* security.cc (is_group_member): Use local group info type 1. Test
group for being a global group or a well-known SID before adding it to the group list. Add comment.
This commit is contained in:
parent
1f602210ea
commit
49e803c0b6
@ -1,3 +1,17 @@
2006-02-02 Corinna Vinschen <corinna@vinschen.de>
|
* security.cc (is_group_member): Use local group info type 1. Test
group for being a global group or a well-known SID before adding it
to the group list. Add comment.
|
2006-02-01 Corinna Vinschen <corinna@vinschen.de>
|
* autoload.cc (GetTcpTable): Define.
* fhandler_socket.cc (address_in_use): New function to check if
sockaddr_in address is already in use.
(fhandler_socket::bind): Check if address is alreay in use in case of
SO_REUSEADDR, to circumvent WinSock non-standard behaviour.
|
2006-02-01 Corinna Vinschen <corinna@vinschen.de>
|
* spawn.cc (dll_suffixes): Add .exe and "no suffix" to the list.
|
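--- a/security.cc
+++ b/security.cc
@@ -367,24 +367,38 @@ get_user_groups (WCHAR *wlogonserver, cygsidlist &grp_list, char *user,
 static bool
 is_group_member (WCHAR *wgroup, PSID pusersid, cygsidlist &grp_list)
 {
-LPLOCALGROUP_MEMBERS_INFO_0 buf;
+LPLOCALGROUP_MEMBERS_INFO_1 buf;
 DWORD cnt, tot;
 NET_API_STATUS ret;
 
 /* Members can be users or global groups */
-ret = NetLocalGroupGetMembers (NULL, wgroup, 0, (LPBYTE *) &buf,
+ret = NetLocalGroupGetMembers (NULL, wgroup, 1, (LPBYTE *) &buf,
 MAX_PREFERRED_LENGTH, &cnt, &tot, NULL);
 if (ret)
 return false;
 
 bool retval = true;
 for (DWORD bidx = 0; bidx < cnt; ++bidx)
-if (EqualSid (pusersid, buf[bidx].lgrmi0_sid))
+if (EqualSid (pusersid, buf[bidx].lgrmi1_sid))
 goto done;
 else
-for (int glidx = 0; glidx < grp_list.count; ++glidx)
-if (EqualSid (grp_list.sids[glidx], buf[bidx].lgrmi0_sid))
-goto done;
+{
+/* The extra test for the group being a global group or a well-known
+group is necessary, since apparently also aliases (for instance
+Administrators or Users) can be members of local groups, even
+though MSDN states otherwise. The GUI refuses to put aliases into
+local groups, but the CLI interface allows it. However, a normal
+logon token does not contain those 2nd order aliases, so we also
+should not put them into the token group list.
+Note: Allowing those 2nd order aliases in our group list renders
+external tokens invalid, so that it becomes impossible to logon
+with password and valid logon token. */
+for (int glidx = 0; glidx < grp_list.count; ++glidx)
+if ((buf[bidx].lgrmi1_sidusage == SidTypeGroup
+|| buf[bidx].lgrmi1_sidusage == SidTypeWellKnownGroup)
+&& EqualSid (grp_list.sids[glidx], buf[bidx].lgrmi1_sid))
+goto done;
+}
 
 retval = false;
 done: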
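Review bot: The `lgrmi1_sidusage` test in the new inner `for` depends only on `buf[bidx]`, yet it is re-evaluated for every `grp_list` entry and its position inside the `&&` buries the policy (ignore alias members) in the SID comparison. Hoisting it as a guard at the top of the new `else` block states the policy once and keeps the inner loop a plain SID match: `if (buf[bidx].lgrmi1_sidusage != SidTypeGroup && buf[bidx].lgrmi1_sidusage != SidTypeWellKnownGroup) continue;`. The level-1 buffer from NetLocalGroupGetMembers still has to be released with NetApiBufferFree; the function's tail after `done:` lies outside the hunk, so I cannot see from here whether that is done. A one-line comment above `if (ret) return false;` noting that any lookup failure is reported as non-membership (fail-closed, but indistinguishable to the caller from a real "not a member") would also help the next reader.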