+2002-11-20 Pierre Humblet <pierre.humblet@ieee.org>
+
+ * security.h: Declare internal_getpwsid and internal_getgrsid.
+ Undeclare internal_getpwent. Define DEFAULT_UID_NT. Change
+ DEFAULT_GID.
+ * passwd.cc (internal_getpwsid): New function.
+ (internal_getpwent): Suppress.
+ (read_etc_passwd): Make static. Rewrite the code for the completion
+ line. Set curr_lines to 0.
+ (parse_pwd): Change type to static int. Return 0 for short lines.
+ (add_pwd_line): Pay attention to the value of parse_pwd.
+ (search_for): Do not look for nor return the DEFAULT_UID.
+ * grp.cc (read_etc_group): Make static. Free gr_mem and set
+ curr_lines to 0. Always call add_pwd_line. Rewrite the code for the
+ completion line.
+ (internal_getgrsid): New function.
+ (parse_grp): If grp.gr_mem is empty, set it to &null_ptr.
+ Never NULL gr_passwd.
+ (getgrgid32): Only return the default if ntsec is off and the gid is
+ ILLEGAL_GID.
+ * sec_helper.cc (cygsid::get_id): Use getpwsid and getgrsid.
+ (cygsid_getfrompw): Clean up last line.
+ (cygsid_getfromgr): Ditto.
+ (is_grp_member): Use getpwuid32 and getgrgid32.
+ * uinfo.cc (internal_getlogin): Set DEFAULT_GID at start.
+ Use getpwsid. Move the read of /etc/group after the second access
+ to /etc/passwd. Change some debug_printf.
+
2002-11-20 Steven O'Brien <steven.obrien2@ntlworld.com>
* poll.cc (poll): ...but set POLLIN instead.
on the first call that needs information from it. */
static struct __group32 *group_buf; /* group contents in memory */
-static int curr_lines;
+static int curr_lines = -1;
static int max_lines;
/* Position in the group cache */
#endif
static pwdgrp_check group_state;
+static char * NO_COPY null_ptr = NULL;
static int
parse_grp (struct __group32 &grp, char *line)
if (dp)
{
*dp++ = '\0';
- if (!strlen (grp.gr_passwd))
- grp.gr_passwd = NULL;
-
grp.gr_gid = strtol (dp, NULL, 10);
dp = strchr (dp, ':');
if (dp)
{
+ grp.gr_mem = &null_ptr;
if (*++dp)
{
int i = 0;
}
namearray[i++] = dp;
namearray[i] = NULL;
+ grp.gr_mem = namearray;
}
- grp.gr_mem = namearray;
}
- else
- grp.gr_mem = (char **) calloc (1, sizeof (char *));
return 1;
}
}
/* Read in /etc/group and save contents in the group cache */
/* This sets group_in_memory_p to 1 so functions in this file can
tell that /etc/group has been read in */
-/* FIXME: should be static but this is called in uinfo_init outside this
- file */
-void
+static void
read_etc_group ()
{
static pwdgrp_read gr;
if (group_state != initializing)
{
group_state = initializing;
+ for (int i = 0; i < curr_lines; i++)
+ if ((group_buf + i)->gr_mem != &null_ptr)
+ free ((group_buf + i)->gr_mem);
+
+ curr_lines = 0;
if (gr.open ("/etc/group"))
{
char *line;
while ((line = gr.gets ()) != NULL)
- if (strlen (line))
- add_grp_line (line);
+ add_grp_line (line);
group_state.set_last_modified (gr.get_fhandle (), gr.get_fname ());
- group_state = loaded;
gr.close ();
debug_printf ("Read /etc/group, %d lines", curr_lines);
}
- else /* /etc/group doesn't exist -- create default one in memory */
- {
- char group_name [UNLEN + 1];
- DWORD group_name_len = UNLEN + 1;
- char domain_name [INTERNET_MAX_HOST_NAME_LENGTH + 1];
- DWORD domain_name_len = INTERNET_MAX_HOST_NAME_LENGTH + 1;
- SID_NAME_USE acType;
+
+ /* Complete /etc/group in memory if needed */
+ if (!getgrgid32 (myself->gid))
+ {
static char linebuf [200];
+ char group_name [UNLEN + 1] = "unknown";
+ char strbuf[128] = "";
if (wincap.has_security ())
- {
- HANDLE ptok;
- cygsid tg;
- DWORD siz;
+ {
+ struct __group32 *gr;
- if (OpenProcessToken (hMainProc, TOKEN_QUERY, &ptok))
- {
- if (GetTokenInformation (ptok, TokenPrimaryGroup, &tg,
- sizeof tg, &siz)
- && LookupAccountSidA (NULL, tg, group_name,
- &group_name_len, domain_name,
- &domain_name_len, &acType))
- {
- char strbuf[100];
- snprintf (linebuf, sizeof (linebuf), "%s:%s:%lu:",
- group_name,
- tg.string (strbuf),
- *GetSidSubAuthority (tg,
- *GetSidSubAuthorityCount (tg) - 1));
