From 29adfd78bd5870268f0b930f25374f7299dd7e8d Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Thu, 6 Mar 2014 18:54:08 +0000 Subject: [PATCH] * passwd.cc (pg_ent::enumerate_builtin): Convert pwd_builtins and grp_builtins to array of cygpsid pointers. Replace SID strings with pointers to well known SIDs. * sec_helper.cc (well_known_local_service_sid): Define. (well_known_network_service_sid): Define. (trusted_installer_sid): Define. * security.h (well_known_local_service_sid): Declare. (well_known_network_service_sid): Declare. (trusted_installer_sid): Declare. * uinfo.cc (pwdgrp::fetch_account_from_windows): Throughout set acc_type to SidTypeUnknown if LookupAccountXXX function failed. Create simplified passwd entry for non-user accounts, except for LocalSystem. Add comment. --- winsup/cygwin/ChangeLog | 16 ++++++++++++++++ winsup/cygwin/passwd.cc | 31 +++++++++++-------------------- winsup/cygwin/sec_helper.cc | 9 +++++++++ winsup/cygwin/security.h | 3 +++ winsup/cygwin/uinfo.cc | 10 ++++++++++ 5 files changed, 49 insertions(+), 20 deletions(-) diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog index 136dafb1f..9dabf5c77 100644 --- a/winsup/cygwin/ChangeLog +++ b/winsup/cygwin/ChangeLog 
@@ -1,3 +1,19 @@ +2014-03-06 Corinna Vinschen + + * passwd.cc (pg_ent::enumerate_builtin): Convert pwd_builtins and + grp_builtins to array of cygpsid pointers. Replace SID strings with + pointers to well known SIDs. + * sec_helper.cc (well_known_local_service_sid): Define. + (well_known_network_service_sid): Define. + (trusted_installer_sid): Define. + * security.h (well_known_local_service_sid): Declare. + (well_known_network_service_sid): Declare. + (trusted_installer_sid): Declare. + * uinfo.cc (pwdgrp::fetch_account_from_windows): Throughout set acc_type + to SidTypeUnknown if LookupAccountXXX function failed. Create + simplified passwd entry for non-user accounts, except for LocalSystem. + Add comment. + 2014-03-06 Corinna Vinschen * setlsapwd.cc (setlsapwd): Use RtlSecureZeroMemory to delete password diff --git a/winsup/cygwin/passwd.cc b/winsup/cygwin/passwd.cc index 70759086f..cbe0945d6 100644 --- a/winsup/cygwin/passwd.cc +++ b/winsup/cygwin/passwd.cc 
@@ -467,36 +467,27 @@ pg_ent::enumerate_file () void * pg_ent::enumerate_builtin () { - static const char *pwd_builtins[] = { - /* SYSTEM */ - "S-1-5-18", - /* LocalService */ - "S-1-5-19", - /* NetworkService */ - "S-1-5-20", - /* Administrators */ - "S-1-5-32-544", - /* TrustedInstaller */ - "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464", - /* The end */ + static cygpsid *pwd_builtins[] = { + &well_known_system_sid, + &well_known_local_service_sid, + &well_known_network_service_sid, + &well_known_admins_sid, + &trusted_installer_sid, NULL }; - static const char *grp_builtins[] = { - /* SYSTEM */ - "S-1-5-18", - /* TrustedInstaller */ - "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464", - /* The end */ + static cygpsid *grp_builtins[] = { + &well_known_system_sid, + &trusted_installer_sid, NULL }; - const char **builtins = group ? grp_builtins : pwd_builtins; + cygpsid **builtins = group ? grp_builtins : pwd_builtins; if (!builtins[cnt]) { cnt = max = resume = 0; return NULL; } - cygsid sid (builtins[cnt++]); + cygsid sid (*builtins[cnt++]); fetch_user_arg_t arg; arg.type = SID_arg; arg.sid = &sid; diff --git a/winsup/cygwin/sec_helper.cc b/winsup/cygwin/sec_helper.cc index 69df2baf8..122776f43 100644 --- a/winsup/cygwin/sec_helper.cc +++ b/winsup/cygwin/sec_helper.cc @@ -66,6 +66,10 @@ MKSID (well_known_this_org_sid, "S-1-5-15", SECURITY_NT_AUTHORITY, 1, 15); MKSID (well_known_system_sid, "S-1-5-18", SECURITY_NT_AUTHORITY, 1, SECURITY_LOCAL_SYSTEM_RID); +MKSID (well_known_local_service_sid, "S-1-5-19", + SECURITY_NT_AUTHORITY, 1, SECURITY_LOCAL_SERVICE_RID); +MKSID (well_known_network_service_sid, "S-1-5-20", + SECURITY_NT_AUTHORITY, 1, SECURITY_NETWORK_SERVICE_RID); MKSID (well_known_builtin_sid, "S-1-5-32", SECURITY_NT_AUTHORITY, 1, SECURITY_BUILTIN_DOMAIN_RID); MKSID (well_known_admins_sid, "S-1-5-32-544", 
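Review bot: The new tables `static cygpsid *pwd_builtins[]` and `static cygpsid *grp_builtins[]` are arrays of non-const pointers to the shared global SID objects, so a later edit could reassign an entry or mutate a `well_known_*_sid` through the table without the compiler objecting. Declaring them `static cygpsid *const pwd_builtins[]` / `static cygpsid *const grp_builtins[]` and the selector `cygpsid *const *builtins = group ? grp_builtins : pwd_builtins;` keeps the enumeration read-only while leaving `cygsid sid (*builtins[cnt++]);` unchanged, since only the pointer, not the pointee, becomes const. That line still copies the well-known SID into a local `cygsid`, presumably because `arg.sid` takes a `cygsid *`; if it accepts a `cygpsid *`, the copy could go. pg_ent::enumerate_builtin's body continues past the end of the hunk.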
@@ -74,6 +78,11 @@ MKSID (well_known_admins_sid, "S-1-5-32-544", MKSID (well_known_users_sid, "S-1-5-32-545", SECURITY_NT_AUTHORITY, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS); +MKSID (trusted_installer_sid, + "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464", + SECURITY_NT_AUTHORITY, SECURITY_SERVICE_ID_RID_COUNT, + SECURITY_SERVICE_ID_BASE_RID, 956008885U, 3418522649U, 1831038044U, + 1853292631U, 2271478464U); MKSID (mandatory_medium_integrity_sid, "S-1-16-8192", SECURITY_MANDATORY_LABEL_AUTHORITY, 1, SECURITY_MANDATORY_MEDIUM_RID); MKSID (mandatory_high_integrity_sid, "S-1-16-12288", diff --git a/winsup/cygwin/security.h b/winsup/cygwin/security.h index 887634ae0..7af737fd7 100644 --- a/winsup/cygwin/security.h +++ b/winsup/cygwin/security.h @@ -385,9 +385,12 @@ extern cygpsid well_known_service_sid; extern cygpsid well_known_authenticated_users_sid; extern cygpsid well_known_this_org_sid; extern cygpsid well_known_system_sid; +extern cygpsid well_known_local_service_sid; +extern cygpsid well_known_network_service_sid; extern cygpsid well_known_builtin_sid; extern cygpsid well_known_admins_sid; extern cygpsid well_known_users_sid; +extern cygpsid trusted_installer_sid; extern cygpsid mandatory_medium_integrity_sid; extern cygpsid mandatory_high_integrity_sid; extern cygpsid mandatory_system_integrity_sid; diff --git a/winsup/cygwin/uinfo.cc b/winsup/cygwin/uinfo.cc index ef8128265..efda17a1f 100644 --- a/winsup/cygwin/uinfo.cc +++ b/winsup/cygwin/uinfo.cc @@ -1721,6 +1721,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, bool group, uid = 0xffe; wcpcpy (name = namebuf, L"OtherSession"); } + acc_type = SidTypeUnknown; } else if (sid_id_auth (sid) == 18) { 
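Review bot: The five sub-authorities in the new `trusted_installer_sid` definition are opaque numbers with no symbolic constant, unlike the neighbouring MKSID lines that use named RIDs, and nothing records where they come from or that the string form and the numeric form must stay in sync. A one-line comment above the MKSID, e.g. `/* NT SERVICE\TrustedInstaller.  S-1-5-80-* service SIDs are derived from the service name, so the sub-authorities have no symbolic names; the string and numeric forms must match. */`, would spare the next reader a lookup. The two forms do agree as written: SECURITY_SERVICE_ID_BASE_RID is 80, SECURITY_SERVICE_ID_RID_COUNT is 6, and the five values match the string.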
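Review bot: `acc_type = SidTypeUnknown;` is assigned here in the synthetic-SID branch and again in the hunks at -1733, -1747 and -1787, and the new `acc_type != SidTypeUser` test in the hunk at -1806 reads it on every non-group path; whether every path reaching that test has assigned it depends on code outside these hunks (the declaration and the LookupAccount branches are not visible), so if `acc_type` is not initialized at its declaration, a branch the commit missed would make the nologin decision on an indeterminate value. Initializing it where it is declared, e.g. `= SidTypeUnknown`, makes "not a user" the explicit default and removes the need to remember the assignment in each failure branch. pwdgrp::fetch_account_from_windows begins and ends outside these hunks.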
@@ -1733,6 +1734,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, bool group, ? (PWCHAR) L"Authentication authority asserted identity" : (PWCHAR) L"Service asserted identity"); name_style = plus_prepended; + acc_type = SidTypeUnknown; } else if (sid_id_auth (sid) == 22) { @@ -1747,6 +1749,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, bool group, wcpcpy (p, sid_sub_auth (sid, 0) == 1 ? L"User" : L"Group"); __small_swprintf (name = namebuf, L"%d", uid & UNIX_POSIX_MASK); name_style = fully_qualified; + acc_type = SidTypeUnknown; } else { @@ -1787,6 +1790,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, bool group, wcpcpy (name = namebuf, group ? L"Group" : L"User"); } name_style = fully_qualified; + acc_type = SidTypeUnknown; } tmp_pathbuf tp; @@ -1806,6 +1810,12 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, bool group, if (group) __small_swprintf (linebuf, L"%W:%W:%u:", posix_name, sid.string (sidstr), uid); + /* For non-users, create a passwd entry which doesn't allow interactive + logon. Unless it's the SYSTEM account. This conveniently allows to + long interactively as SYSTEM for debugging purposes. */ + else if (acc_type != SidTypeUser && sid != well_known_system_sid) + __small_swprintf (linebuf, L"%W:*:%u:%u:,%W:/:/sbin/nologin", + posix_name, uid, gid, sid.string (sidstr)); else __small_swprintf (linebuf, L"%W:*:%u:%u:%W%WU-%W\\%W,%W:%W%W:%W", posix_name, uid, gid,
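Review bot: The comment above the new `else if (acc_type != SidTypeUser && sid != well_known_system_sid)` branch has wording errors that obscure its intent ("Unless it's the SYSTEM account." as a fragment, and "allows to long interactively"); suggested text: `/* For non-users, create a passwd entry which doesn't allow interactive logon, unless it's the SYSTEM account.  This conveniently allows logging in interactively as SYSTEM for debugging purposes. */`. It would also help to say in the comment that "non-users" covers every SID_NAME_USE other than SidTypeUser, including the SidTypeUnknown value the earlier hunks assign to synthesized accounts, so a reader knows which entries end up with `/sbin/nologin`. The enclosing function and the `else` branch continue past the end of the hunk.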