* security.cc (get_unix_group_sidlist): Create.
(get_supplementary_group_sidlist): Evolve into get_unix_group_sidlist. (get_user_local_groups): Add check for duplicates. (get_user_primary_group): Suppress. (get_group_sidlist): Silently ignore PDC unavailability. Call get_unix_group_sidlist() before get_user_local_groups(). Remove call to get_supplementary_group_sidlist(). Never call get_user_primary_group() as the passwd group is always included. Add well_known_authenticated_users_sid in only one statement.
This commit is contained in:
Corinna Vinschen
parent
86620e8f92
commit
095a1272e8
|
|
@ -1,3 +1,15 @@
|
|||
2002-07-18 Pierre Humblet <pierre.humblet@ieee.org>
|
||||
|
||||
* security.cc (get_unix_group_sidlist): Create.
|
||||
(get_supplementary_group_sidlist): Evolve into get_unix_group_sidlist.
|
||||
(get_user_local_groups): Add check for duplicates.
|
||||
(get_user_primary_group): Suppress.
|
||||
(get_group_sidlist): Silently ignore PDC unavailability.
|
||||
Call get_unix_group_sidlist() before get_user_local_groups().
|
||||
Remove call to get_supplementary_group_sidlist(). Never call
|
||||
get_user_primary_group() as the passwd group is always included.
|
||||
Add well_known_authenticated_users_sid in only one statement.
|
||||
|
||||
2002-07-19 Christopher Faylor <cgf@redhat.com>
|
||||
|
||||
* fhandler_serial.cc (fhandler_serial::tcflush): Fix typo.
|
||||
|
|
|
|||
|
|
@ -395,11 +395,11 @@ get_user_local_groups (cygsidlist &grp_list, PSID pusersid)
|
|||
domain, &dlen, &use))
|
||||
debug_printf ("LookupAccountName(%s): %E", lgroup);
|
||||
}
|
||||
if (legal_sid_type (use))
|
||||
if (!legal_sid_type (use))
|
||||
debug_printf ("Rejecting local %s. use: %d", bgroup + blen, use);
|
||||
else if (!grp_list.contains (gsid))
|
||||
grp_list += gsid;
|
||||
else debug_printf ("Rejecting local %s. use: %d", bgroup + blen, use);
|
||||
}
|
||||
|
||||
NetApiBufferFree (buf);
|
||||
return TRUE;
|
||||
}
|
||||
|
|
@ -415,6 +415,7 @@ sid_in_token_groups (PTOKEN_GROUPS grps, cygsid &sid)
|
|||
return FALSE;
|
||||
}
|
||||
|
||||
#if 0 /* Unused */
|
||||
static BOOL
|
||||
get_user_primary_group (WCHAR *wlogonserver, const char *user,
|
||||
PSID pusersid, cygsid &pgrpsid)
|
||||
|
|
@ -448,29 +449,28 @@ get_user_primary_group (WCHAR *wlogonserver, const char *user,
|
|||
NetApiBufferFree (buf);
|
||||
return retval;
|
||||
}
|
||||
#endif
|
||||
|
||||
static int
|
||||
get_supplementary_group_sidlist (const char *username, cygsidlist &grp_list)
|
||||
static void
|
||||
get_unix_group_sidlist (struct passwd * pw, cygsidlist &grp_list)
|
||||
{
|
||||
struct __group32 *gr;
|
||||
int cnt = 0;
|
||||
cygsid gsid;
|
||||
|
||||
for (int gidx = 0; (gr = internal_getgrent (gidx)); ++gidx)
|
||||
{
|
||||
if (gr->gr_mem)
|
||||
if (gr->gr_gid == (__gid32_t) pw->pw_gid)
|
||||
goto found;
|
||||
else if (gr->gr_mem)
|
||||
for (int gi = 0; gr->gr_mem[gi]; ++gi)
|
||||
if (strcasematch (username, gr->gr_mem[gi]))
