("LOGONSERVER", buf, 1); setenv ("LOGONSERVER", buf, 1);