libs/newlib-cygwin
libs
/
newlib-cygwin
mirror of git://sourceware.org/git/newlib-cygwin.git
4
0
Fork 0
Code Issues Projects Releases Wiki Activity

Cygwin: uinfo: Drop long disabled nss_prefix and nss_separator 

Originally the code was written to allow three ways of prefixing
accounts and to freely define a domain/account separator.  This code
has been disabled even before being officially released, and it was
never re-enabled. Given there has been no complaints for eight years
now, drop this code eventually.  Just add a macro to define the
domain/account separator statically.

Fixes: cc332c9e27 ("(cygheap_pwdgrp::nss_init_line): Disable db_prefix
and db_separator settings.  Add comment")
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
This commit is contained in:
Corinna Vinschen 2022-12-02 15:13:24 +01:00
parent 30add3e6b3
commit 3b37a11870
4 changed files with 14 additions and 229 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
winsup/cygwin/external.cc
View File

@ -604,7 +604,7 @@ cygwin_internal (cygwin_getinfo_types t, ...)
break; break;
case CW_GETNSSSEP: case CW_GETNSSSEP:
res = (uintptr_t) cygheap->pg.nss_separator (); res = (uintptr_t) NSS_SEPARATOR_STRING;
break; break;
case CW_GETNSS_PWD_SRC: case CW_GETNSS_PWD_SRC:

14
winsup/cygwin/local_includes/cygheap.h
View File

@ -393,13 +393,11 @@ public:
{ return rfc2307_domain_buf ?: NULL; } { return rfc2307_domain_buf ?: NULL; }
}; };
#define NSS_SEPARATOR_STRING L"+"
#define NSS_SEPARATOR_CHAR (NSS_SEPARATOR_STRING[0])
class cygheap_pwdgrp class cygheap_pwdgrp
{ {
enum nss_pfx_t {
NSS_PFX_AUTO = 0,
NSS_PFX_PRIMARY,
NSS_PFX_ALWAYS
};
public: public:
enum nss_scheme_method { enum nss_scheme_method {
NSS_SCHEME_FALLBACK = 0, NSS_SCHEME_FALLBACK = 0,
@ -418,8 +416,6 @@ private:
bool nss_inited; bool nss_inited;
uint32_t pwd_src; uint32_t pwd_src;
uint32_t grp_src; uint32_t grp_src;
nss_pfx_t prefix;
WCHAR separator[2];
bool caching; bool caching;
#define NSS_SCHEME_MAX 4 #define NSS_SCHEME_MAX 4
@ -458,10 +454,6 @@ public:
inline bool nss_grp_files () const { return !!(grp_src & NSS_SRC_FILES); } inline bool nss_grp_files () const { return !!(grp_src & NSS_SRC_FILES); }
inline bool nss_grp_db () const { return !!(grp_src & NSS_SRC_DB); } inline bool nss_grp_db () const { return !!(grp_src & NSS_SRC_DB); }
inline int nss_grp_src () const { return grp_src; } /* CW_GETNSS_GRP_SRC */ inline int nss_grp_src () const { return grp_src; } /* CW_GETNSS_GRP_SRC */
inline bool nss_prefix_auto () const { return prefix == NSS_PFX_AUTO; }
inline bool nss_prefix_primary () const { return prefix == NSS_PFX_PRIMARY; }
inline bool nss_prefix_always () const { return prefix == NSS_PFX_ALWAYS; }
inline PCWSTR nss_separator () const { return separator; }
inline bool nss_cygserver_caching () const { return caching; } inline bool nss_cygserver_caching () const { return caching; }
inline void nss_disable_cygserver_caching () { caching = false; } inline void nss_disable_cygserver_caching () { caching = false; }