- debug_printf ("Emulating /etc/group: %s", linebuf);
- add_grp_line (linebuf);
- group_state = emulated;
- }
- CloseHandle (ptok);
- }
- }
- if (group_state != emulated)
- {
- strncpy (group_name, "Administrators", sizeof (group_name));
- if (!LookupAccountSidA (NULL, well_known_admins_sid, group_name,
- &group_name_len, domain_name,
- &domain_name_len, &acType))
- {
- strcpy (group_name, "unknown");
- debug_printf ("Failed to get local admins group name. %E");
- }
- snprintf (linebuf, sizeof (linebuf), "%s::%u:", group_name,
- (unsigned) DEFAULT_GID);
- debug_printf ("Emulating /etc/group: %s", linebuf);
- add_grp_line (linebuf);
- group_state = emulated;
+ cygheap->user.groups.pgsid.string (strbuf);
+ if ((gr = internal_getgrsid (cygheap->user.groups.pgsid)))
+ strlcpy (group_name, gr->gr_name, sizeof (group_name));
}
+ snprintf (linebuf, sizeof (linebuf), "%s:%s:%lu:%s",
+ group_name, strbuf, myself->gid, cygheap->user.name ());
+ debug_printf ("Completing /etc/group: %s", linebuf);
+ add_grp_line (linebuf);
}
+ group_state = loaded;
}
-
return;
}
+struct __group32 *
+internal_getgrsid (cygsid &sid)
+{
+ char sid_string[128];
+
+ if (curr_lines < 0 && group_state <= initializing)
+ read_etc_group ();
+
+ if (sid.string (sid_string))
+ for (int i = 0; i < curr_lines; i++)
+ if (!strcmp (sid_string, (group_buf + i)->gr_passwd))
+ return group_buf + i;
+ return NULL;
+}
+
static
struct __group16 *
grp32togrp16 (struct __group16 *gp16, struct __group32 *gp32)
for (int i = 0; i < curr_lines; i++)
{
- if (group_buf[i].gr_gid == DEFAULT_GID)
+ if (group_buf[i].gr_gid == myself->gid)
default_grp = group_buf + i;
if (group_buf[i].gr_gid == gid)
return group_buf + i;
}
-
- return allow_ntsec ? NULL : default_grp;
+ return allow_ntsec || gid != ILLEGAL_GID ? NULL : default_grp;
}
extern "C" struct __group16 *
for (int gidy = 0; gidy < gidx; gidy++)
if (grouplist[gidy] == grouplist[gidx])
goto found; /* Duplicate */
- for (int gidy = 0; (gr = internal_getgrent (gidy)); ++gidy)
- if (gr->gr_gid == (__gid32_t) grouplist[gidx])
- {
- if (gsids.addfromgr (gr))
- goto found;
- break;
- }
+ if ((gr = getgrgid32 (grouplist[gidx])) &&
+ gsids.addfromgr (gr))
+ goto found;
debug_printf ("No sid found for gid %d", grouplist[gidx]);
gsids.free_sids ();
set_errno (EINVAL);
on the first call that needs information from it. */
static struct passwd *passwd_buf; /* passwd contents in memory */
-static int curr_lines;
+static int curr_lines = -1;
static int max_lines;
static pwdgrp_check passwd_state;
}
/* Parse /etc/passwd line into passwd structure. */
-void
+static int
parse_pwd (struct passwd &res, char *buf)
{
/* Allocate enough room for the passwd struct and all the strings
size_t len = strlen (buf);
if (buf[--len] == '\r')
buf[len] = '\0';
+ if (len < 6)
+ return 0;
res.pw_name = grab_string (&buf);
res.pw_passwd = grab_string (&buf);
res.pw_gecos = grab_string (&buf);
res.pw_dir = grab_string (&buf);
res.pw_shell = grab_string (&buf);
+ return 1;
}
/* Add one line from /etc/passwd into the password cache */
max_lines += 10;
passwd_buf = (struct passwd *) realloc (passwd_buf, max_lines * sizeof (struct passwd));
}
- parse_pwd (passwd_buf[curr_lines++], line);
+ if (parse_pwd (passwd_buf[curr_lines], line))
+ curr_lines++;
}
class passwd_lock
pthread_mutex_t NO_COPY passwd_lock::mutex = (pthread_mutex_t) PTHREAD_MUTEX_INITIALIZER;
+/* Cygwin internal */
+/* If this ever becomes non-reentrant, update all the getpw*_r functions */
+static struct passwd *
+search_for (__uid32_t uid, const char *name)
+{
+ struct passwd *res = 0;
+
+ for (int i = 0; i < curr_lines; i++)
+ {
+ res = passwd_buf + i;
+ /* on Windows NT user names are case-insensitive */
+ if (name)
+ {
+ if (strcasematch (name, res->pw_name))
+ return res;
+ }
+ else if (uid == (__uid32_t) res->pw_uid)
+ return res;
+ }
+ return NULL;
+}
+
/* Read in /etc/passwd and save contents in the password cache.