|
||||
{
|
||||
if (gr->gr_passwd && *gr->gr_passwd)
|
||||
{
|
||||
cygsid sid (gr->gr_passwd);
|
||||
if ((PSID)sid && grp_list.add (sid))
|
||||
++cnt;
|
||||
if (strcasematch (pw->pw_name, gr->gr_mem[gi]))
|
||||
goto found;
|
||||
continue;
|
||||
found:
|
||||
if (gsid.getfromgr (gr) && !grp_list.contains (gsid))
|
||||
grp_list += gsid;
|
||||
|
||||
}
|
||||
break;
|
||||
}
|
||||
}
|
||||
return cnt;
|
||||
}
|
||||
|
||||
static BOOL
|
||||
|
|
@ -488,16 +488,14 @@ get_group_sidlist (cygsidlist &grp_list,
|
|||
auth_pos = -1;
|
||||
|
||||
grp_list += well_known_world_sid;
|
||||
grp_list += well_known_authenticated_users_sid;
|
||||
if (usersid == well_known_system_sid)
|
||||
{
|
||||
grp_list += well_known_authenticated_users_sid;
|
||||
grp_list += well_known_admins_sid;
|
||||
get_unix_group_sidlist (pw, grp_list);
|
||||
}
|
||||
else
|
||||
{
|
||||
extract_nt_dom_user (pw, domain, user);
|
||||
if (!get_logon_server (domain, server, wserver))
|
||||
return FALSE;
|
||||
if (my_grps)
|
||||
{
|
||||
if (sid_in_token_groups (my_grps, well_known_local_sid))
|
||||
|
|
@ -512,13 +510,11 @@ get_group_sidlist (cygsidlist &grp_list,
|
|||
grp_list += well_known_interactive_sid;
|
||||
if (sid_in_token_groups (my_grps, well_known_service_sid))
|
||||
grp_list += well_known_service_sid;
|
||||
grp_list += well_known_authenticated_users_sid;
|
||||
}
|
||||
else
|
||||
{
|
||||
grp_list += well_known_local_sid;
|
||||
grp_list += well_known_interactive_sid;
|
||||
grp_list += well_known_authenticated_users_sid;
|
||||
}
|
||||
if (auth_luid.QuadPart != 999) /* != SYSTEM_LUID */
|
||||
{
|
||||
|
|
@ -528,28 +524,22 @@ get_group_sidlist (cygsidlist &grp_list,
|
|||
grp_list += buf;
|
||||
auth_pos = grp_list.count - 1;
|
||||
}
|
||||
if (!get_user_groups (wserver, grp_list, user, domain) ||
|
||||
!get_user_local_groups (grp_list, usersid))
|
||||
extract_nt_dom_user (pw, domain, user);
|
||||
/* Fail silently if DC is not reachable */
|
||||
if (get_logon_server (domain, server, wserver) &&
|
||||
!get_user_groups (wserver, grp_list, user, domain))
|
||||
return FALSE;
|
||||
get_unix_group_sidlist (pw, grp_list);
|
||||
if (!get_user_local_groups (grp_list, usersid))
|
||||
return FALSE;
|
||||
}
|
||||
/* special_pgrp true if pgrpsid is not null and not in normal groups */
|
||||
if (!pgrpsid)
|
||||
{
|
||||
*special_pgrp = FALSE;
|
||||
get_user_primary_group (wserver, user, usersid, pgrpsid);
|
||||
}
|
||||
else
|
||||
if (pgrpsid && !grp_list.contains (pgrpsid))
|
||||
{
|
||||
*special_pgrp = TRUE;
|
||||
if (pw->pw_name && get_supplementary_group_sidlist (pw->pw_name, sup_list))
|
||||
{
|
||||
for (int i = 0; i < sup_list.count; ++i)
|
||||
if (!grp_list.contains (sup_list.sids[i]))
|
||||
grp_list += sup_list.sids[i];
|
||||
}
|
||||
if (!grp_list.contains (pgrpsid))
|
||||
grp_list += pgrpsid;
|
||||
else
|
||||
*special_pgrp = FALSE;
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue