VirtualQueryEx, called by fixup_mmaps_after_fork, requires
PROCESS_QUERY_INFORMATION permissions per MSDN. However, testing
shows that PROCESS_QUERY_LIMITED_INFORMATION is sufficient when
running the same code on Windows 8.1 or Windows 10. Fix the code
to give the forked child always PROCESS_QUERY_INFORMATION perms
on Windows Vista/7 and respective server releases.
Revert now unneeded patch to check_token_membership as well.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
- Exec'ed/spawned processes don't need PROCESS_DUP_HANDLE. Remove that
permission from the parent handle.
- PROCESS_QUERY_LIMITED_INFORMATION doesn't work for Windows 7 if the
process is started as a service. Add PROCESS_QUERY_INFORMATION for
pre-Windows 8 in that case.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Starting with Windows 10, LookupAccountSid/Name return valid
info for the login session with new SID_NAME_USE value
SidTypeLogonSession. To return the same info as on pre-Windows 10,
we have to handle this type.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
First cut, still incomplete
* fhandler_socket is now base class for other socket classes
* fhandler_socket_inet handles AF_INET and AF_INET6 sockets
* fhandler_socket_local handles AF_LOCAL/AF_UNIX sockets
* finally get rid of fdsock by using set_socket_handle in accept4
* align file-related calls (fstat, fstatvfs, fchown, fchmod, facl)
to Linux.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
No real domain, no DC, no infos via NetUserGetInfo... nothing. Just nothing.
Use fixed uid 0x1000 (4096) for AzureAD user and gid 0x1001 (4097) for
AzureAD group. Note that this group is part of the user token, but it's
not the primary group. The primary group SID is, unfortunately, the
user's SID.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Bump GPLv2+ to GPLv3+ for some files, clarify BSD 2-clause.
Everything else stays under GPLv3+.
New Linking Exception exempts resulting executables from LGPLv3 section 4.
Add CONTRIBUTORS file to keep track of licensing.
Remove 'Copyright Red Hat Inc' comments.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
So far any group in the user's token could be used as primary group.
Windows doesn't check if the primary group is enabled or not, it just
has no meaning. From a POSIXy point of view it can lead to weird
results though.
* uinfo.cc (check_token_membership): New static function.
(internal_getlogin): Only allow enabled groups as primary group.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
A user token can be up to 64K in size. Using 32K buffers for TOKEN_GROUPS
may be insufficient.
* uinfo.cc (get_logon_sid): Use 64K buffers for the TOKEN_GROUPS
array.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
So far creating cygsids requires to generate an "S-1-..." string
which is then converted to a SID by cygsid::getfromstr.
Add two new methods:
- cygsid::create (DWORD auth, DWORD subauth_count, ...)
... is a variable length list of subauth_count DWORD values being
the actual subauths.
- cygsid::append (DWORD rid)
allows to append a single RID to an alreaday constituted SID.
* security.h (cygsid::create): Declare public.
(cygsid::append): Ditto.
* sec_helper.cc (cygsid::create): Implement.
(cygsid::append): Implement.
* uinfo.cc (pwdgrp::fetch_account_from_windows): Use both new
methods as appropriate. Drop setting csid from string. Create
SID strings for printing SIDs only.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
* uinfo.cc (pwdgrp::fetch_account_from_windows): Only create 1-5-32-x
SIDs from ids for x <= 999.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
* strfuncs.cc (sys_cp_wcstombs): Always return number of multibytes
without trailing NUL as the documentation implies. Throughout Cygwin,
fix usage to align to this pattern.
* fhandler_process.cc (format_process_winexename): Drop trailing NUL
and LF from output.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
* uinfo.cc (cygheap_user::ontherange): Ignore $HOME if it's not
starting with a slash (aka, absolute POSIX Path).
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
* cygheap.h (cygheap_domain_info::add_domain): Add prototype.
* uinfo.cc (cygheap_domain_info::add_domain): New method.
