* security.cc (get_unix_group_sidlist): Create.
(get_supplementary_group_sidlist): Evolve into get_unix_group_sidlist. (get_user_local_groups): Add check for duplicates. (get_user_primary_group): Suppress. (get_group_sidlist): Silently ignore PDC unavailability. Call get_unix_group_sidlist() before get_user_local_groups(). Remove call to get_supplementary_group_sidlist(). Never call get_user_primary_group() as the passwd group is always included. Add well_known_authenticated_users_sid in only one statement.
This commit is contained in:
Corinna Vinschen
parent
86620e8f92
commit
095a1272e8
|
|
@ -1,3 +1,15 @@
|
|||
2002-07-18 Pierre Humblet <pierre.humblet@ieee.org>
|
||||
|
||||
* security.cc (get_unix_group_sidlist): Create.
|
||||
(get_supplementary_group_sidlist): Evolve into get_unix_group_sidlist.
|
||||
(get_user_local_groups): Add check for duplicates.
|
||||
(get_user_primary_group): Suppress.
|
||||
(get_group_sidlist): Silently ignore PDC unavailability.
|
||||
Call get_unix_group_sidlist() before get_user_local_groups().
|
||||
Remove call to get_supplementary_group_sidlist(). Never call
|
||||
get_user_primary_group() as the passwd group is always included.
|
||||
Add well_known_authenticated_users_sid in only one statement.
|
||||
|
||||
2002-07-19 Christopher Faylor <cgf@redhat.com>
|
||||
|
||||
* fhandler_serial.cc (fhandler_serial::tcflush): Fix typo.
|
||||
|
|
|
|||
|
|
@ -388,18 +388,18 @@ get_user_local_groups (cygsidlist &grp_list, PSID pusersid)
|
|||
sys_wcstombs (bgroup + blen, buf[i].lgrpi0_name, GNLEN + 1);
|
||||
if (!LookupAccountName (NULL, bgroup, gsid, &glen, domain, &dlen, &use))
|
||||
{
|
||||
if (GetLastError () != ERROR_NONE_MAPPED)
|
||||
debug_printf ("LookupAccountName(%s): %E", bgroup);
|
||||
strcpy (lgroup + llen, bgroup + blen);
|
||||
if (!LookupAccountName (NULL, lgroup, gsid, &glen,
|
||||
domain, &dlen, &use))
|
||||
debug_printf ("LookupAccountName(%s): %E", lgroup);
|
||||
if (GetLastError () != ERROR_NONE_MAPPED)
|
||||
debug_printf ("LookupAccountName(%s): %E", bgroup);
|
||||
strcpy (lgroup + llen, bgroup + blen);
|
||||
if (!LookupAccountName (NULL, lgroup, gsid, &glen,
|
||||
domain, &dlen, &use))
|
||||
debug_printf ("LookupAccountName(%s): %E", lgroup);
|
||||
}
|
||||
if (legal_sid_type (use))
|
||||
if (!legal_sid_type (use))
|
||||
debug_printf ("Rejecting local %s. use: %d", bgroup + blen, use);
|
||||
else if (!grp_list.contains (gsid))
|
||||
grp_list += gsid;
|
||||
else debug_printf ("Rejecting local %s. use: %d", bgroup + blen, use);
|
||||
}
|
||||
|
||||
NetApiBufferFree (buf);
|
||||
return TRUE;
|
||||
}
|
||||
|
|
@ -415,6 +415,7 @@ sid_in_token_groups (PTOKEN_GROUPS grps, cygsid &sid)
|
|||
return FALSE;
|
||||
}
|
||||
|
||||
#if 0 /* Unused */
|
||||
static BOOL
|
||||
get_user_primary_group (WCHAR *wlogonserver, const char *user,
|
||||
PSID pusersid, cygsid &pgrpsid)
|
||||
|
|
@ -448,34 +449,33 @@ get_user_primary_group (WCHAR *wlogonserver, const char *user,
|
|||
NetApiBufferFree (buf);
|
||||
return retval;
|
||||
}
|
||||
#endif
|
||||
|
||||
static int
|
||||
get_supplementary_group_sidlist (const char *username, cygsidlist &grp_list)
|
||||
static void
|
||||
get_unix_group_sidlist (struct passwd * pw, cygsidlist &grp_list)
|
||||
{
|
||||
struct __group32 *gr;
|
||||
int cnt = 0;
|
||||
cygsid gsid;
|
||||
|
||||
for (int gidx = 0; (gr = internal_getgrent (gidx)); ++gidx)
|
||||
{
|
||||
if (gr->gr_mem)
|
||||
if (gr->gr_gid == (__gid32_t) pw->pw_gid)
|
||||
goto found;
|
||||
else if (gr->gr_mem)
|
||||
for (int gi = 0; gr->gr_mem[gi]; ++gi)
|
||||
if (strcasematch (username, gr->gr_mem[gi]))
|
||||
{
|
||||
if (gr->gr_passwd && *gr->gr_passwd)
|
||||
{
|
||||
cygsid sid (gr->gr_passwd);
|
||||
