Cygwin: uinfo: don't special case current user
fetch_account_from_windows shortcuts the current user in that
it takes the user's domain SID and just adds the matching RID
from the token's primary group to create a group SID.
How wrong this is can be reproduced very simply:
Assume you run a native process, like cmd, with its primary group
set to the Administrators builtin group, and run Cygwin's id(1) as a
child process. id(1) will print a non-existent group as the primary
group and also add it to the group list.
This can only be avoided by not special casing the current user
and thus not creating a group SID from partial information.
Fixes: 6cc7c925ce
("(pwdgrp::fetch_account_from_windows): Default primary group for the
current user to primary group from user token.")
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
parent
dc7b67316d
commit
a5bcfe616c
|
@ -1855,7 +1855,6 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
|
||||||
gid_t gid = ILLEGAL_GID;
|
gid_t gid = ILLEGAL_GID;
|
||||||
bool is_domain_account = true;
|
bool is_domain_account = true;
|
||||||
PCWSTR domain = NULL;
|
PCWSTR domain = NULL;
|
||||||
bool is_current_user = false;
|
|
||||||
char *shell = NULL;
|
char *shell = NULL;
|
||||||
char *home = NULL;
|
char *home = NULL;
|
||||||
char *gecos = NULL;
|
char *gecos = NULL;
|
||||||
|
@ -2314,18 +2313,9 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
|
||||||
uid = posix_offset + sid_sub_auth_rid (sid);
|
uid = posix_offset + sid_sub_auth_rid (sid);
|
||||||
if (!is_group () && acc_type == SidTypeUser)
|
if (!is_group () && acc_type == SidTypeUser)
|
||||||
{
|
{
|
||||||
/* Default primary group. If the sid is the current user, fetch
|
/* Default primary group. Make the educated guess that the user
|
||||||
the default group from the current user token, otherwise make
|
is in group "Domain Users" or "None". */
|
||||||
the educated guess that the user is in group "Domain Users"
|
gid = posix_offset + DOMAIN_GROUP_RID_USERS;
|
||||||
or "None". */
|
|
||||||
if (sid == cygheap->user.sid ())
|
|
||||||
{
|
|
||||||
is_current_user = true;
|
|
||||||
gid = posix_offset
|
|
||||||
+ sid_sub_auth_rid (cygheap->user.groups.pgsid);
|
|
||||||
}
|
|
||||||
else
|
|
||||||
gid = posix_offset + DOMAIN_GROUP_RID_USERS;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (is_domain_account)
|
if (is_domain_account)
|
||||||
|
@ -2336,11 +2326,9 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
|
||||||
/* On AD machines, use LDAP to fetch domain account infos. */
|
/* On AD machines, use LDAP to fetch domain account infos. */
|
||||||
if (cygheap->dom.primary_dns_name ())
|
if (cygheap->dom.primary_dns_name ())
|
||||||
{
|
{
|
||||||
/* For the current user we got correctly cased username and
|
/* Fetch primary group from AD and overwrite the one we
|
||||||
the primary group via process token. For any other user
|
just guessed above. */
|
||||||
we fetch it from AD and overwrite it. */
|
if (cldap->fetch_ad_account (sid, false, domain))
|
||||||
if (!is_current_user
|
|
||||||
&& cldap->fetch_ad_account (sid, false, domain))
|
|
||||||
{
|
{
|
||||||
if ((val = cldap->get_account_name ()))
|
if ((val = cldap->get_account_name ()))
|
||||||
wcscpy (name, val);
|
wcscpy (name, val);
|
||||||
|
|
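Review bot: With the `is_current_user` shortcut removed, the current user's primary group is now the `posix_offset + DOMAIN_GROUP_RID_USERS` guess unless something later replaces it, and in the lines visible here the only replacement is the `cldap->fetch_ad_account (sid, false, domain)` branch. If that call fails (for example because the domain controller is unreachable) or the machine is not an AD member, the reported gid may differ from the primary group in the process token, which matters wherever this entry feeds ownership or access decisions; whether code outside the hunks covers that case is not visible here. The new comment should state the limitation, e.g. `/* Only a guess; for the current user it can differ from the token's primary group if no later lookup overwrites it. */`. The body of `fetch_account_from_windows` starts and ends outside the hunks shown.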