* uinfo.cc (pwdgrp::fetch_account_from_windows): Drop "plus_prepended"
as naming style. Drop enum name_style_t, use a boolean "fully_qualified_name" value instead. Rework function to drop "plus_prepended" handling througout and default to "name only" style as replacement.
This commit is contained in:
parent
c0a211cc3e
commit
64665f459e
@ -1,3 +1,11 @@
|
|||||||
|
2014-08-04 Corinna Vinschen <corinna@vinschen.de>
|
||||||
|
|
||||||
|
* uinfo.cc (pwdgrp::fetch_account_from_windows): Drop "plus_prepended"
|
||||||
|
as naming style. Drop enum name_style_t, use a boolean
|
||||||
|
"fully_qualified_name" value instead. Rework function to drop
|
||||||
|
"plus_prepended" handling througout and default to "name only" style
|
||||||
|
as replacement.
|
||||||
|
|
||||||
2014-07-31 Eric Blake <eblake@redhat.com>
|
2014-07-31 Eric Blake <eblake@redhat.com>
|
||||||
|
|
||||||
* include/pthread.h: Decorate attribute names with __, for
|
* include/pthread.h: Decorate attribute names with __, for
|
||||||
|
@ -1199,11 +1199,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
|
|||||||
SID_NAME_USE acc_type;
|
SID_NAME_USE acc_type;
|
||||||
BOOL ret = false;
|
BOOL ret = false;
|
||||||
/* Cygwin user name style. */
|
/* Cygwin user name style. */
|
||||||
enum name_style_t {
|
bool fully_qualified_name = false;
|
||||||
name_only,
|
|
||||||
plus_prepended,
|
|
||||||
fully_qualified
|
|
||||||
} name_style = name_only;
|
|
||||||
/* Computed stuff. */
|
/* Computed stuff. */
|
||||||
uid_t uid = ILLEGAL_UID;
|
uid_t uid = ILLEGAL_UID;
|
||||||
gid_t gid = ILLEGAL_GID;
|
gid_t gid = ILLEGAL_GID;
|
||||||
@ -1261,46 +1257,52 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
|
|||||||
standalone machine, or the username must be from the primary domain.
|
standalone machine, or the username must be from the primary domain.
|
||||||
In the latter case, prepend the primary domain name so as not to
|
In the latter case, prepend the primary domain name so as not to
|
||||||
collide with an account from the account domain with the same name. */
|
collide with an account from the account domain with the same name. */
|
||||||
name_style_t nstyle;
|
bool fq_name;
|
||||||
|
|
||||||
nstyle = name_only;
|
fq_name = false;
|
||||||
p = name;
|
/* Copy over to wchar for search. */
|
||||||
if (*arg.name == cygheap->pg.nss_separator ()[0])
|
sys_mbstowcs (name, UNLEN + 1, arg.name);
|
||||||
nstyle = plus_prepended;
|
|
||||||
else if (strchr (arg.name, cygheap->pg.nss_separator ()[0]))
|
|
||||||
nstyle = fully_qualified;
|
|
||||||
else if (cygheap->dom.member_machine ())
|
|
||||||
p = wcpcpy (wcpcpy (p, cygheap->dom.primary_flat_name ()),
|
|
||||||
cygheap->pg.nss_separator ());
|
|
||||||
/* Now fill up with name to search. */
|
|
||||||
sys_mbstowcs (p, UNLEN + 1,
|
|
||||||
arg.name + (nstyle == plus_prepended ? 1 : 0));
|
|
||||||
/* Replace domain separator char with backslash and make sure p is NULL
|
/* Replace domain separator char with backslash and make sure p is NULL
|
||||||
or points to the backslash, so... */
|
or points to the backslash, so... */
|
||||||
if ((p = wcschr (name, cygheap->pg.nss_separator ()[0])))
|
if ((p = wcschr (name, cygheap->pg.nss_separator ()[0])))
|
||||||
*p = L'\\';
|
{
|
||||||
|
fq_name = true;
|
||||||
|
*p = L'\\';
|
||||||
|
}
|
||||||
sid = csid;
|
sid = csid;
|
||||||
ret = LookupAccountNameW (NULL, name, sid, &slen, dom, &dlen, &acc_type);
|
ret = LookupAccountNameW (NULL, name, sid, &slen, dom, &dlen, &acc_type);
|
||||||
|
/* If this is a name-only S-1-5-21 account *and* it's a machine account
|
||||||
|
on a domain member machine, then we found the wrong one. Another
|
||||||
|
weird, but perfectly valid case is, if the group name is identical
|
||||||
|
to the domain name. Try again with domain name prepended. */
|
||||||
|
if (ret
|
||||||
|
&& !fq_name
|
||||||
|
&& sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
|
||||||
|
&& sid_sub_auth (sid, 0) == SECURITY_NT_NON_UNIQUE
|
||||||
|
&& cygheap->dom.member_machine ()
|
||||||
|
&& (wcscasecmp (dom, cygheap->dom.account_flat_name ()) == 0
|
||||||
|
|| acc_type == SidTypeDomain))
|
||||||
|
{
|
||||||
|
p = wcpcpy (name, cygheap->dom.primary_flat_name ());
|
||||||
|
*p = L'\\';
|
||||||
|
sys_mbstowcs (p + 1, UNLEN + 1, arg.name);
|
||||||
|
slen = SECURITY_MAX_SID_SIZE;
|
||||||
|
dlen = DNLEN + 1;
|
||||||
|
sid = csid;
|
||||||
|
ret = LookupAccountNameW (NULL, name, sid, &slen, dom, &dlen,
|
||||||
|
&acc_type);
|
||||||
|
}
|
||||||
if (!ret)
|
if (!ret)
|
||||||
{
|
{
|
||||||
debug_printf ("LookupAccountNameW (%W), %E", name);
|
debug_printf ("LookupAccountNameW (%W), %E", name);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
/* ... we can skip the backslash in the rest of this function. */
|
/* We can skip the backslash in the rest of this function. */
|
||||||
if (p)
|
if (p)
|
||||||
name = p + 1;
|
name = p + 1;
|
||||||
/* Last but not least, some validity checks on the name style. */
|
/* Last but not least, some validity checks on the name style. */
|
||||||
switch (nstyle)
|
if (!fq_name)
|
||||||
{
|
{
|
||||||
case name_only:
|
|
||||||
/* name_only account must start with S-1-5-21 */
|
|
||||||
if (sid_id_auth (sid) != 5 /* SECURITY_NT_AUTHORITY */
|
|
||||||
|| sid_sub_auth (sid, 0) != SECURITY_NT_NON_UNIQUE)
|
|
||||||
{
|
|
||||||
debug_printf ("Invalid account name <%s> (name only/"
|
|
||||||
"not NON_UNIQUE)", arg.name);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
/* name_only only if db_prefix is auto. */
|
/* name_only only if db_prefix is auto. */
|
||||||
if (!cygheap->pg.nss_prefix_auto ())
|
if (!cygheap->pg.nss_prefix_auto ())
|
||||||
{
|
{
|
||||||
@ -1308,25 +1310,30 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
|
|||||||
"db_prefix not auto)", arg.name);
|
"db_prefix not auto)", arg.name);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
break;
|
/* name_only account is either builtin or primary domain, or
|
||||||
case plus_prepended:
|
account domain on non-domain machines. */
|
||||||
/* plus_prepended account must not start with S-1-5-21. */
|
|
||||||
if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
|
if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
|
||||||
&& sid_sub_auth (sid, 0) == SECURITY_NT_NON_UNIQUE)
|
&& sid_sub_auth (sid, 0) == SECURITY_NT_NON_UNIQUE)
|
||||||
{
|
{
|
||||||
debug_printf ("Invalid account name <%s> (plus prependend/"
|
if (cygheap->dom.member_machine ())
|
||||||
"NON_UNIQUE)", arg.name);
|
{
|
||||||
return NULL;
|
if (wcscasecmp (dom, cygheap->dom.primary_flat_name ()) != 0)
|
||||||
|
{
|
||||||
|
debug_printf ("Invalid account name <%s> (name only/"
|
||||||
|
"non primary on domain machine)", arg.name);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if (wcscasecmp (dom, cygheap->dom.account_flat_name ()) != 0)