This sets passwd_state to loaded or emulated so functions in this file can
tell that /etc/passwd has been read in or will be emulated. */
-void
+static void
read_etc_passwd ()
{
static pwdgrp_read pr;
if (passwd_state != initializing)
{
passwd_state = initializing;
+ curr_lines = 0;
if (pr.open ("/etc/passwd"))
{
char *line;
while ((line = pr.gets ()) != NULL)
- if (strlen (line))
- add_pwd_line (line);
+ add_pwd_line (line);
passwd_state.set_last_modified (pr.get_fhandle (), pr.get_fname ());
- passwd_state = loaded;
pr.close ();
debug_printf ("Read /etc/passwd, %d lines", curr_lines);
}
- else
+
+ static char linebuf[1024];
+ char strbuf[128] = "";
+ BOOL searchentry = TRUE;
+ __uid32_t default_uid = DEFAULT_UID;
+ struct passwd *pw;
+
+ if (wincap.has_security ())
{
- static char linebuf[1024];
-
- if (wincap.has_security ())
- {
- HANDLE ptok;
- cygsid tu, tg;
- DWORD siz;
-
- if (OpenProcessToken (hMainProc, TOKEN_QUERY, &ptok))
- {
- if (GetTokenInformation (ptok, TokenUser, &tu, sizeof tu,
- &siz)
- && GetTokenInformation (ptok, TokenPrimaryGroup, &tg,
- sizeof tg, &siz))
- {
- char strbuf[100];
- snprintf (linebuf, sizeof (linebuf),
- "%s::%lu:%lu:%s:%s:/bin/sh",
- cygheap->user.name (),
- *GetSidSubAuthority (tu,
- *GetSidSubAuthorityCount(tu) - 1),
- *GetSidSubAuthority (tg,
- *GetSidSubAuthorityCount(tg) - 1),
- tu.string (strbuf), getenv ("HOME") ?: "/");
- debug_printf ("Emulating /etc/passwd: %s", linebuf);
- add_pwd_line (linebuf);
- passwd_state = emulated;
- }
- CloseHandle (ptok);
- }
- }
- if (passwd_state != emulated)
- {
- snprintf (linebuf, sizeof (linebuf), "%s::%u:%u::%s:/bin/sh",
- cygheap->user.name (), (unsigned) DEFAULT_UID,
- (unsigned) DEFAULT_GID, getenv ("HOME") ?: "/");
- debug_printf ("Emulating /etc/passwd: %s", linebuf);
- add_pwd_line (linebuf);
- passwd_state = emulated;
- }
+ cygsid tu = cygheap->user.sid ();
+ tu.string (strbuf);
+ if (myself->uid == ILLEGAL_UID
+ && (searchentry = !internal_getpwsid (tu)))
+ default_uid = DEFAULT_UID_NT;
}
-
+ if (searchentry &&
+ (!(pw = search_for (0, cygheap->user.name ())) ||
+ (myself->uid != ILLEGAL_UID &&
+ myself->uid != (__uid32_t) pw->pw_uid &&
+ !search_for (myself->uid, NULL))))
+ {
+ snprintf (linebuf, sizeof (linebuf), "%s:*:%lu:%lu:,%s:%s:/bin/sh",
+ cygheap->user.name (),
+ myself->uid == ILLEGAL_UID ? default_uid : myself->uid,
+ myself->gid,
+ strbuf, getenv ("HOME") ?: "/");
+ debug_printf ("Completing /etc/passwd: %s", linebuf);
+ add_pwd_line (linebuf);
+ }
+ passwd_state = loaded;
}
-
return;
}
-/* Cygwin internal */
-/* If this ever becomes non-reentrant, update all the getpw*_r functions */
-static struct passwd *
-search_for (__uid32_t uid, const char *name)
+struct passwd *
+internal_getpwsid (cygsid &sid)
{
- struct passwd *res = 0;
- struct passwd *default_pw = 0;
+ struct passwd *pw;
+ char *ptr1, *ptr2, *endptr;
+ char sid_string[128] = {0,','};
- for (int i = 0; i < curr_lines; i++)
+ if (curr_lines < 0 && passwd_state <= initializing)
+ read_etc_passwd ();
+
+ if (sid.string (sid_string + 2))
{
- res = passwd_buf + i;
- if (res->pw_uid == DEFAULT_UID)
- default_pw = res;
