* security.cc (is_group_member): Use local group info type 1. Test
group for being a global group or a well-known SID before adding it to the group list. Add comment.
parent
1f602210ea
commit
49e803c0b6
@ -1,3 +1,17 @@
|
|||||||
|
2006-02-02 Corinna Vinschen <corinna@vinschen.de>
|
||||||
|
|
||||||
|
* security.cc (is_group_member): Use local group info type 1. Test
|
||||||
|
group for being a global group or a well-known SID before adding it
|
||||||
|
to the group list. Add comment.
|
||||||
|
|
||||||
|
2006-02-01 Corinna Vinschen <corinna@vinschen.de>
|
||||||
|
|
||||||
|
* autoload.cc (GetTcpTable): Define.
|
||||||
|
* fhandler_socket.cc (address_in_use): New function to check if
|
||||||
|
sockaddr_in address is already in use.
|
||||||
|
(fhandler_socket::bind): Check if address is alreay in use in case of
|
||||||
|
SO_REUSEADDR, to circumvent WinSock non-standard behaviour.
|
||||||
|
|
||||||
2006-02-01 Corinna Vinschen <corinna@vinschen.de>
|
2006-02-01 Corinna Vinschen <corinna@vinschen.de>
|
||||||
|
|
||||||
* spawn.cc (dll_suffixes): Add .exe and "no suffix" to the list.
|
* spawn.cc (dll_suffixes): Add .exe and "no suffix" to the list.
|
||||||
|
@ -367,24 +367,38 @@ get_user_groups (WCHAR *wlogonserver, cygsidlist &grp_list, char *user,
|
|||||||
static bool
|
static bool
|
||||||
is_group_member (WCHAR *wgroup, PSID pusersid, cygsidlist &grp_list)
|
is_group_member (WCHAR *wgroup, PSID pusersid, cygsidlist &grp_list)
|
||||||
{
|
{
|
||||||
LPLOCALGROUP_MEMBERS_INFO_0 buf;
|
LPLOCALGROUP_MEMBERS_INFO_1 buf;
|
||||||
DWORD cnt, tot;
|
DWORD cnt, tot;
|
||||||
NET_API_STATUS ret;
|
NET_API_STATUS ret;
|
||||||
|
|
||||||
/* Members can be users or global groups */
|
/* Members can be users or global groups */
|
||||||
ret = NetLocalGroupGetMembers (NULL, wgroup, 0, (LPBYTE *) &buf,
|
ret = NetLocalGroupGetMembers (NULL, wgroup, 1, (LPBYTE *) &buf,
|
||||||
MAX_PREFERRED_LENGTH, &cnt, &tot, NULL);
|
MAX_PREFERRED_LENGTH, &cnt, &tot, NULL);
|
||||||
if (ret)
|
if (ret)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
bool retval = true;
|
bool retval = true;
|
||||||
for (DWORD bidx = 0; bidx < cnt; ++bidx)
|
for (DWORD bidx = 0; bidx < cnt; ++bidx)
|
||||||
if (EqualSid (pusersid, buf[bidx].lgrmi0_sid))
|
if (EqualSid (pusersid, buf[bidx].lgrmi1_sid))
|
||||||
goto done;
|
goto done;
|
||||||
else
|
else
|
||||||
for (int glidx = 0; glidx < grp_list.count; ++glidx)
|
{
|
||||||
if (EqualSid (grp_list.sids[glidx], buf[bidx].lgrmi0_sid))
|
/* The extra test for the group being a global group or a well-known
|
||||||
goto done;
|
group is necessary, since apparently also aliases (for instance
|
||||||
|
Administrators or Users) can be members of local groups, even
|
||||||
|
though MSDN states otherwise. The GUI refuses to put aliases into
|
||||||
|
local groups, but the CLI interface allows it. However, a normal
|
||||||
|
logon token does not contain those 2nd order aliases, so we also
|
||||||
|
should not put them into the token group list.
|
||||||
|
Note: Allowing those 2nd order aliases in our group list renders
|
||||||
|
external tokens invalid, so that it becomes impossible to logon
|
||||||
|
with password and valid logon token. */
|
||||||
|
for (int glidx = 0; glidx < grp_list.count; ++glidx)
|
||||||
|
if ((buf[bidx].lgrmi1_sidusage == SidTypeGroup
|
||||||
|
|| buf[bidx].lgrmi1_sidusage == SidTypeWellKnownGroup)
|
||||||
|
&& EqualSid (grp_list.sids[glidx], buf[bidx].lgrmi1_sid))
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
retval = false;
|
retval = false;
|
||||||
done:
|
done:
|
||||||
|
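Review bot: The retained one-line comment `/* Members can be users or global groups */` above the NetLocalGroupGetMembers call now contradicts the new block comment, which explains that aliases such as Administrators or Users can in fact appear in the member list and must be filtered out; the old line should be reworded, e.g. `/* Members can be users, global groups, or (via the CLI only) aliases; aliases are filtered below. */`, so a later reader does not drop the sidusage test as redundant. A second, stylistic point: the `lgrmi1_sidusage` test inside the inner `for (glidx ...)` loop is invariant in glidx and is re-evaluated for every entry of grp_list; hoisting it in front of the loop as `if (buf[bidx].lgrmi1_sidusage != SidTypeGroup && buf[bidx].lgrmi1_sidusage != SidTypeWellKnownGroup) continue;` leaves the inner `if` with only the `EqualSid` comparison and makes the filtering intent read as a guard rather than as part of the match. The direct `EqualSid (pusersid, ...)` match is deliberately left unfiltered, which looks correct since it only ever matches the user's own SID. The function continues past `done:` outside this hunk, so whether `buf` is released on both the early `return false` path and the `done:` path cannot be judged from here.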