71
winsup/cygwin/uinfo.cc
View File

@ -579,14 +579,10 @@ cygheap_pwdgrp::init ()
passwd: files db passwd: files db
group: files db group: files db
db_prefix: auto DISABLED
db_separator: + DISABLED
db_enum: cache builtin db_enum: cache builtin
*/ */
pwd_src = (NSS_SRC_FILES | NSS_SRC_DB); pwd_src = (NSS_SRC_FILES | NSS_SRC_DB);
grp_src = (NSS_SRC_FILES | NSS_SRC_DB); grp_src = (NSS_SRC_FILES | NSS_SRC_DB);
prefix = NSS_PFX_AUTO;
separator[0] = L'+';
enums = (ENUM_CACHE | ENUM_BUILTIN); enums = (ENUM_CACHE | ENUM_BUILTIN);
enum_tdoms = NULL; enum_tdoms = NULL;
caching = true; /* INTERNAL ONLY */ caching = true; /* INTERNAL ONLY */
@ -650,32 +646,6 @@ cygheap_pwdgrp::nss_init_line (const char *line)
break; break;
} }
c += 3; c += 3;
#if 0 /* Disable setting prefix and separator from nsswitch.conf for now.
Remove if nobody complains too loudly. */
if (NSS_NCMP ("prefix:"))
{
c = strchr (c, ':') + 1;
c += strspn (c, " \t");
if (NSS_CMP ("auto"))
prefix = NSS_AUTO;
else if (NSS_CMP ("primary"))
prefix = NSS_PRIMARY;
else if (NSS_CMP ("always"))
prefix = NSS_ALWAYS;
else
debug_printf ("Invalid nsswitch.conf content: %s", line);
}
else if (NSS_NCMP ("separator:"))
{
c = strchr (c, ':') + 1;
c += strspn (c, " \t");
if ((unsigned char) *c <= 0x7f && *c != ':' && strchr (" \t", c[1]))
separator[0] = (unsigned char) *c;
else
debug_printf ("Invalid nsswitch.conf content: %s", line);
}
else
#endif
if (NSS_NCMP ("enum:")) if (NSS_NCMP ("enum:"))
{ {
tmp_pathbuf tp; tmp_pathbuf tp;
@ -904,7 +874,7 @@ fetch_from_path (cyg_ldap *pldap, PUSER_INFO_3 ui, cygpsid &sid, PCWSTR str,
{ {
w = wcpncpy (w, dom, we - w); w = wcpncpy (w, dom, we - w);
if (w < we) if (w < we)
*w++ = cygheap->pg.nss_separator ()[0]; *w++ = NSS_SEPARATOR_CHAR;
} }
w = wcpncpy (w, name, we - w); w = wcpncpy (w, name, we - w);
break; break;
@ -1939,14 +1909,14 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
sys_mbstowcs (name, UNLEN + 1, arg.name); sys_mbstowcs (name, UNLEN + 1, arg.name);
/* If the incoming name has a backslash or at sign, and neither backslash /* If the incoming name has a backslash or at sign, and neither backslash
nor at are the domain separator chars, the name is invalid. */ nor at are the domain separator chars, the name is invalid. */
if ((p = wcspbrk (name, L"\\@")) && *p != cygheap->pg.nss_separator ()[0]) if ((p = wcspbrk (name, L"\\@")) && *p != NSS_SEPARATOR_CHAR)
{ {
debug_printf ("Invalid account name <%s> (backslash/at)", arg.name); debug_printf ("Invalid account name <%s> (backslash/at)", arg.name);
return NULL; return NULL;
} }
/* Replace domain separator char with backslash and make sure p is NULL /* Replace domain separator char with backslash and make sure p is NULL
or points to the backslash. */ or points to the backslash. */
if ((p = wcschr (name, cygheap->pg.nss_separator ()[0]))) if ((p = wcschr (name, NSS_SEPARATOR_CHAR)))
{ {
fq_name = true; fq_name = true;
*p = L'\\'; *p = L'\\';
@ -1992,13 +1962,6 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
/* AzureAD user must be prepended by "domain" name. */ /* AzureAD user must be prepended by "domain" name. */
if (sid_id_auth (sid) == 12) if (sid_id_auth (sid) == 12)
return NULL; return NULL;
/* name_only only if db_prefix is auto. */
if (!cygheap->pg.nss_prefix_auto ())
{
debug_printf ("Invalid account name <%s> (name only/"
"db_prefix not auto)", arg.name);
return NULL;
}
/* name_only account is either builtin or primary domain, or /* name_only account is either builtin or primary domain, or
account domain on non-domain machines. */ account domain on non-domain machines. */
if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */ if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
@ -2023,9 +1986,6 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
} }
else else
{ {
/* All is well if db_prefix is always. */
if (cygheap->pg.nss_prefix_always ())
break;
/* AzureAD accounts should be fully qualifed either. */ /* AzureAD accounts should be fully qualifed either. */
if (sid_id_auth (sid) == 12) if (sid_id_auth (sid) == 12)
break; break;
@ -2042,9 +2002,6 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
"not NON_UNIQUE or NT_SERVICE)", arg.name); "not NON_UNIQUE or NT_SERVICE)", arg.name);
return NULL; return NULL;
} }