|
||||||
|
{
|
||||||
|
debug_printf ("Invalid account name <%s> (name only/"
|
||||||
|
"non machine on non-domain machine)", arg.name);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
/* plus_prepended only if db_prefix is not always. */
|
}
|
||||||
if (cygheap->pg.nss_prefix_always ())
|
else
|
||||||
{
|
{
|
||||||
debug_printf ("Invalid account name <%s> (plus prependend/"
|
|
||||||
"db_prefix not always)", arg.name);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case fully_qualified:
|
|
||||||
/* All is well if db_prefix is always. */
|
/* All is well if db_prefix is always. */
|
||||||
if (cygheap->pg.nss_prefix_always ())
|
if (cygheap->pg.nss_prefix_always ())
|
||||||
break;
|
break;
|
||||||
@ -1358,7 +1365,6 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
|
|||||||
"local account)", arg.name);
|
"local account)", arg.name);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
break;
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case ID_arg:
|
case ID_arg:
|
||||||
@ -1509,8 +1515,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
|
|||||||
#else
|
#else
|
||||||
posix_offset = 0;
|
posix_offset = 0;
|
||||||
#endif
|
#endif
|
||||||
name_style = (cygheap->pg.nss_prefix_always ()) ? fully_qualified
|
fully_qualified_name = cygheap->pg.nss_prefix_always ();
|
||||||
: plus_prepended;
|
|
||||||
is_domain_account = false;
|
is_domain_account = false;
|
||||||
}
|
}
|
||||||
/* Account domain account? */
|
/* Account domain account? */
|
||||||
@ -1519,7 +1524,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
|
|||||||
posix_offset = 0x30000;
|
posix_offset = 0x30000;
|
||||||
if (cygheap->dom.member_machine ()
|
if (cygheap->dom.member_machine ()
|
||||||
|| !cygheap->pg.nss_prefix_auto ())
|
|| !cygheap->pg.nss_prefix_auto ())
|
||||||
name_style = fully_qualified;
|
fully_qualified_name = true;
|
||||||
is_domain_account = false;
|
is_domain_account = false;
|
||||||
}
|
}
|
||||||
/* Domain member machine? */
|
/* Domain member machine? */
|
||||||
@ -1538,14 +1543,14 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
|
|||||||
also changed subsequent assumptions that domain is NULL
|
also changed subsequent assumptions that domain is NULL
|
||||||
if it's a primary domain account. */
|
if it's a primary domain account. */
|
||||||
if (!cygheap->pg.nss_prefix_auto ())
|
if (!cygheap->pg.nss_prefix_auto ())
|
||||||
name_style = fully_qualified;
|
fully_qualified_name = true;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
/* No, fetch POSIX offset. */
|
/* No, fetch POSIX offset. */
|
||||||
PDS_DOMAIN_TRUSTSW td = NULL;
|
PDS_DOMAIN_TRUSTSW td = NULL;
|
||||||
|
|
||||||
name_style = fully_qualified;
|
fully_qualified_name = true;
|
||||||
for (ULONG idx = 0;
|
for (ULONG idx = 0;
|
||||||
(td = cygheap->dom.trusted_domain (idx));
|
(td = cygheap->dom.trusted_domain (idx));
|
||||||
++idx)
|
++idx)
|
||||||
@ -1758,16 +1763,16 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case SidTypeWellKnownGroup:
|
case SidTypeWellKnownGroup:
|
||||||
name_style = (cygheap->pg.nss_prefix_always ()
|
fully_qualified_name = (cygheap->pg.nss_prefix_always ()
|
||||||
|| sid_id_auth (sid) == 11) /* Microsoft Account */
|
/* Microsoft Account */
|
||||||
? fully_qualified : plus_prepended;
|
|| sid_id_auth (sid) == 11);
|
||||||
#ifdef INTERIX_COMPATIBLE
|
#ifdef INTERIX_COMPATIBLE
|
||||||