- /* on Windows NT user names are case-insensitive */
- if (name)
- {
- if (strcasematch (name, res->pw_name))
- return res;
- }
- else if (uid == (__uid32_t) res->pw_uid)
- return res;
+ endptr = strchr (sid_string + 2, 0) - 1;
+ for (int i = 0; i < curr_lines; i++)
+ if ((pw = passwd_buf + i)->pw_dir > pw->pw_gecos + 8)
+ for (ptr1 = endptr, ptr2 = pw->pw_dir - 2;
+ *ptr1 == *ptr2; ptr2--)
+ if (!*--ptr1)
+ return pw;
}
-
- /* Return default passwd entry if passwd is emulated or it's a
- request for the current user. */
- if (passwd_state != loaded
- || (!name && uid == myself->uid)
- || (name && strcasematch (name, cygheap->user.name ())))
- return default_pw;
-
return NULL;
}
return 0;
}
+#if 0 /* Unused */
/* Internal function. ONLY USE THIS INTERNALLY, NEVER `getpwent'!!! */
struct passwd *
internal_getpwent (int pos)
return passwd_buf + pos;
return NULL;
}
+#endif
extern "C" char *
getpass (const char * prompt)
cygsid::getfrompw (const struct passwd *pw)
{
char *sp = (pw && pw->pw_gecos) ? strrchr (pw->pw_gecos, ',') : NULL;
- return (*this = sp ? sp + 1 : "") != NULL;
+ return (*this = sp ? sp + 1 : sp) != NULL;
}
BOOL
cygsid::getfromgr (const struct __group32 *gr)
{
char *sp = (gr && gr->gr_passwd) ? gr->gr_passwd : NULL;
- return (*this = sp ?: "") != NULL;
+ return (*this = sp) != NULL;
}
__uid32_t
cygsid::get_id (BOOL search_grp, int *type)
{
/* First try to get SID from passwd or group entry */
- cygsid sid;
__uid32_t id = ILLEGAL_UID;
if (!search_grp)
struct passwd *pw;
if (*this == cygheap->user.sid ())
id = myself->uid;
- else
- for (int pidx = 0; (pw = internal_getpwent (pidx)); ++pidx)
- {
- if (sid.getfrompw (pw) && sid == psid)
- {
- id = pw->pw_uid;
- break;
- }
- }
+ else if ((pw = internal_getpwsid (*this)))
+ id = pw->pw_uid;
if (id != ILLEGAL_UID)
{
if (type)
*type = USER;
return id;
- }
+ }
}
if (search_grp || type)
{
struct __group32 *gr;
if (cygheap->user.groups.pgsid == psid)
id = myself->gid;
- else
- for (int gidx = 0; (gr = internal_getgrent (gidx)); ++gidx)
- {
- if (sid.getfromgr (gr) && sid == psid)
- {
- id = gr->gr_gid;
- break;
- }
- }
- if (id != ILLEGAL_UID)
- {
- if (type)
- *type = GROUP;
- }
- }
+ else if ((gr = internal_getgrsid (*this)))
+ id = gr->gr_gid;
+ if (id != ILLEGAL_UID && type)
+ *type = GROUP;
+ }
return id;
}
}
/* Otherwise try getting info from examining passwd and group files. */
- for (int idx = 0; (pw = internal_getpwent (idx)); ++idx)
- if ((__uid32_t) pw->pw_uid == uid)
- {
- /* If gid == primary group of uid, return immediately. */
- if ((__gid32_t) pw->pw_gid == gid)
- return TRUE;
- /* Otherwise search for supplementary user list of this group. */
- for (idx = 0; (gr = internal_getgrent (idx)); ++idx)
- if ((__gid32_t) gr->gr_gid == gid)
- {
- if (gr->gr_mem)
- for (idx = 0; gr->gr_mem[idx]; ++idx)
- if (strcasematch (cygheap->user.name (), gr->gr_mem[idx]))
- return TRUE;
- return FALSE;
- }
- return FALSE;
- }
+ if ((pw = getpwuid32 (uid)))
+ {
+ /* If gid == primary group of uid, return immediately. */
+ if ((__gid32_t) pw->pw_gid == gid)
+ return TRUE;
+ /* Otherwise search for supplementary user list of this group. */