/* All is well if db_prefix is primary. */
if (cygheap->pg.nss_prefix_primary ())
break;
/* Domain member and domain == primary domain? */ /* Domain member and domain == primary domain? */
if (cygheap->dom.member_machine ()) if (cygheap->dom.member_machine ())
{ {
@ -2263,15 +2220,13 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
#else #else
posix_offset = 0; posix_offset = 0;
#endif #endif
fully_qualified_name = cygheap->pg.nss_prefix_always ();
is_domain_account = false; is_domain_account = false;
} }
/* Account domain account? */ /* Account domain account? */
else if (!wcscasecmp (dom, cygheap->dom.account_flat_name ())) else if (!wcscasecmp (dom, cygheap->dom.account_flat_name ()))
{ {
posix_offset = 0x30000; posix_offset = 0x30000;
if (cygheap->dom.member_machine () if (cygheap->dom.member_machine ())
|| !cygheap->pg.nss_prefix_auto ())
fully_qualified_name = true; fully_qualified_name = true;
is_domain_account = false; is_domain_account = false;
} }
@ -2290,8 +2245,6 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
set domain here to non-NULL, unless you're sure you have set domain here to non-NULL, unless you're sure you have
also changed subsequent assumptions that domain is NULL also changed subsequent assumptions that domain is NULL
if it's a primary domain account. */ if it's a primary domain account. */
if (!cygheap->pg.nss_prefix_auto ())
fully_qualified_name = true;
} }
else else
{ {
@ -2486,18 +2439,16 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
if (pgrp) if (pgrp)
{ {
/* Set primary group from the "Description" field. Prepend /* Set primary group from the "Description" field. Prepend
account domain if this is a domain member machine or the account domain if this is a domain member machine. */
db_prefix setting requires it. */
char gname[2 * DNLEN + strlen (pgrp) + 1], *gp = gname; char gname[2 * DNLEN + strlen (pgrp) + 1], *gp = gname;
struct group *gr; struct group *gr;
if (cygheap->dom.member_machine () if (cygheap->dom.member_machine ())
|| !cygheap->pg.nss_prefix_auto ())
{ {
gp = gname gp = gname
+ sys_wcstombs (gname, sizeof gname, + sys_wcstombs (gname, sizeof gname,
cygheap->dom.account_flat_name ()); cygheap->dom.account_flat_name ());
*gp++ = cygheap->pg.nss_separator ()[0]; *gp++ = NSS_SEPARATOR_CHAR;
} }
stpcpy (gp, pgrp); stpcpy (gp, pgrp);
if ((gr = internal_getgrnam (gname, cldap))) if ((gr = internal_getgrnam (gname, cldap)))
@ -2521,9 +2472,9 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
} }
break; break;
case SidTypeWellKnownGroup: case SidTypeWellKnownGroup:
fully_qualified_name = (cygheap->pg.nss_prefix_always () fully_qualified_name = (
/* NT SERVICE Account */ /* NT SERVICE Account */
|| (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */ (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
&& sid_sub_auth (sid, 0) == SECURITY_SERVICE_ID_BASE_RID) && sid_sub_auth (sid, 0) == SECURITY_SERVICE_ID_BASE_RID)
/* Microsoft Account */ /* Microsoft Account */
|| sid_id_auth (sid) == 11); || sid_id_auth (sid) == 11);
@ -2582,7 +2533,6 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
break; break;
case SidTypeLabel: case SidTypeLabel:
uid = 0x60000 + sid_sub_auth_rid (sid); uid = 0x60000 + sid_sub_auth_rid (sid);
fully_qualified_name = cygheap->pg.nss_prefix_always ();
break; break;
default: default:
return NULL; return NULL;
@ -2641,7 +2591,6 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
wcpcpy (name = namebuf, sid_sub_auth_rid (sid) == 1 wcpcpy (name = namebuf, sid_sub_auth_rid (sid) == 1
? (PWCHAR) L"Authentication authority asserted identity" ? (PWCHAR) L"Authentication authority asserted identity"
: (PWCHAR) L"Service asserted identity"); : (PWCHAR) L"Service asserted identity");
fully_qualified_name = false;
acc_type = SidTypeUnknown; acc_type = SidTypeUnknown;
} }
else if (sid_id_auth (sid) == 22) else if (sid_id_auth (sid) == 22)
@ -2711,7 +2660,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
if (gid == ILLEGAL_GID) if (gid == ILLEGAL_GID)
gid = uid; gid = uid;
if (fully_qualified_name) if (fully_qualified_name)
p = wcpcpy (wcpcpy (p, dom), cygheap->pg.nss_separator ()); p = wcpcpy (wcpcpy (p, dom), NSS_SEPARATOR_STRING);
wcpcpy (p, name); wcpcpy (p, name);
if (is_group ()) if (is_group ())