(pwdgrp::fetch_account_from_windows): Try to add domain explicitely
if it was not in the original list of trusted domains and go ahead
rather than bailing out. Add comment to explain why.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
case owner SID == group SID.
(getacl): Reverse order of SID test against group or owner sid to
prefer owner attributes over group attributes. Disable setting group
permissions equivalent to owner permissions if owner == group. Add
comment to explain why. Fix indentation.
* security.cc (get_attribute_from_acl): Change type of local variables
containing permission to mode_t. Apply deny mask to group if group SID
== owner SID to avoid Everyone permissions to spill over into group
permissions. Disable setting group permissions equivalent to owner
permissions if owner == group. Add comment to explain why.
* uinfo.cc (pwdgrp::fetch_account_from_windows): Allow user SID as
group account if user is a "Microsoft Account". Explain why. Drop
workaround enforcing primary group "Users" for "Microsoft Accounts".
(class cyg_ldap): Remove members srch_msg and srch_entry.
(cyg_ldap::get_string_attribute): Remove private method taking index
argument.
(cyg_ldap::get_num_attribute): Ditto. Add method taking attribute name.
(cyg_ldap::get_primary_gid): Adjust to aforementioned change.
(cyg_ldap::get_unix_uid): Ditto.
(cyg_ldap::get_unix_gid): Ditto.
* ldap.cc: Throughout, use msg and entry in place of srch_msg and
srch_entry.
(std_user_attr): Add sAMAccountName and objectSid.
(group_attr): Ditto.
(cyg_ldap::close): Drop handling of srch_msg and srch_entry.
(cyg_ldap::get_string_attribute): Move earlier in file.
(cyg_ldap::get_num_attribute): Ditto.
(cyg_ldap::enumerate_ad_accounts): Add comments for clarity.
Use group_attr or user_attr rather than sid_attr to fetch all desired
attributes for an account right away.
(cyg_ldap::next_account): Store found SID in last_fetched_sid to
skip calls to fetch_ad_account from fetch_account_from_windows.
(cyg_ldap::get_string_attribute): Remove method taking index argument.
(cyg_ldap::get_num_attribute): Ditto.
* pwdgrp.h (class pg_ent): Fix formatting. Add member dom.
* passwd.cc (pg_ent::enumerate_ad): Store current flat domain name
in dom. Construct fetch_acc_t argument from LDAP attributes and
call fetch_account_from_windows with that.
* userinfo.h (enum fetch_user_arg_type_t): Rename FULL_grp_arg to
FULL_acc_arg. Change throughout.
(struct fetch_acc_t): Rename from fetch_full_grp_t. Change throughout.
(struct fetch_user_arg_t): Rename full_grp to full_acc. Change
throughout.
* cygserver_pwdgrp.h: Include userinfo.h. Drop workaround defining
fetch_user_arg_type_t locally.
* grp.cc (internal_getgrsid_cachedonly): New function.
(internal_getgrfull): Ditto.
(internal_getgroups): Rearrange function. Center around fetching all
cached group info first, calling LsaLookupSids on all so far non-cached
groups second. Pass all available info to new internal_getgrfull call.
* pwdgrp.h: Include userinfo.h. Move definitions of
fetch_user_arg_type_t and fetch_user_arg_t there.
(pwdgrp::add_group_from_windows): Declare with getting full group info.
Called from internal_getgrfull.
* uinfo.cc (pwdgrp::add_group_from_windows): Define.
(pwdgrp::fetch_account_from_line): Add default case.
(pwdgrp::fetch_account_from_file): Ditto.
(pwdgrp::fetch_account_from_windows): Handle FULL_grp_arg.
(client_request_pwdgrp::client_request_pwdgrp): Add default case.
* userinfo.h: New header.
(enum fetch_user_arg_type_t): Add FULL_grp_arg.
(struct fetch_full_grp_t): New datatype.
declaration in ldap-related method.
(cygheap_pwdgrp::get_shell): Ditto.