+ if ((gr = getgrgid32 (gid)) && gr->gr_mem)
+ for (idx = 0; gr->gr_mem[idx]; ++idx)
+ if (strcasematch (cygheap->user.name (), gr->gr_mem[idx]))
+ return TRUE;
+ }
return FALSE;
}
#include <accctrl.h>
#define DEFAULT_UID DOMAIN_USER_RID_ADMIN
-#define DEFAULT_GID DOMAIN_ALIAS_RID_ADMINS
+#define DEFAULT_UID_NT 400 /* Non conflicting number */
+#define DEFAULT_GID 401
#define MAX_SID_LEN 40
#define MAX_DACL_LEN(n) (sizeof (ACL) \
extern BOOL allow_ntsec;
extern BOOL allow_smbntsec;
-/* These both functions are needed to allow walking through the passwd
+/* These functions are needed to allow walking through the passwd
and group lists so they are somehow security related. Besides that
I didn't find a better place to declare them. */
-extern struct passwd *internal_getpwent (int);
extern struct __group32 *internal_getgrent (int);
+extern struct passwd *internal_getpwsid (cygsid &);
+extern struct __group32 *internal_getgrsid (cygsid &);
/* File manipulation */
int __stdcall set_process_privileges ();
internal_getlogin (cygheap_user &user)
{
struct passwd *pw = NULL;
+ HANDLE ptok = INVALID_HANDLE_VALUE;
+ myself->gid = DEFAULT_GID;
if (wincap.has_security ())
{
- HANDLE ptok = INVALID_HANDLE_VALUE;
DWORD siz;
cygsid tu;
DWORD ret = 0;
If we have a SID, try to get the corresponding Cygwin
password entry. Set user name which can be different
from the Windows user name */
- if (ret)
- {
- cygsid gsid (NO_SID);
- cygsid psid;
-
- for (int pidx = 0; (pw = internal_getpwent (pidx)); ++pidx)
- if (psid.getfrompw (pw) && EqualSid (user.sid (), psid))
- {
- user.set_name (pw->pw_name);
- struct __group32 *gr = getgrgid32 (pw->pw_gid);
- if (gr)
- if (!gsid.getfromgr (gr))
- gsid = NO_SID;
- break;
- }
-
- /* Set token owner to the same value as token user and
- primary group to the group in /etc/passwd. */
+ if (ret)
+ {
+ if ((pw = internal_getpwsid (tu)))
+ user.set_name (pw->pw_name);
+ /* Set token owner to the same value as token user */
if (!SetTokenInformation (ptok, TokenOwner, &tu, sizeof tu))
debug_printf ("SetTokenInformation(TokenOwner): %E");
- if (gsid)
- {
- user.groups.pgsid = gsid;
- if (!SetTokenInformation (ptok, TokenPrimaryGroup,
- &gsid, sizeof gsid))
- debug_printf ("SetTokenInformation(TokenPrimaryGroup): %E");
- }
}
- if (ptok != INVALID_HANDLE_VALUE)
- CloseHandle (ptok);
}
- if (!pw)
- pw = getpwnam (user.name ());
-
- if (pw)
+ if (!pw && !(pw = getpwnam (user.name ())))
+ debug_printf("user name not found in augmented /etc/passwd");
+ else
{
myself->uid = pw->pw_uid;
myself->gid = pw->pw_gid;
+ if (wincap.has_security ())
+ {
+ cygsid gsid;
+ if (gsid.getfromgr (getgrgid32 (pw->pw_gid)))
+ {
+ /* Set primary group to the group in /etc/passwd. */
+ user.groups.pgsid = gsid;
+ if (!SetTokenInformation (ptok, TokenPrimaryGroup,
+ &gsid, sizeof gsid))
+ debug_printf ("SetTokenInformation(TokenPrimaryGroup): %E");
+ }
+ else
+ debug_printf ("gsid not found in augmented /etc/group");
+ }
}
- else
- {
- myself->uid = DEFAULT_UID;
- myself->gid = DEFAULT_GID;
- }
-
+ if (ptok != INVALID_HANDLE_VALUE)
+ CloseHandle (ptok);
(void) cygheap->user.ontherange (CH_HOME, pw);
return;
OSDN Git Service
