* security.h (cygsidlist::addfromgr): Allow duplicate entries.

(get_server_groups): Declare new function.
	* security.cc (is_group_member): Simplify.
	(get_server_groups): New function.
	(get_initgroups_sidlist): Call get_server_groups.
	(verify_token): Allow token when supplementary sids are not in
	/etc/group but are in the token.
	Streamline the code.
	* grp.cc (initgroups32): New implementation.
	(getgroups32): Handle case where the supplementary groups are set.
This commit is contained in:
Corinna Vinschen 2005-04-16 15:21:47 +00:00
parent 00c05edcf1
commit 68a3f0d34a
4 changed files with 131 additions and 66 deletions

View File

@ -1,3 +1,17 @@
2005-04-16 Corinna Vinschen <corinna@vinschen.de>
Pierre Humblet <pierre.humblet@ieee.org>
* security.h (cygsidlist::addfromgr): Allow duplicate entries.
(get_server_groups): Declare new function.
* security.cc (is_group_member): Simplify.
(get_server_groups): New function.
(get_initgroups_sidlist): Call get_server_groups.
(verify_token): Allow token when supplementary sids are not in
/etc/group but are in the token.
Streamline the code.
* grp.cc (initgroups32): New implementation.
(getgroups32): Handle case where the supplementary groups are set.
2005-04-16 Corinna Vinschen <corinna@vinschen.de>
* environ.cc (environ_init): Don't set traverse checking as default.

View File

@ -344,14 +344,32 @@ internal_getgroups (int gidsetsize, __gid32_t *grouplist, cygpsid * srchsid)
__gid32_t gid;
const char *username;
if (allow_ntsec)
if (!srchsid && cygheap->user.groups.issetgroups ())
{
cygsid sid;
for (int gidx = 0; (gr = internal_getgrent (gidx)); ++gidx)
if (sid.getfromgr (gr))
for (int pg = 0; pg < cygheap->user.groups.sgsids.count; ++pg)
if (sid == cygheap->user.groups.sgsids.sids[pg] &&
sid != well_known_world_sid)
{
if (cnt < gidsetsize)
grouplist[cnt] = gr->gr_gid;
++cnt;
if (gidsetsize && cnt > gidsetsize)
goto error;
break;
}
return cnt;
}
/* If impersonated, use impersonation token. */
if (cygheap->user.issetuid ())
hToken = cygheap->user.token ();
else
hToken = hProcImpToken;
}
if (hToken)
{
if (GetTokenInformation (hToken, TokenGroups, NULL, 0, &size)
@ -450,9 +468,32 @@ getgroups (int gidsetsize, __gid16_t *grouplist)
extern "C" int
initgroups32 (const char *name, __gid32_t gid)
{
int ret;
if (wincap.has_security ())
cygheap->user.groups.clear_supp ();
syscall_printf ( "0 = initgroups (%s, %u)", name, gid);
{
ret = -1;
struct passwd *pw = internal_getpwnam (name);
struct __group32 *gr = internal_getgrgid (gid);
cygsid usersid, grpsid;
if (!usersid.getfrompw (pw) || !grpsid.getfromgr (gr))
{
set_errno (EINVAL);
goto out;
}
cygsidlist tmp_gsids (cygsidlist_auto, 12);
if (!get_server_groups (tmp_gsids, usersid, pw))
goto out;
tmp_gsids += grpsid;
cygsidlist new_gsids (cygsidlist_alloc, tmp_gsids.count);
for (int i = 0; i < tmp_gsids.count; i++)
new_gsids.sids[i] = tmp_gsids.sids[i];
new_gsids.count = tmp_gsids.count;
cygheap->user.groups.update_supp (new_gsids);
}
ret = 0;
out:
syscall_printf ( "%d = initgroups (%s, %u)", ret, name, gid);
return 0;
}