(cygheap_pwdgrp::get_gecos): Ditto.
* ldap.cc (cyg_ldap::open): Use NO_ERROR instead of 0.
(cyg_ldap::close): Reset last_fetched_sid.
(cyg_ldap::fetch_ad_account): Return immediately if sid is the same as
last_fetched_sid. Open LDAP connection from here. Move initialization
of rdse after open call. Set last_fetched_sid if LDAP call was
successful.
* ldap.h (class cyg_ldap): Add member last_fetched_sid.
(cyg_ldap::cyg_ldap): Initialize last_fetched_sid.
(cyg_ldap::is_open): New inline method.
* uinfo.cc (cygheap_pwdgrp::init): Drop initialization of db_home,
db_shell and db_gecos with "cygwin desc", thus only using the fallback
by default.
(fetch_windows_home): Add parameter dnsdomain. Call
cyg_ldap::fetch_ad_account if required.
(fetch_from_path): Add parameter dnsdomain. Call fetch_windows_home
accordingly.
(cygheap_pwdgrp::get_home): Accomodate call to fetch_windows_home.
Add dnsdomain parameter in ldap-related method. Call
cyg_ldap::fetch_ad_account if required.
(cygheap_pwdgrp::get_shell): Ditto.
(cygheap_pwdgrp::get_gecos): Ditto.
(pwdgrp::fetch_account_from_windows): Drop cyg_ldap::open call prior to
cyg_ldap::fetch_ad_account call. Set is_current_user to true if we're
handling the current user account. Make sure to perform the LDAP calls
only for users, and only if required.
2014-11-17, always prepending domain to NT SERVICE accounts when
searching by name. Fix test expression to allow fully qualified
names for NT SERVICE accounts. Extend comment to explain a bit.
(cygheap_pwdgrp::get_gecos): Ditto.
* uinfo.cc (fetch_windows_home): Accept cyg_ldap and PUSER_INFO_3
arguments, and fetch db home dir values right here.
(fetch_from_path): Accept cyg_ldap, PUSER_INFO_3 pointers and sid
arguments. Add '%H' format specifier to fetch Windows home dir in
POSIX notation.
(cygheap_pwdgrp::get_home): Accommodate changes to fetch_windows_home
and fetch_from_path.
(cygheap_pwdgrp::get_shell): Ditto.
(cygheap_pwdgrp::get_gecos): Ditto.
(pwdgrp::fetch_account_from_windows): Accommodate sid argument to
cygheap_pwdgrp::get_shell and cygheap_pwdgrp::get_gecos.
home directory. Include longish comment to explain what we're doing.
(cygheap_pwdgrp::get_home): Take additional sid parameter. In
NSS_SCHEME_WINDOWS case, call fetch_windows_home to create home
directory.
(pwdgrp::fetch_account_from_windows): Call cygheap_pwdgrp::get_home
with additional sid argument.
* cygheap.h (cygheap_pwdgrp::get_home): Align declaration to above
change.
(LoadUserProfileW): Import.
* registry.cc (get_registry_hive_path): Move to sec_auth.cc.
(load_registry_hive): Remove.
* registry.h (get_registry_hive_path): Drop declaration.
(load_registry_hive): Ditto.
* sec_auth.cc (get_user_profile_directory): Moved from registry.cc and
renamed. Take third parameter with buffer length.
(load_user_profile): New function taking over for load_registry_hive.
Use official functions to load profile. If profile is missing, create
it on Vista and later.
* security.h (get_user_profile_directory): Declare.
(load_user_profile): Declare.
* syscalls.cc (seteuid32): Replace call to load_registry_hive with call
to load_user_profile.
* uinfo.cc (cygheap_user::env_userprofile): Replace call to
get_registry_hive_path with call to get_user_profile_directory.
initialize mount table in two steps, system and user, depending on
bool value.
* mount.h (class mount_info): Align declaration of init function to
above change.
