Cygwin: passwd/group: drop Capability SIDs

Capability SIDs (S-1-15-3-...) have been introduced with
Windows 10 1909.  They don't resolve with LookupAccountSid.
We don't need them and they don't map gracefully into our
POSIX account namespace.  Also, add code to make sure to
filter them out *iff* they become resolvable at one point.

While at it, slightly reorder code for non-resolving SIDs
by authority values.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
This commit is contained in:
Corinna Vinschen 2024-02-20 17:25:23 +01:00
parent 70653fd8f1
commit 5cc6996987
1 changed files with 29 additions and 18 deletions


@ -2624,9 +2624,15 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
+ (sid_sub_auth_rid (sid) & 0xff);
#else
if (sid_id_auth (sid) == 15 /* SECURITY_APP_PACKAGE_AUTHORITY */)
uid = 0x10000 + 0x100 * sid_id_auth (sid)
+ 0x10 * sid_sub_auth (sid, 0)
+ (sid_sub_auth_rid (sid) & 0xf);
{
/* Filter out all SIDs not referring to an App Package, for
instance, Capability SIDs (S-1-15-3-...) */
if (sid_sub_auth (sid, 0) != SECURITY_APP_PACKAGE_BASE_RID)
return NULL;
uid = 0x10000 + 0x100 * sid_id_auth (sid)
+ 0x10 * SECURITY_APP_PACKAGE_BASE_RID
+ (sid_sub_auth_rid (sid) & 0xf);
}
else if (sid_id_auth (sid) != 5 /* SECURITY_NT_AUTHORITY */)
uid = 0x10000 + 0x100 * sid_id_auth (sid)
+ (sid_sub_auth_rid (sid) & 0xff);
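Review bot: The guard added at 2624 rejects every S-1-15 SID whose first sub-authority is not SECURITY_APP_PACKAGE_BASE_RID, whereas the guard added later in the same function (hunk at 2721) returns NULL only when it equals SECURITY_CAPABILITY_BASE_RID, so an S-1-15 SID with some other first sub-authority is dropped on this path but falls through to the remaining else-if chain on the other. If both branches are meant to implement the same policy, one shared predicate in both places would keep them from drifting; if the non-resolving path is intentionally stricter, a one-line comment here saying so would spare the next reader the comparison. The uid computation also deserves a comment: `(sid_sub_auth_rid (sid) & 0xf)` keeps only the low four bits of the final RID, so distinct App Package SIDs can collapse onto the same uid, which appears to be accepted by design but is not stated anywhere in the hunk. fetch_account_from_windows continues on both sides of this hunk.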
@ -2682,21 +2688,8 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
fully_qualified_name = true;
acc_type = SidTypeUnknown;
}
else if (sid_id_auth (sid) == 12 && sid_sub_auth (sid, 0) == 1)
{
/* Special AzureAD group SID which can't be resolved by
LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed
as group entry, not as passwd entry. */
if (is_passwd ())
return NULL;
uid = gid = 0x1001;
wcpcpy (dom, L"AzureAD");
wcpcpy (name = namebuf, L"Group");
fully_qualified_name = true;
acc_type = SidTypeUnknown;
}
else if (sid_id_auth (sid) == 5 &&
sid_sub_auth (sid, 0) == SECURITY_APPPOOL_ID_BASE_RID)
else if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
&& sid_sub_auth (sid, 0) == SECURITY_APPPOOL_ID_BASE_RID)
{
/* Special IIS APPPOOL group SID which can't be resolved by
LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed
@ -2728,6 +2721,24 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
}
acc_type = SidTypeUnknown;
}
else if (sid_id_auth (sid) == 12 /* AzureAD ID */
&& sid_sub_auth (sid, 0) == 1 /* Azure ID base RID */)
{
/* Special AzureAD group SID which can't be resolved by
LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed
as group entry, not as passwd entry. */
if (is_passwd ())
return NULL;
uid = gid = 0x1001;
wcpcpy (dom, L"AzureAD");
wcpcpy (name = namebuf, L"Group");
fully_qualified_name = true;
acc_type = SidTypeUnknown;
}
else if (sid_id_auth (sid) == 15 /* SECURITY_APP_PACKAGE_AUTHORITY */
&& sid_sub_auth (sid, 0) == SECURITY_CAPABILITY_BASE_RID)
/* Filter out Capability SIDs */
return NULL;
else if (sid_id_auth (sid) == 22)
{
/* Samba UNIX Users/Groups