JehanneOS/newlib
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Don't call LsaLookupSids if we're not utilizing Windows account DBs

Browse Source 
* grp.cc (internal_getgrfull): Drop asking caches.  Explain why.
        (internal_getgroups): In case we're not utilizing the Windows account
        DBs, don't call LsaLookupSids but iterate over the group SIDs in the
        token and call internal_getgrsid for each of them.  Explain why.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
This commit is contained in:
Corinna Vinschen
2015-08-17 22:45:02 +02:00
parent 88dce3abd8
commit 4cb24051f4
3 changed files with 42 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
winsup/cygwin/ChangeLog
View File

@@ -1,3 +1,10 @@
2015-08-17 Corinna Vinschen <corinna@vinschen.de>
* grp.cc (internal_getgrfull): Drop asking caches. Explain why.
(internal_getgroups): In case we're not utilizing the Windows account
DBs, don't call LsaLookupSids but iterate over the group SIDs in the
token and call internal_getgrsid for each of them. Explain why.
2015-08-17 Corinna Vinschen <corinna@vinschen.de> 2015-08-17 Corinna Vinschen <corinna@vinschen.de>
* fhandler_disk_file.cc (fhandler_base::fstat_by_nfs_ea): Rearrange * fhandler_disk_file.cc (fhandler_base::fstat_by_nfs_ea): Rearrange

49
winsup/cygwin/grp.cc
View File

@@ -152,17 +152,8 @@ internal_getgrfull (fetch_acc_t &full_acc, cyg_ldap *pldap)
struct group *ret; struct group *ret;
cygheap->pg.nss_init (); cygheap->pg.nss_init ();
/* Check caches first. */ /* Skip local caches, internal_getgroups already called
if (cygheap->pg.nss_cygserver_caching () internal_getgrsid_cachedonly. */
&& (ret = cygheap->pg.grp_cache.cygserver.find_group (full_acc.sid)))
return ret;
if (cygheap->pg.nss_grp_files ()
&& (ret = cygheap->pg.grp_cache.file.find_group (full_acc.sid)))
return ret;
if (cygheap->pg.nss_grp_db ()
&& (ret = cygheap->pg.grp_cache.win.find_group (full_acc.sid)))
return ret;
/* Ask sources afterwards. */
if (cygheap->pg.nss_cygserver_caching () if (cygheap->pg.nss_cygserver_caching ()
&& (ret = cygheap->pg.grp_cache.cygserver.add_group_from_cygserver && (ret = cygheap->pg.grp_cache.cygserver.add_group_from_cygserver
(full_acc.sid))) (full_acc.sid)))
@@ -598,7 +589,7 @@ internal_getgroups (int gidsetsize, gid_t *grouplist, cyg_ldap *pldap)
&size); &size);
if (!NT_SUCCESS (status)) if (!NT_SUCCESS (status))
{ {
system_printf ("token group list > 64K? status = %u", status); debug_printf ("NtQueryInformationToken(TokenGroups) %y", status);
goto out; goto out;
} }
/* Iterate over the group list and check which of them are already cached. /* Iterate over the group list and check which of them are already cached.
@@ -627,16 +618,40 @@ internal_getgroups (int gidsetsize, gid_t *grouplist, cyg_ldap *pldap)
else else
sidp_buf[scnt++] = sid; sidp_buf[scnt++] = sid;
} }
/* If there are non-cached groups left, call LsaLookupSids and call /* If there are non-cached groups left, try to fetch them. */
internal_getgrfull on the returned groups. This performs a lot
better than calling internal_getgrsid on each group. */
if (scnt > 0) if (scnt > 0)
{ {
/* Don't call LsaLookupSids if we're not utilizing the Windows account
DBs. If we don't have access to the AD, which is one good reason to
disable passwd/group: db in nsswitch.conf, then the subsequent call
to LsaLookupSids will take 5 - 10 seconds in some environments. */
if (!cygheap->pg.nss_grp_db ())
{
for (DWORD pg = 0; pg < scnt; ++pg)
{
cygpsid sid = sidp_buf[pg];
if ((grp = internal_getgrsid (sid, NULL)))
{
if (cnt < gidsetsize)
grouplist[cnt] = grp->gr_gid;
++cnt;
if (gidsetsize && cnt > gidsetsize)
{
cnt = -1;
break;
}
}
}
goto out;
}
/* Otherwise call LsaLookupSids and call internal_getgrfull on the
returned groups. This performs a lot better than calling
internal_getgrsid on each group. */
status = STATUS_ACCESS_DENIED; status = STATUS_ACCESS_DENIED;
HANDLE lsa = lsa_open_policy (NULL, POLICY_LOOKUP_NAMES); HANDLE lsa = lsa_open_policy (NULL, POLICY_LOOKUP_NAMES);
if (!lsa) if (!lsa)
{ {
system_printf ("POLICY_LOOKUP_NAMES not given?"); debug_printf ("POLICY_LOOKUP_NAMES right not given?");
goto out; goto out;
} }
status = LsaLookupSids (lsa, scnt, sidp_buf, &dlst, &nlst); status = LsaLookupSids (lsa, scnt, sidp_buf, &dlst, &nlst);
@@ -664,7 +679,7 @@ internal_getgroups (int gidsetsize, gid_t *grouplist, cyg_ldap *pldap)
if (gidsetsize && cnt > gidsetsize) if (gidsetsize && cnt > gidsetsize)
{ {
cnt = -1; cnt = -1;
goto out; break;
} }
} }
} }

5
winsup/cygwin/release/2.2.1
View File

@@ -11,8 +11,9 @@ Bug Fixes
modern CPUs and modern Windows OSes supporting more than 64 logical CPUs. modern CPUs and modern Windows OSes supporting more than 64 logical CPUs.
Addresses: https://cygwin.com/ml/cygwin/2015-06/msg00345.html Addresses: https://cygwin.com/ml/cygwin/2015-06/msg00345.html
- Don't try to perform RFC2307 owner/group mapping on Samba/NFS if account - Don't call LsaLookupSids to fetch group information and don't perform RFC2307
info is only fetched from local passwd/group files. owner/group mapping on Samba/NFS if account info is only fetched from local
passwd/group files.
Addresses: https://cygwin.com/ml/cygwin/2015-07/msg00270.html Addresses: https://cygwin.com/ml/cygwin/2015-07/msg00270.html
- Precautionally fix a potential data corruption problem in pipe I/O, only - Precautionally fix a potential data corruption problem in pipe I/O, only