156
winsup/doc/ntsec.xml
View File

@ -870,9 +870,6 @@ set up to all default values:
# /etc/nsswitch.conf # /etc/nsswitch.conf
passwd: files db passwd: files db
group: files db group: files db
<!--
db_prefix: auto
db_separator: + -->
db_enum: cache builtin db_enum: cache builtin
db_home: /home/%U db_home: /home/%U
db_shell: /bin/bash db_shell: /bin/bash
@ -991,159 +988,6 @@ and <literal>group</literal> information from the database.
</sect4> </sect4>
<!--
DESCRIPTION OF db_prefix AND db_separator
Keep in for reference
<itemizedlist spacing="compact">
<listitem>
<para>
<literal>db_prefix:</literal> determines how the Cygwin user or group name
is created. The recognized values are:
</para>
<variablelist>
<varlistentry>
<term><literal>auto</literal></term>
<listitem>
<para>
This is the default. If your account is from the primary domain of your
machine, or if your machine is a standalone machine (not a domain member),
your Cygwin account name is just the Windows account name.
</para>
<para>
If your account is from another domain, or if you're logged in as
local user on a domain machine, the Cygwin username will be the
combination of Windows domainname and username, with the separator
char in between:
</para>
<segmentedlist><?dbhtml list-presentation="table"?>
<seglistitem>
<seg><literal>MY_DOM+username</literal></seg>
<seg>(foreign domain)</seg>
</seglistitem>
<seglistitem>
<seg><literal>MACHINE+username</literal></seg>
<seg>(local account)</seg>
</seglistitem>
</segmentedlist>
<para>
Builtin accounts are simply used as is:
</para>
<segmentedlist><?dbhtml list-presentation="table"?>
<seglistitem>
<seg><literal>LOCAL</literal></seg>
</seglistitem>
<seglistitem>
<seg><literal>Users</literal></seg>
</seglistitem>
</segmentedlist>
<para>
Unknown accounts on NFS or Samba shares (that is, accounts which cannot be
mapped to Windows user accounts via
<ulink url="https://tools.ietf.org/html/rfc2307">RFC 2307</ulink>) get a
Cygwin account name consisting of the artificial domains
<literal>Unix_User</literal> or <literal>Unix_Group</literal> and the
uid/gid value, for instance:
</para>
<segmentedlist><?dbhtml list-presentation="table"?>
<seglistitem>
<seg><literal>Unix_User+0</literal></seg>
<seg>(root)</seg>
</seglistitem>
<seglistitem>
<seg><literal>Unix_Group+10</literal></seg>
<seg>(wheel)</seg>
</seglistitem>
</segmentedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>primary</literal></term>
<listitem>
<para>
Like <literal>auto</literal>, but primary domain accounts will be
prepended by the domainname as well.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>always</literal></term>
<listitem>
<para>
All accounts, even the builtin accounts, will have the domain name
prepended:
</para>
<segmentedlist><?dbhtml list-presentation="table"?>
<seglistitem>
<seg><literal>BUILTIN+Users</literal></seg>
</seglistitem>
</segmentedlist>
<para>
A special case are builtin accounts which have an emtpy domain name.
These will be prependend by just the separator character in
<literal>always</literal> mode:
</para>
<segmentedlist><?dbhtml list-presentation="table"?>
<seglistitem>
<seg><literal>+LOCAL</literal></seg>
</seglistitem>
</segmentedlist>
</listitem>
</varlistentry>
</variablelist>
</listitem>
<listitem>
<para>
<literal>db_separator:</literal> defines the spearator char used to prepend the
domain name to the user or group name. The default is the plus character
<literal>+</literal>.
</para>
<screen>
MY_DOM+username
</screen>
<para>
With <literal>db_separator:</literal>, you can define any ASCII char except
space, tab, carriage return, line feed, and the colon, as separator char.
Example:
</para>
<screen>
db_separator: \
</screen>
<para>
This results in usernames with the backslash as separator:
</para>
<screen>
MY_DOM\username
</screen>
</listitem>
</itemizedlist>
-->
<sect4 id="ntsec-mapping-nsswitch-enum"><title id="ntsec-mapping-nsswitch-enum.title">The <literal>db_enum:</literal> setting</title> <sect4 id="ntsec-mapping-nsswitch-enum"><title id="ntsec-mapping-nsswitch-enum.title">The <literal>db_enum:</literal> setting</title>
<para> <para>