View File

@ -42,8 +42,7 @@ details. */
bool allow_ntsec;
/* allow_smbntsec is handled exclusively in path.cc (path_conv::check).
It's defined here because of it's strong relationship to allow_ntsec.
The default is TRUE to reflect the old behaviour. */
It's defined here because of it's strong relationship to allow_ntsec. */
bool allow_smbntsec;
bool allow_traverse;
@ -363,7 +362,6 @@ is_group_member (WCHAR *wgroup, PSID pusersid, cygsidlist &grp_list)
LPLOCALGROUP_MEMBERS_INFO_0 buf;
DWORD cnt, tot;
NET_API_STATUS ret;
bool retval = false;
/* Members can be users or global groups */
ret = NetLocalGroupGetMembers (NULL, wgroup, 0, (LPBYTE *) &buf,
@ -371,14 +369,17 @@ is_group_member (WCHAR *wgroup, PSID pusersid, cygsidlist &grp_list)
if (ret)
return false;
for (DWORD bidx = 0; !retval && bidx < cnt; ++bidx)
bool retval = true;
for (DWORD bidx = 0; bidx < cnt; ++bidx)
if (EqualSid (pusersid, buf[bidx].lgrmi0_sid))
retval = true;
goto done;
else
for (int glidx = 0; !retval && glidx < grp_list.count; ++glidx)
for (int glidx = 0; glidx < grp_list.count; ++glidx)
if (EqualSid (grp_list.sids[glidx], buf[bidx].lgrmi0_sid))
retval = true;
goto done;
retval = false;
done:
NetApiBufferFree (buf);
return retval;
}
@ -545,6 +546,30 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps,
}
}
bool
get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw)
{
char user[UNLEN + 1];
char domain[INTERNET_MAX_HOST_NAME_LENGTH + 1];
WCHAR wserver[INTERNET_MAX_HOST_NAME_LENGTH + 3];
char server[INTERNET_MAX_HOST_NAME_LENGTH + 3];
if (well_known_system_sid == usersid)
{
grp_list += well_known_admins_sid;
get_unix_group_sidlist (pw, grp_list);
return true;
}
grp_list += well_known_world_sid;
grp_list += well_known_authenticated_users_sid;
extract_nt_dom_user (pw, domain, user);
if (get_logon_server (domain, server, wserver))
get_user_groups (wserver, grp_list, user, domain);
get_unix_group_sidlist (pw, grp_list);
return get_user_local_groups (grp_list, usersid);
}
static bool
get_initgroups_sidlist (cygsidlist &grp_list,
PSID usersid, PSID pgrpsid, struct passwd *pw,
@ -554,26 +579,12 @@ get_initgroups_sidlist (cygsidlist &grp_list,
grp_list += well_known_world_sid;
grp_list += well_known_authenticated_users_sid;
if (well_known_system_sid == usersid)
{
auth_pos = -1;
grp_list += well_known_admins_sid;
get_unix_group_sidlist (pw, grp_list);
}
else
{
char user[UNLEN + 1];
char domain[INTERNET_MAX_HOST_NAME_LENGTH + 1];
WCHAR wserver[INTERNET_MAX_HOST_NAME_LENGTH + 3];
char server[INTERNET_MAX_HOST_NAME_LENGTH + 3];
get_token_group_sidlist (grp_list, my_grps, auth_luid, auth_pos);
extract_nt_dom_user (pw, domain, user);
if (get_logon_server (domain, server, wserver))
get_user_groups (wserver, grp_list, user, domain);
get_unix_group_sidlist (pw, grp_list);
if (!get_user_local_groups (grp_list, usersid))
if (!get_server_groups (grp_list, usersid, pw))
return false;
}
/* special_pgrp true if pgrpsid is not in normal groups */
if ((special_pgrp = !grp_list.contains (pgrpsid)))
grp_list += pgrpsid;
@ -775,8 +786,7 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
}
PTOKEN_GROUPS my_grps;
bool saw_buf[NGROUPS_MAX] = {};
bool *saw = saw_buf, sawpg = false, ret = false;
bool sawpg = false, ret = false;
if (!GetTokenInformation (token, TokenGroups, NULL, 0, &size) &&
GetLastError () != ERROR_INSUFFICIENT_BUFFER)
@ -785,16 +795,14 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
debug_printf ("alloca (my_grps) failed.");
else if (!GetTokenInformation (token, TokenGroups, my_grps, size, &size))
debug_printf ("GetTokenInformation(my_token, TokenGroups), %E");
else if (!groups.issetgroups ()) /* setgroups was never called */
ret = sid_in_token_groups (my_grps, groups.pgsid)
|| groups.pgsid == usersid;
else /* setgroups was called */
else
{
if (groups.issetgroups ()) /* setgroups was called */
{
struct __group32 *gr;
cygsid gsid;
if (groups.sgsids.count > (int) (sizeof (saw_buf) / sizeof (*saw_buf))
&& !(saw = (bool *) calloc (groups.sgsids.count, sizeof (bool))))
goto done;
struct __group32 *gr;
bool saw[groups.sgsids.count];
memset (saw, 0, sizeof(saw));
/* token groups found in /etc/group match the user.gsids ? */
for (int gidx = 0; (gr = internal_getgrent (gidx)); ++gidx)
@ -809,16 +817,17 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
&& gsid != usersid)
goto done;
}
/* user.sgsids groups must be in the token */
for (int gidx = 0; gidx < groups.sgsids.count; gidx++)
if (!saw[gidx])
if (!saw[gidx] && !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
goto done;
}
/* The primary group must be in the token */
ret = sawpg
|| groups.sgsids.contains (groups.pgsid)
|| sid_in_token_groups (my_grps, groups.pgsid)
|| groups.pgsid == usersid;
}
done:
if (saw != saw_buf)
free (saw);
return ret;
}

View File

@ -148,8 +148,7 @@ public:
BOOL add (const char *sidstr)
{ cygsid nsi (sidstr); return add (nsi); }
BOOL addfromgr (struct __group32 *gr) /* Only with alloc */
{ return sids[count].getfromgr (gr)
&& (contains (sids[count]) || ++count); }
{ return sids[count].getfromgr (gr) && ++count; }
BOOL operator+= (cygsid &si) { return add (si); }
BOOL operator+= (const char *sidstr) { return add (sidstr); }
@ -326,6 +325,8 @@ HANDLE subauth (struct passwd *pw);
HANDLE create_token (cygsid &usersid, user_groups &groups, struct passwd * pw);
/* Verify an existing token */
bool verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern = NULL);
/* Get groups of a user */
bool get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw);
/* Extract U-domain\user field from passwd entry. */
void extract_nt_dom_user (const struct passwd *pw, char *domain, char *user);