From 5c6a0f3117811cf11b98b471503e02fdc37f96f2 Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Mon, 17 Nov 2014 10:09:01 +0000 Subject: [PATCH] * uinfo.cc (pwdgrp::fetch_account_from_windows): Allow fetching of NT SERVICE accounts by name. Always prepend domain to NT SERVICE accounts. Add U-domain\username string to pw_gecos for predefined builtin accounts as well. --- winsup/cygwin/ChangeLog | 7 +++++++ winsup/cygwin/uinfo.cc | 24 ++++++++++++++++++++---- 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog index c4be0562a..c8419f46c 100644 --- a/winsup/cygwin/ChangeLog +++ b/winsup/cygwin/ChangeLog @@ -1,3 +1,10 @@ +2014-11-17 Corinna Vinschen + + * uinfo.cc (pwdgrp::fetch_account_from_windows): Allow fetching of + NT SERVICE accounts by name. Always prepend domain to NT SERVICE + accounts. Add U-domain\username string to pw_gecos for predefined + builtin accounts as well. + 2014-11-14 Corinna Vinschen * fhandler_termios.cc (fhandler_termios::line_edit): Fix fatal typo in diff --git a/winsup/cygwin/uinfo.cc b/winsup/cygwin/uinfo.cc index dc76ae92f..6b7ad550c 100644 --- a/winsup/cygwin/uinfo.cc +++ b/winsup/cygwin/uinfo.cc @@ -1294,6 +1294,19 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap) ret = LookupAccountNameW (NULL, name, sid, &slen, dom, &dlen, &acc_type); } + /* LookupAccountName doesn't find NT SERVICE accounts. Try just for + kicks (and to make TrustedInstaller work here :-P */ + else if (!ret) + { + p = wcpcpy (name, L"NT SERVICE"); + *p = L'\\'; + sys_mbstowcs (p + 1, UNLEN + 1, arg.name); + slen = SECURITY_MAX_SID_SIZE; + dlen = DNLEN + 1; + sid = csid; + ret = LookupAccountNameW (NULL, name, sid, &slen, dom, &dlen, + &acc_type); + } if (!ret) { debug_printf ("LookupAccountNameW (%W), %E", name); 
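Review bot: The fallback branch converts `arg.name` into `name` starting at `p + 1`, which is 11 wide characters in (after `NT SERVICE` and the backslash), with a limit of `UNLEN + 1`, so `name` must hold at least 11 + UNLEN + 1 elements. Its declaration is outside the hunk, so the size needs confirming, as `arg.name` is presumably the caller-supplied lookup key. A comment above the `wcpcpy` call, such as `/* name must have room for "NT SERVICE\" (11 wide chars) plus UNLEN + 1 */`, would record the requirement. Separately, when this second lookup also fails, the `debug_printf` that follows logs the rewritten `NT SERVICE\...` string and the error of the retry, not the name that was originally requested. The enclosing function starts and ends outside the hunk.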
@@ -1785,8 +1798,11 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap) break; case SidTypeWellKnownGroup: fully_qualified_name = (cygheap->pg.nss_prefix_always () - /* Microsoft Account */ - || sid_id_auth (sid) == 11); + /* NT SERVICE Account */ + || (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */ + && sid_sub_auth (sid, 0) == SECURITY_SERVICE_ID_BASE_RID) + /* Microsoft Account */ + || sid_id_auth (sid) == 11); #ifdef INTERIX_COMPATIBLE if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */ && sid_sub_auth_count (sid) > 1) @@ -1937,8 +1953,8 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap) logon. Unless it's the SYSTEM account. This conveniently allows to logon interactively as SYSTEM for debugging purposes. */ else if (acc_type != SidTypeUser && sid != well_known_system_sid) - __small_swprintf (linebuf, L"%W:*:%u:%u:,%W:/:/sbin/nologin", - posix_name, uid, gid, sid.string (sidstr)); + __small_swprintf (linebuf, L"%W:*:%u:%u:U-%W\\%W,%W:/:/sbin/nologin", + posix_name, uid, gid, dom, name, sid.string (sidstr)); else __small_swprintf (linebuf, L"%W:*:%u:%u:%W%WU-%W\\%W,%W:%W%W:%W", posix_name, uid, gid,
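Review bot: The added `/* NT SERVICE Account */` comment in the `SidTypeWellKnownGroup` case names the SIDs that are matched but not why these accounts are always domain-prefixed when other well-known groups are not. If the reason is that service names are arbitrary and could collide with ordinary account names, a comment like `/* NT SERVICE names may clash with user names, always qualify them */` would say so. The condition also reads `sid_sub_auth (sid, 0)` without a count check, while the `INTERIX_COMPATIBLE` block just below tests `sid_sub_auth_count (sid) > 1` first. Adding `&& sid_sub_auth_count (sid) > 0` before the comparison would keep the two consistent, even though a well-known SID under authority 5 is unlikely to lack a sub-authority.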
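Review bot: In the last hunk the `/sbin/nologin` entry now prints `dom` and `name` into the gecos field as `U-%W\\%W`, but neither is assigned within the hunk, so their contents at this point need checking. The by-name fallback added in the first hunk rewrites `name` to hold the `NT SERVICE\` prefix; unless that prefix is stripped before this line, the field would read `U-NT SERVICE\NT SERVICE\...`. Accounts whose lookup returns an empty domain would likewise yield `U-\name`. A short comment above the call, e.g. `/* name is the bare account name here, dom may be empty */`, would document what this line relies on. The enclosing function continues outside the hunk.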