if ((PSID)sid && grp_list.add (sid))
|
||||
++cnt;
|
||||
}
|
||||
break;
|
||||
}
|
||||
if (strcasematch (pw->pw_name, gr->gr_mem[gi]))
|
||||
goto found;
|
||||
continue;
|
||||
found:
|
||||
if (gsid.getfromgr (gr) && !grp_list.contains (gsid))
|
||||
grp_list += gsid;
|
||||
|
||||
}
|
||||
return cnt;
|
||||
}
|
||||
|
||||
static BOOL
|
||||
get_group_sidlist (cygsidlist &grp_list,
|
||||
cygsid &usersid, cygsid &pgrpsid, struct passwd * pw,
|
||||
cygsid &usersid, cygsid &pgrpsid, struct passwd * pw,
|
||||
PTOKEN_GROUPS my_grps, LUID auth_luid, int &auth_pos,
|
||||
BOOL * special_pgrp)
|
||||
{
|
||||
|
|
@ -488,16 +488,14 @@ get_group_sidlist (cygsidlist &grp_list,
|
|||
auth_pos = -1;
|
||||
|
||||
grp_list += well_known_world_sid;
|
||||
grp_list += well_known_authenticated_users_sid;
|
||||
if (usersid == well_known_system_sid)
|
||||
{
|
||||
grp_list += well_known_authenticated_users_sid;
|
||||
grp_list += well_known_admins_sid;
|
||||
get_unix_group_sidlist (pw, grp_list);
|
||||
}
|
||||
else
|
||||
{
|
||||
extract_nt_dom_user (pw, domain, user);
|
||||
if (!get_logon_server (domain, server, wserver))
|
||||
return FALSE;
|
||||
if (my_grps)
|
||||
{
|
||||
if (sid_in_token_groups (my_grps, well_known_local_sid))
|
||||
|
|
@ -512,13 +510,11 @@ get_group_sidlist (cygsidlist &grp_list,
|
|||
grp_list += well_known_interactive_sid;
|
||||
if (sid_in_token_groups (my_grps, well_known_service_sid))
|
||||
grp_list += well_known_service_sid;
|
||||
grp_list += well_known_authenticated_users_sid;
|
||||
}
|
||||
else
|
||||
{
|
||||
grp_list += well_known_local_sid;
|
||||
grp_list += well_known_interactive_sid;
|
||||
grp_list += well_known_authenticated_users_sid;
|
||||
}
|
||||
if (auth_luid.QuadPart != 999) /* != SYSTEM_LUID */
|
||||
{
|
||||
|
|
@ -528,28 +524,22 @@ get_group_sidlist (cygsidlist &grp_list,
|
|||
grp_list += buf;
|
||||
auth_pos = grp_list.count - 1;
|
||||
}
|
||||
if (!get_user_groups (wserver, grp_list, user, domain) ||
|
||||
!get_user_local_groups (grp_list, usersid))
|
||||
extract_nt_dom_user (pw, domain, user);
|
||||
/* Fail silently if DC is not reachable */
|
||||
if (get_logon_server (domain, server, wserver) &&
|
||||
!get_user_groups (wserver, grp_list, user, domain))
|
||||
return FALSE;
|
||||
get_unix_group_sidlist (pw, grp_list);
|
||||
if (!get_user_local_groups (grp_list, usersid))
|
||||
return FALSE;
|
||||
}
|
||||
/* special_pgrp true if pgrpsid is not null and not in normal groups */
|
||||
if (!pgrpsid)
|
||||
*special_pgrp = FALSE;
|
||||
if (pgrpsid && !grp_list.contains (pgrpsid))
|
||||
{
|
||||
*special_pgrp = FALSE;
|
||||
get_user_primary_group (wserver, user, usersid, pgrpsid);
|
||||
*special_pgrp = TRUE;
|
||||
grp_list += pgrpsid;
|
||||
}
|
||||
else
|
||||
*special_pgrp = TRUE;
|
||||
if (pw->pw_name && get_supplementary_group_sidlist (pw->pw_name, sup_list))
|
||||
{
|
||||
for (int i = 0; i < sup_list.count; ++i)
|
||||
if (!grp_list.contains (sup_list.sids[i]))
|
||||
grp_list += sup_list.sids[i];
|
||||
}
|
||||
if (!grp_list.contains (pgrpsid))
|
||||
grp_list += pgrpsid;
|
||||
else
|
||||
*special_pgrp = FALSE;
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
|
@ -856,7 +846,7 @@ create_token (cygsid &usersid, cygsid &pgrpsid, struct passwd * pw)
|
|||
if (psa->lpSecurityDescriptor &&
|
||||
!SetSecurityDescriptorGroup (
|
||||
(PSECURITY_DESCRIPTOR) psa->lpSecurityDescriptor,
|
||||
special_pgrp?pgrpsid:well_known_null_sid, FALSE))
|
||||
special_pgrp ? pgrpsid : well_known_null_sid, FALSE))
|
||||
debug_printf ("SetSecurityDescriptorGroup %E");
|
||||
/* Convert to primary token. */
|
||||
if (!DuplicateTokenEx (token, MAXIMUM_ALLOWED, psa,
|
||||
|
|
|
|||
Loading…
Reference in New Issue