* uinfo.cc (pwdgrp::fetch_account_from_windows): Drop "plus_prepended"

as naming style.  Drop enum name_style_t, use a boolean
	"fully_qualified_name" value instead.  Rework function to drop
	"plus_prepended" handling throughout and default to "name only" style
	as replacement.
Corinna Vinschen 2014-08-04 15:50:42 +00:00
parent c0a211cc3e
commit 64665f459e
2 changed files with 74 additions and 64 deletions


@ -1,3 +1,11 @@
2014-08-04 Corinna Vinschen <corinna@vinschen.de>
* uinfo.cc (pwdgrp::fetch_account_from_windows): Drop "plus_prepended"
as naming style. Drop enum name_style_t, use a boolean
"fully_qualified_name" value instead. Rework function to drop
"plus_prepended" handling througout and default to "name only" style
as replacement.
2014-07-31 Eric Blake <eblake@redhat.com> 2014-07-31 Eric Blake <eblake@redhat.com>
* include/pthread.h: Decorate attribute names with __, for * include/pthread.h: Decorate attribute names with __, for


@ -1199,11 +1199,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
SID_NAME_USE acc_type; SID_NAME_USE acc_type;
BOOL ret = false; BOOL ret = false;
/* Cygwin user name style. */ /* Cygwin user name style. */
enum name_style_t { bool fully_qualified_name = false;
name_only,
plus_prepended,
fully_qualified
} name_style = name_only;
/* Computed stuff. */ /* Computed stuff. */
uid_t uid = ILLEGAL_UID; uid_t uid = ILLEGAL_UID;
gid_t gid = ILLEGAL_GID; gid_t gid = ILLEGAL_GID;
@ -1261,46 +1257,52 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
standalone machine, or the username must be from the primary domain. standalone machine, or the username must be from the primary domain.
In the latter case, prepend the primary domain name so as not to In the latter case, prepend the primary domain name so as not to
collide with an account from the account domain with the same name. */ collide with an account from the account domain with the same name. */
name_style_t nstyle; bool fq_name;
nstyle = name_only; fq_name = false;
p = name; /* Copy over to wchar for search. */
if (*arg.name == cygheap->pg.nss_separator ()[0]) sys_mbstowcs (name, UNLEN + 1, arg.name);
nstyle = plus_prepended;
else if (strchr (arg.name, cygheap->pg.nss_separator ()[0]))
nstyle = fully_qualified;
else if (cygheap->dom.member_machine ())
p = wcpcpy (wcpcpy (p, cygheap->dom.primary_flat_name ()),
cygheap->pg.nss_separator ());
/* Now fill up with name to search. */
sys_mbstowcs (p, UNLEN + 1,
arg.name + (nstyle == plus_prepended ? 1 : 0));
/* Replace domain separator char with backslash and make sure p is NULL /* Replace domain separator char with backslash and make sure p is NULL
or points to the backslash, so... */ or points to the backslash, so... */
if ((p = wcschr (name, cygheap->pg.nss_separator ()[0]))) if ((p = wcschr (name, cygheap->pg.nss_separator ()[0])))
*p = L'\\'; {
fq_name = true;
*p = L'\\';
}
sid = csid; sid = csid;
ret = LookupAccountNameW (NULL, name, sid, &slen, dom, &dlen, &acc_type); ret = LookupAccountNameW (NULL, name, sid, &slen, dom, &dlen, &acc_type);
/* If this is a name-only S-1-5-21 account *and* it's a machine account
on a domain member machine, then we found the wrong one. Another
weird, but perfectly valid case is, if the group name is identical
to the domain name. Try again with domain name prepended. */
if (ret
&& !fq_name
&& sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
&& sid_sub_auth (sid, 0) == SECURITY_NT_NON_UNIQUE
&& cygheap->dom.member_machine ()
&& (wcscasecmp (dom, cygheap->dom.account_flat_name ()) == 0
|| acc_type == SidTypeDomain))
{
p = wcpcpy (name, cygheap->dom.primary_flat_name ());
*p = L'\\';
sys_mbstowcs (p + 1, UNLEN + 1, arg.name);
slen = SECURITY_MAX_SID_SIZE;
dlen = DNLEN + 1;
sid = csid;
ret = LookupAccountNameW (NULL, name, sid, &slen, dom, &dlen,
&acc_type);
}
if (!ret) if (!ret)
{ {
debug_printf ("LookupAccountNameW (%W), %E", name); debug_printf ("LookupAccountNameW (%W), %E", name);
return NULL; return NULL;
} }
/* ... we can skip the backslash in the rest of this function. */ /* We can skip the backslash in the rest of this function. */
if (p) if (p)
name = p + 1; name = p + 1;
/* Last but not least, some validity checks on the name style. */ /* Last but not least, some validity checks on the name style. */
switch (nstyle) if (!fq_name)
{ {
case name_only:
/* name_only account must start with S-1-5-21 */
if (sid_id_auth (sid) != 5 /* SECURITY_NT_AUTHORITY */
|| sid_sub_auth (sid, 0) != SECURITY_NT_NON_UNIQUE)
{
debug_printf ("Invalid account name <%s> (name only/"
"not NON_UNIQUE)", arg.name);
return NULL;
}
/* name_only only if db_prefix is auto. */ /* name_only only if db_prefix is auto. */
if (!cygheap->pg.nss_prefix_auto ()) if (!cygheap->pg.nss_prefix_auto ())
{ {
@ -1308,25 +1310,30 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
"db_prefix not auto)", arg.name); "db_prefix not auto)", arg.name);
return NULL; return NULL;
} }
break; /* name_only account is either builtin or primary domain, or
case plus_prepended: account domain on non-domain machines. */
/* plus_prepended account must not start with S-1-5-21. */
if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */ if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
&& sid_sub_auth (sid, 0) == SECURITY_NT_NON_UNIQUE) && sid_sub_auth (sid, 0) == SECURITY_NT_NON_UNIQUE)
{ {
debug_printf ("Invalid account name <%s> (plus prependend/" if (cygheap->dom.member_machine ())
"NON_UNIQUE)", arg.name); {
return NULL; if (wcscasecmp (dom, cygheap->dom.primary_flat_name ()) != 0)
{
debug_printf ("Invalid account name <%s> (name only/"
"non primary on domain machine)", arg.name);
return NULL;
}
}
else if (wcscasecmp (dom, cygheap->dom.account_flat_name ()) != 0)
{
debug_printf ("Invalid account name <%s> (name only/"
"non machine on non-domain machine)", arg.name);
return NULL;
}
} }
/* plus_prepended only if db_prefix is not always. */ }
if (cygheap->pg.nss_prefix_always ()) else
{ {
debug_printf ("Invalid account name <%s> (plus prependend/"
"db_prefix not always)", arg.name);
return NULL;
}
break;
case fully_qualified:
/* All is well if db_prefix is always. */ /* All is well if db_prefix is always. */
if (cygheap->pg.nss_prefix_always ()) if (cygheap->pg.nss_prefix_always ())
break; break;
@ -1358,7 +1365,6 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
"local account)", arg.name); "local account)", arg.name);
return NULL; return NULL;
} }
break;
} }
break; break;
case ID_arg: case ID_arg:
@ -1509,8 +1515,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
#else #else
posix_offset = 0; posix_offset = 0;
#endif #endif
name_style = (cygheap->pg.nss_prefix_always ()) ? fully_qualified fully_qualified_name = cygheap->pg.nss_prefix_always ();
: plus_prepended;
is_domain_account = false; is_domain_account = false;
} }
/* Account domain account? */ /* Account domain account? */
@ -1519,7 +1524,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
posix_offset = 0x30000; posix_offset = 0x30000;
if (cygheap->dom.member_machine () if (cygheap->dom.member_machine ()
|| !cygheap->pg.nss_prefix_auto ()) || !cygheap->pg.nss_prefix_auto ())
name_style = fully_qualified; fully_qualified_name = true;
is_domain_account = false; is_domain_account = false;
} }
/* Domain member machine? */ /* Domain member machine? */
@ -1538,14 +1543,14 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
also changed subsequent assumptions that domain is NULL also changed subsequent assumptions that domain is NULL
if it's a primary domain account. */ if it's a primary domain account. */
if (!cygheap->pg.nss_prefix_auto ()) if (!cygheap->pg.nss_prefix_auto ())
name_style = fully_qualified; fully_qualified_name = true;
} }
else else
{ {
/* No, fetch POSIX offset. */ /* No, fetch POSIX offset. */
PDS_DOMAIN_TRUSTSW td = NULL; PDS_DOMAIN_TRUSTSW td = NULL;
name_style = fully_qualified; fully_qualified_name = true;
for (ULONG idx = 0; for (ULONG idx = 0;
(td = cygheap->dom.trusted_domain (idx)); (td = cygheap->dom.trusted_domain (idx));
++idx) ++idx)
@ -1758,16 +1763,16 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
} }
break; break;
case SidTypeWellKnownGroup: case SidTypeWellKnownGroup:
name_style = (cygheap->pg.nss_prefix_always () fully_qualified_name = (cygheap->pg.nss_prefix_always ()
|| sid_id_auth (sid) == 11) /* Microsoft Account */ /* Microsoft Account */
? fully_qualified : plus_prepended; || sid_id_auth (sid) == 11);
#ifdef INTERIX_COMPATIBLE #ifdef INTERIX_COMPATIBLE
if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */ if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
&& sid_sub_auth_count (sid) > 1) && sid_sub_auth_count (sid) > 1)
{ {
uid = 0x1000 * sid_sub_auth (sid, 0) uid = 0x1000 * sid_sub_auth (sid, 0)
+ (sid_sub_auth_rid (sid) & 0xffff); + (sid_sub_auth_rid (sid) & 0xffff);
name_style = fully_qualified; fully_qualified_name = true;
} }
else else
uid = 0x10000 + 0x100 * sid_id_auth (sid) uid = 0x10000 + 0x100 * sid_id_auth (sid)
@ -1792,8 +1797,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
break; break;
case SidTypeLabel: case SidTypeLabel:
uid = 0x60000 + sid_sub_auth_rid (sid); uid = 0x60000 + sid_sub_auth_rid (sid);
name_style = (cygheap->pg.nss_prefix_always ()) ? fully_qualified fully_qualified_name = cygheap->pg.nss_prefix_always ();
: plus_prepended;
break; break;
default: default:
return NULL; return NULL;
@ -1828,7 +1832,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
wcpcpy (name = namebuf, sid_sub_auth_rid (sid) == 1 wcpcpy (name = namebuf, sid_sub_auth_rid (sid) == 1
? (PWCHAR) L"Authentication authority asserted identity" ? (PWCHAR) L"Authentication authority asserted identity"
: (PWCHAR) L"Service asserted identity"); : (PWCHAR) L"Service asserted identity");
name_style = plus_prepended; fully_qualified_name = false;
acc_type = SidTypeUnknown; acc_type = SidTypeUnknown;
} }
else if (sid_id_auth (sid) == 22) else if (sid_id_auth (sid) == 22)
@ -1843,7 +1847,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
p = wcpcpy (dom, L"Unix_"); p = wcpcpy (dom, L"Unix_");
wcpcpy (p, sid_sub_auth (sid, 0) == 1 ? L"User" : L"Group"); wcpcpy (p, sid_sub_auth (sid, 0) == 1 ? L"User" : L"Group");
__small_swprintf (name = namebuf, L"%d", uid & UNIX_POSIX_MASK); __small_swprintf (name = namebuf, L"%d", uid & UNIX_POSIX_MASK);
name_style = fully_qualified; fully_qualified_name = true;
acc_type = SidTypeUnknown; acc_type = SidTypeUnknown;
} }
else else
@ -1885,7 +1889,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
wcpcpy (dom, L"Unknown"); wcpcpy (dom, L"Unknown");
wcpcpy (name = namebuf, is_group () ? L"Group" : L"User"); wcpcpy (name = namebuf, is_group () ? L"Group" : L"User");
} }
name_style = fully_qualified; fully_qualified_name = true;
acc_type = SidTypeUnknown; acc_type = SidTypeUnknown;
} }
@ -1897,10 +1901,8 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
p = posix_name; p = posix_name;
if (gid == ILLEGAL_GID) if (gid == ILLEGAL_GID)
gid = uid; gid = uid;
if (name_style >= fully_qualified) if (fully_qualified_name)
p = wcpcpy (p, dom); p = wcpcpy (wcpcpy (p, dom), cygheap->pg.nss_separator ());
if (name_style >= plus_prepended)
p = wcpcpy (p, cygheap->pg.nss_separator ());
wcpcpy (p, name); wcpcpy (p, name);
if (is_group ()) if (is_group ())
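Review bot: In the new retry branch of the name lookup, `sys_mbstowcs (p + 1, UNLEN + 1, arg.name);` bounds the copy by `UNLEN + 1` although it starts after the primary domain's flat name and the backslash. Assuming the second argument is the destination capacity, the furthest write is DNLEN + 1 + UNLEN + 1 wide characters into the buffer `name` points at. That buffer's declaration is outside the hunks shown, so please confirm it is at least that large; otherwise a long caller-supplied `arg.name` can run past its end. The removed code used the same prepend-then-copy pattern, so this is probably already accounted for, but the requirement is worth stating at the copy, e.g. `/* name must have room for DNLEN + 1 + UNLEN + 1 wide chars here. */`, or the call could pass the remaining capacity instead of a fixed `UNLEN + 1`. The function body starts and ends outside the hunks.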