Cygwin: seteuid: work with password-less user switch as well
The previous patch failed with password-less auth because in that case the return code from get_server_groups wasn't tested. Fix that. Also make sure that get_server_groups does not check if the account is disabled or locked out when just fetching the group list for initgroups or getgrouplist. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
This commit is contained in:
parent
2c12a2c32a
commit
02373d8bec
@ -738,7 +738,7 @@ get_groups (const char *user, gid_t gid, cygsidlist &gsids)
|
||||
struct group *grp = internal_getgrgid (gid, &cldap);
|
||||
cygsid usersid, grpsid;
|
||||
if (usersid.getfrompw (pw))
|
||||
get_server_groups (gsids, usersid);
|
||||
get_server_groups (gsids, usersid, NO_CHK_DISABLED);
|
||||
if (gid != ILLEGAL_GID && grpsid.getfromgr (grp))
|
||||
gsids += grpsid;
|
||||
cygheap->user.reimpersonate ();
|
||||
|
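Review bot: The return value of `get_server_groups (gsids, usersid, NO_CHK_DISABLED);` is discarded, so if the call fails for any reason other than the now-skipped disabled/locked-out check, get_groups goes on with a possibly partial gsids and the caller has no way to tell. Within this diff the only visible `return false` is the EACCES path that NO_CHK_DISABLED bypasses, but the rest of get_server_groups is not in view, so other failure paths cannot be ruled out from here. If ignoring the result is deliberate (a partial list is still preferable to none for getgrouplist), say so at the call site: `/* Result intentionally ignored: with NO_CHK_DISABLED the lockout check is skipped and a partial list is still useful to getgrouplist. */`. get_groups begins before the hunk.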
@ -523,7 +523,8 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps)
|
||||
}
|
||||
|
||||
bool
|
||||
get_server_groups (cygsidlist &grp_list, PSID usersid)
|
||||
get_server_groups (cygsidlist &grp_list, PSID usersid,
|
||||
acct_disabled_chk_t check_account_disabled)
|
||||
{
|
||||
WCHAR user[UNLEN + 1];
|
||||
WCHAR domain[MAX_DOMAIN_NAME_LEN + 1];
|
||||
@ -552,6 +553,8 @@ get_server_groups (cygsidlist &grp_list, PSID usersid)
|
||||
if (sid_id_auth (usersid) == 5 /* SECURITY_NT_AUTHORITY */
|
||||
&& sid_sub_auth (usersid, 0) == SECURITY_NT_NON_UNIQUE
|
||||
&& get_logon_server (domain, server, DS_IS_FLAT_NAME))
|
||||
{
|
||||
if (check_account_disabled == CHK_DISABLED)
|
||||
{
|
||||
NET_API_STATUS napi_stat;
|
||||
USER_INFO_1 *ui1;
|
||||
@ -568,6 +571,7 @@ get_server_groups (cygsidlist &grp_list, PSID usersid)
|
||||
set_errno (EACCES);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
get_user_groups (server, grp_list, user, domain);
|
||||
get_user_local_groups (server, domain, grp_list, user);
|
||||
}
|
||||
@ -582,7 +586,7 @@ get_initgroups_sidlist (cygsidlist &grp_list, PSID usersid, PSID pgrpsid,
|
||||
grp_list *= well_known_authenticated_users_sid;
|
||||
if (well_known_system_sid != usersid)
|
||||
get_token_group_sidlist (grp_list, my_grps);
|
||||
if (!get_server_groups (grp_list, usersid))
|
||||
if (!get_server_groups (grp_list, usersid, CHK_DISABLED))
|
||||
return false;
|
||||
|
||||
/* special_pgrp true if pgrpsid is not in normal groups */
|
||||
@ -590,17 +594,19 @@ get_initgroups_sidlist (cygsidlist &grp_list, PSID usersid, PSID pgrpsid,
|
||||
return true;
|
||||
}
|
||||
|
||||
static void
|
||||
static bool
|
||||
get_setgroups_sidlist (cygsidlist &tmp_list, PSID usersid,
|
||||
PTOKEN_GROUPS my_grps, user_groups &groups)
|
||||
{
|
||||
tmp_list *= well_known_world_sid;
|
||||
tmp_list *= well_known_authenticated_users_sid;
|
||||
get_token_group_sidlist (tmp_list, my_grps);
|
||||
get_server_groups (tmp_list, usersid);
|
||||
if (!get_server_groups (tmp_list, usersid, CHK_DISABLED))
|
||||
return false;
|
||||
for (int gidx = 0; gidx < groups.sgsids.count (); gidx++)
|
||||
tmp_list += groups.sgsids.sids[gidx];
|
||||
tmp_list += groups.pgsid;
|
||||
return true;
|
||||
}
|
||||
|
||||
/* Fixed size TOKEN_PRIVILEGES list to reflect privileges given to the
|
||||
@ -953,7 +959,10 @@ create_token (cygsid &usersid, user_groups &new_groups)
|
||||
|
||||
/* Create list of groups, the user is member in. */
|
||||
if (new_groups.issetgroups ())
|
||||
get_setgroups_sidlist (tmp_gsids, usersid, my_tok_gsids, new_groups);
|
||||
{
|
||||
if (!get_setgroups_sidlist (tmp_gsids, usersid, my_tok_gsids, new_groups))
|
||||
goto out;
|
||||
}
|
||||
else if (!get_initgroups_sidlist (tmp_gsids, usersid, new_groups.pgsid,
|
||||
my_tok_gsids))
|
||||
goto out;
|
||||
@ -1089,7 +1098,10 @@ lsaauth (cygsid &usersid, user_groups &new_groups)
|
||||
|
||||
/* Create list of groups, the user is member in. */
|
||||
if (new_groups.issetgroups ())
|
||||
get_setgroups_sidlist (tmp_gsids, usersid, NULL, new_groups);
|
||||
{
|
||||
if (!get_setgroups_sidlist (tmp_gsids, usersid, NULL, new_groups))
|
||||
goto out;
|
||||
}
|
||||
else if (!get_initgroups_sidlist (tmp_gsids, usersid, new_groups.pgsid,
|
||||
NULL))
|
||||
goto out;
|
||||
|
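Review bot: In get_server_groups the disabled/locked-out check guarded by `if (check_account_disabled == CHK_DISABLED)` only runs inside the branch that also requires `get_logon_server (domain, server, DS_IS_FLAT_NAME)` to succeed, so for a SECURITY_NT_NON_UNIQUE account whose logon server cannot be found the check is silently skipped along with the group lookup. Assuming the function's tail (outside the hunk) returns true in that case, create_token and lsaauth would proceed to build a token for an account that may be disabled, and the NetUserGetInfo status handling between the two visible fragments is also not shown. If this fail-open is intentional (e.g. to keep working without a reachable DC), it deserves a comment at the `if (check_account_disabled == CHK_DISABLED)` line such as `/* Only checked when a logon server is reachable; otherwise the disabled/lockout state cannot be verified and group enumeration is skipped. */`; otherwise consider failing with EACCES when CHK_DISABLED was requested but no server could be contacted. The function continues past the hunk.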
@ -482,7 +482,13 @@ HANDLE lsaprivkeyauth (struct passwd *pw);
|
||||
/* Verify an existing token */
|
||||
bool verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern = NULL);
|
||||
/* Get groups of a user */
|
||||
bool get_server_groups (cygsidlist &grp_list, PSID usersid);
|
||||
enum acct_disabled_chk_t {
|
||||
NO_CHK_DISABLED = 0,
|
||||
CHK_DISABLED = 1
|
||||
};
|
||||
|
||||
bool get_server_groups (cygsidlist &grp_list, PSID usersid,
|
||||
acct_disabled_chk_t check_account_disabled);
|
||||
|
||||
/* Extract U-domain\user field from passwd entry. */
|
||||
void extract_nt_dom_user (const struct passwd *pw, PWCHAR domain, PWCHAR user);
|
||||
|
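Review bot: The new `enum acct_disabled_chk_t` was inserted between the existing comment `/* Get groups of a user */` and the get_server_groups prototype it describes, so the comment now sits above the enum and the two values carry no explanation of when each is appropriate. Suggest moving the existing comment back above the prototype and documenting the enum, e.g. `/* CHK_DISABLED: also fail with EACCES if the account is disabled or locked out (token creation). NO_CHK_DISABLED: only enumerate groups (initgroups/getgrouplist). */`.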