* passwd.cc (pg_ent::enumerate_builtin): Convert pwd_builtins and

grp_builtins to array of cygpsid pointers.  Replace SID strings with
	pointers to well known SIDs.
	* sec_helper.cc (well_known_local_service_sid): Define.
	(well_known_network_service_sid): Define.
	(trusted_installer_sid): Define.
	* security.h (well_known_local_service_sid): Declare.
	(well_known_network_service_sid): Declare.
	(trusted_installer_sid): Declare.
	* uinfo.cc (pwdgrp::fetch_account_from_windows): Throughout set acc_type
	to SidTypeUnknown if LookupAccountXXX function failed.  Create
	simplified passwd entry for non-user accounts, except for LocalSystem.
	Add comment.
This commit is contained in:
Corinna Vinschen 2014-03-06 18:54:08 +00:00
parent 722c840b35
commit 29adfd78bd
5 changed files with 49 additions and 20 deletions

View File

@ -1,3 +1,19 @@
2014-03-06 Corinna Vinschen <corinna@vinschen.de>
* passwd.cc (pg_ent::enumerate_builtin): Convert pwd_builtins and
grp_builtins to array of cygpsid pointers. Replace SID strings with
pointers to well known SIDs.
* sec_helper.cc (well_known_local_service_sid): Define.
(well_known_network_service_sid): Define.
(trusted_installer_sid): Define.
* security.h (well_known_local_service_sid): Declare.
(well_known_network_service_sid): Declare.
(trusted_installer_sid): Declare.
* uinfo.cc (pwdgrp::fetch_account_from_windows): Throughout set acc_type
to SidTypeUnknown if LookupAccountXXX function failed. Create
simplified passwd entry for non-user accounts, except for LocalSystem.
Add comment.
2014-03-06 Corinna Vinschen <corinna@vinschen.de>
* setlsapwd.cc (setlsapwd): Use RtlSecureZeroMemory to delete password

View File

@ -467,36 +467,27 @@ pg_ent::enumerate_file ()
void *
pg_ent::enumerate_builtin ()
{
static const char *pwd_builtins[] = {
/* SYSTEM */
"S-1-5-18",
/* LocalService */
"S-1-5-19",
/* NetworkService */
"S-1-5-20",
/* Administrators */
"S-1-5-32-544",
/* TrustedInstaller */
"S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464",
/* The end */
static cygpsid *pwd_builtins[] = {
&well_known_system_sid,
&well_known_local_service_sid,
&well_known_network_service_sid,
&well_known_admins_sid,
&trusted_installer_sid,
NULL
};
static const char *grp_builtins[] = {
/* SYSTEM */
"S-1-5-18",
/* TrustedInstaller */
"S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464",
/* The end */
static cygpsid *grp_builtins[] = {
&well_known_system_sid,
&trusted_installer_sid,
NULL
};
const char **builtins = group ? grp_builtins : pwd_builtins;
cygpsid **builtins = group ? grp_builtins : pwd_builtins;
if (!builtins[cnt])
{
cnt = max = resume = 0;
return NULL;
}
cygsid sid (builtins[cnt++]);
cygsid sid (*builtins[cnt++]);
fetch_user_arg_t arg;
arg.type = SID_arg;
arg.sid = &sid;

View File

@ -66,6 +66,10 @@ MKSID (well_known_this_org_sid, "S-1-5-15",
SECURITY_NT_AUTHORITY, 1, 15);
MKSID (well_known_system_sid, "S-1-5-18",
SECURITY_NT_AUTHORITY, 1, SECURITY_LOCAL_SYSTEM_RID);
MKSID (well_known_local_service_sid, "S-1-5-19",
SECURITY_NT_AUTHORITY, 1, SECURITY_LOCAL_SERVICE_RID);
MKSID (well_known_network_service_sid, "S-1-5-20",
SECURITY_NT_AUTHORITY, 1, SECURITY_NETWORK_SERVICE_RID);
MKSID (well_known_builtin_sid, "S-1-5-32",
SECURITY_NT_AUTHORITY, 1, SECURITY_BUILTIN_DOMAIN_RID);
MKSID (well_known_admins_sid, "S-1-5-32-544",
@ -74,6 +78,11 @@ MKSID (well_known_admins_sid, "S-1-5-32-544",
MKSID (well_known_users_sid, "S-1-5-32-545",
SECURITY_NT_AUTHORITY, 2, SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_USERS);
MKSID (trusted_installer_sid,
"S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464",
SECURITY_NT_AUTHORITY, SECURITY_SERVICE_ID_RID_COUNT,
SECURITY_SERVICE_ID_BASE_RID, 956008885U, 3418522649U, 1831038044U,
1853292631U, 2271478464U);
MKSID (mandatory_medium_integrity_sid, "S-1-16-8192",
SECURITY_MANDATORY_LABEL_AUTHORITY, 1, SECURITY_MANDATORY_MEDIUM_RID);
MKSID (mandatory_high_integrity_sid, "S-1-16-12288",

View File

@ -385,9 +385,12 @@ extern cygpsid well_known_service_sid;
extern cygpsid well_known_authenticated_users_sid;
extern cygpsid well_known_this_org_sid;
extern cygpsid well_known_system_sid;
extern cygpsid well_known_local_service_sid;
extern cygpsid well_known_network_service_sid;
extern cygpsid well_known_builtin_sid;
extern cygpsid well_known_admins_sid;
extern cygpsid well_known_users_sid;
extern cygpsid trusted_installer_sid;
extern cygpsid mandatory_medium_integrity_sid;
extern cygpsid mandatory_high_integrity_sid;
extern cygpsid mandatory_system_integrity_sid;

View File

@ -1721,6 +1721,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, bool group,
uid = 0xffe;
wcpcpy (name = namebuf, L"OtherSession");
}
acc_type = SidTypeUnknown;
}
else if (sid_id_auth (sid) == 18)
{
@ -1733,6 +1734,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, bool group,
? (PWCHAR) L"Authentication authority asserted identity"
: (PWCHAR) L"Service asserted identity");
name_style = plus_prepended;
acc_type = SidTypeUnknown;
}
else if (sid_id_auth (sid) == 22)
{
@ -1747,6 +1749,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, bool group,
wcpcpy (p, sid_sub_auth (sid, 0) == 1 ? L"User" : L"Group");
__small_swprintf (name = namebuf, L"%d", uid & UNIX_POSIX_MASK);
name_style = fully_qualified;
acc_type = SidTypeUnknown;
}
else
{
@ -1787,6 +1790,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, bool group,
wcpcpy (name = namebuf, group ? L"Group" : L"User");
}
name_style = fully_qualified;
acc_type = SidTypeUnknown;
}
tmp_pathbuf tp;
@ -1806,6 +1810,12 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, bool group,
if (group)
__small_swprintf (linebuf, L"%W:%W:%u:",
posix_name, sid.string (sidstr), uid);
/* For non-users, create a passwd entry which doesn't allow interactive
logon. Unless it's the SYSTEM account. This conveniently allows to
long interactively as SYSTEM for debugging purposes. */
else if (acc_type != SidTypeUser && sid != well_known_system_sid)
__small_swprintf (linebuf, L"%W:*:%u:%u:,%W:/:/sbin/nologin",
posix_name, uid, gid, sid.string (sidstr));
else
__small_swprintf (linebuf, L"%W:*:%u:%u:%W%WU-%W\\%W,%W:%W%W:%W",
posix_name, uid, gid,