if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
|
if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
|
||||||
&& sid_sub_auth_count (sid) > 1)
|
&& sid_sub_auth_count (sid) > 1)
|
||||||
{
|
{
|
||||||
uid = 0x1000 * sid_sub_auth (sid, 0)
|
uid = 0x1000 * sid_sub_auth (sid, 0)
|
||||||
+ (sid_sub_auth_rid (sid) & 0xffff);
|
+ (sid_sub_auth_rid (sid) & 0xffff);
|
||||||
name_style = fully_qualified;
|
fully_qualified_name = true;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
uid = 0x10000 + 0x100 * sid_id_auth (sid)
|
uid = 0x10000 + 0x100 * sid_id_auth (sid)
|
||||||
@ -1792,8 +1797,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
|
|||||||
break;
|
break;
|
||||||
case SidTypeLabel:
|
case SidTypeLabel:
|
||||||
uid = 0x60000 + sid_sub_auth_rid (sid);
|
uid = 0x60000 + sid_sub_auth_rid (sid);
|
||||||
name_style = (cygheap->pg.nss_prefix_always ()) ? fully_qualified
|
fully_qualified_name = cygheap->pg.nss_prefix_always ();
|
||||||
: plus_prepended;
|
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
return NULL;
|
return NULL;
|
||||||
@ -1828,7 +1832,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
|
|||||||
wcpcpy (name = namebuf, sid_sub_auth_rid (sid) == 1
|
wcpcpy (name = namebuf, sid_sub_auth_rid (sid) == 1
|
||||||
? (PWCHAR) L"Authentication authority asserted identity"
|
? (PWCHAR) L"Authentication authority asserted identity"
|
||||||
: (PWCHAR) L"Service asserted identity");
|
: (PWCHAR) L"Service asserted identity");
|
||||||
name_style = plus_prepended;
|
fully_qualified_name = false;
|
||||||
acc_type = SidTypeUnknown;
|
acc_type = SidTypeUnknown;
|
||||||
}
|
}
|
||||||
else if (sid_id_auth (sid) == 22)
|
else if (sid_id_auth (sid) == 22)
|
||||||
@ -1843,7 +1847,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
|
|||||||
p = wcpcpy (dom, L"Unix_");
|
p = wcpcpy (dom, L"Unix_");
|
||||||
wcpcpy (p, sid_sub_auth (sid, 0) == 1 ? L"User" : L"Group");
|
wcpcpy (p, sid_sub_auth (sid, 0) == 1 ? L"User" : L"Group");
|
||||||
__small_swprintf (name = namebuf, L"%d", uid & UNIX_POSIX_MASK);
|
__small_swprintf (name = namebuf, L"%d", uid & UNIX_POSIX_MASK);
|
||||||
name_style = fully_qualified;
|
fully_qualified_name = true;
|
||||||
acc_type = SidTypeUnknown;
|
acc_type = SidTypeUnknown;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
@ -1885,7 +1889,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
|
|||||||
wcpcpy (dom, L"Unknown");
|
wcpcpy (dom, L"Unknown");
|
||||||
wcpcpy (name = namebuf, is_group () ? L"Group" : L"User");
|
wcpcpy (name = namebuf, is_group () ? L"Group" : L"User");
|
||||||
}
|
}
|
||||||
name_style = fully_qualified;
|
fully_qualified_name = true;
|
||||||
acc_type = SidTypeUnknown;
|
acc_type = SidTypeUnknown;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1897,10 +1901,8 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
|
|||||||
p = posix_name;
|
p = posix_name;
|
||||||
if (gid == ILLEGAL_GID)
|
if (gid == ILLEGAL_GID)
|
||||||
gid = uid;
|
gid = uid;
|
||||||
if (name_style >= fully_qualified)
|
if (fully_qualified_name)
|
||||||
p = wcpcpy (p, dom);
|
p = wcpcpy (wcpcpy (p, dom), cygheap->pg.nss_separator ());
|
||||||
if (name_style >= plus_prepended)
|
|
||||||
p = wcpcpy (p, cygheap->pg.nss_separator ());
|
|
||||||
wcpcpy (p, name);
|
wcpcpy (p, name);
|
||||||
|
|
||||||
if (is_group ())
|
if (is_group ())
|
||||||
|
Loading…
x
Reference in New Issue
Block a user