* shared.cc (user_info::initialize): Initialize mount table in two
steps to allow internal_getpwsid to create valid POSIX paths from
DOS paths given in AD. Add comments.
* uinfo.cc (cygheap_pwdgrp::get_home): Allow DOS paths in
NSS_SCHEME_FREEATTR attributes.
(cygheap_pwdgrp::get_shell): Ditto.
(install-ldif): New target to install cygwin.ldif.
* cygheap.h (class cygheap_pwdgrp): Rename pfx_t to nss_pfx_t. Add
PFX to enum value. Add nss_scheme_method enum and nss_scheme_t
structure. Add home_scheme, shell_scheme and gecos_scheme members.
(NSS_SCHEME_MAX): Define.
(cygheap_pwdgrp::get_home): Declare.
(cygheap_pwdgrp::get_shell): Declare.
(cygheap_pwdgrp::get_gecos): Declare.
* cygwin.ldif: New file.
* ldap.cc (std_user_attr): New array, just defining the standard
attributes.
(group_attr): Add cygwinUnixGid.
(user_attr): Convert to macro pointing to cygheap->pg.ldap_user_attr.
(cygheap_pwdgrp::init_ldap_user_attr): New method.
(cyg_ldap::fetch_ad_account): Call cygheap_pwdgrp::init_ldap_user_attr
if user_attr initialization is required. Fix comment.
(cyg_ldap::get_string_attribute): Implement taking attribute name
as argument.
* ldap.h: Drop unused macros.
(cyg_ldap::get_gecos): Remove.
(cyg_ldap::get_home): Remove.
(cyg_ldap::get_shell): Remove.
(cyg_ldap::get_string_attribute): Declare name argument variant public.
* uinfo.cc (cygheap_user::ontherange): Fix indentation.
(cygheap_pwdgrp::init): Initialize new home_scheme, shell_scheme and
gecos_scheme members. Align comment.
(NSS_NCMP): Define comparison macro.
(NSS_CMP): Ditto.
(cygheap_pwdgrp::nss_init_line): Use aforementioned macros throughout.
Fix comment handling. Add db_home, db_shell and db_gecos handling.
(fetch_from_description): New function to fetch XML-style attributes
from (description) string.
(fetch_from_path): New function to evaluate path string with wildcards.
(cygheap_pwdgrp::get_home): New methods to fetch pw_dir value.
(cygheap_pwdgrp::get_shell): Ditto for pw_shell.
(cygheap_pwdgrp::get_gecos): Ditto for pw_gecos.
(colon_to_semicolon): Move up.
(pwdgrp::fetch_account_from_windows): Convert home, shell, gecos
variables to char*. Drop statement breaking extended group info.
Fetch home, shell and gecos values using new methods. Use
fetch_from_description calls to fetch UNIX id and primary groups from
SAM comment field. Accommodate uxid being a char* now. Accommodate
the fact that extended info is malloc'ed, rather then alloca'ed.
Create linebuf content as multibyte string. Create line buffer by
just calling cstrdup.
NT SERVICE accounts by name. Always prepend domain to NT SERVICE
accounts. Add U-domain\username string to pw_gecos for predefined
builtin accounts as well.
(init_cygheap::init_installation_root): Set installation_dir_len.
(setup_cygheap): Drop call to set_dll_dir.
* cygheap.h (struct init_cygheap): Add installation_dir_len member.
(init_cygheap::set_dll_dir): Remove.
* environ.cc (win_env::add_cache): Use stpcpy for speed.
(posify_maybe): Use tmp_pathbuf buffer instead of stack.
(raise_envblock): New function to resize Windows environment block.
(build_env): Fix indentation. Call raise_envblock function. Check if
$PATH exists and is non-empty. If not, add PATH variable with Cygwin
installation directory as content to Windows environment. Explain why.
* uinfo.cc (cygheap_pwdgrp::_nss_init): Fill UNICODE_STRING members
on the fly. Drop call to RtlInitUnicodeString.
(pwdgrp::check_file): Ditto.