Cygwin: get_user_groups: fetch a user's group list from identification token

NetUserGetGroups and NetUserGetLocalGroups sometimes take a lot of time (up to more than 2 mins) for no apparent reason. Call s4uauth to generate an identification token for the user and fetch the group list from there. This is *much* faster. Keep the old code only for the sake of WOW64 on Vista and Windows 7, which don't implement MsV1_0S4ULogon. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2019-02-22 18:31:03 +01:00 · 2019-02-22 18:31:03 +01:00 · 649911fb40
commit 649911fb40
parent 105fbdebdd
3 changed files with 66 additions and 27 deletions
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@ -535,7 +535,6 @@ get_server_groups (cygsidlist &grp_list, PSID usersid,
 {
  WCHAR user[UNLEN + 1];
  WCHAR domain[MAX_DOMAIN_NAME_LEN + 1];
  WCHAR server[INTERNET_MAX_HOST_NAME_LENGTH + 3];
  DWORD ulen = UNLEN + 1;
  DWORD dlen = MAX_DOMAIN_NAME_LEN + 1;
  SID_NAME_USE use;
@ -546,41 +545,73 @@ get_server_groups (cygsidlist &grp_list, PSID usersid,
      return true;
    }
  grp_list *= well_known_world_sid;
  grp_list *= well_known_authenticated_users_sid;
  if (!LookupAccountSidW (NULL, usersid, user, &ulen, domain, &dlen, &use))
    {
      __seterrno ();
      return false;
    }
  /* If the SID does NOT start with S-1-5-21, the domain is some builtin
-     domain.  The search for a logon server and fetching group accounts
+     domain.  We don't fetch a group list then. */
     is moot. */
  if (sid_id_auth (usersid) == 5 /* SECURITY_NT_AUTHORITY */
-      && sid_sub_auth (usersid, 0) == SECURITY_NT_NON_UNIQUE
+      && sid_sub_auth (usersid, 0) == SECURITY_NT_NON_UNIQUE)
      && get_logon_server (domain, server, DS_IS_FLAT_NAME))
    {
-      if (check_account_disabled == CHK_DISABLED)
+      if (wincap.no_msv1_0_s4u_logon_in_wow64 ())
 	{
-	  NET_API_STATUS napi_stat;
+	  WCHAR server[INTERNET_MAX_HOST_NAME_LENGTH + 3];
 	  USER_INFO_1 *ui1;
 	  bool allow_user = false;
-	  napi_stat = NetUserGetInfo (server, user, 1, (LPBYTE *) &ui1);
+	  if (!get_logon_server (domain, server, DS_IS_FLAT_NAME))
-	  if (napi_stat == NERR_Success)
+	    return false;
-	    allow_user = !(ui1->usri1_flags & (UF_ACCOUNTDISABLE | UF_LOCKOUT));
+	  if (check_account_disabled == CHK_DISABLED)
 	  if (ui1)
 	    NetApiBufferFree (ui1);
 	  if (!allow_user)
 	    {
-	      debug_printf ("User denied: %W\\%W", domain, user);
+	      NET_API_STATUS napi_stat;
-	      set_errno (EACCES);
+	      USER_INFO_1 *ui1;
-	      return false;
+	      bool allow_user = false;
 	      napi_stat = NetUserGetInfo (server, user, 1, (LPBYTE *) &ui1);
 	      if (napi_stat == NERR_Success)
 		allow_user = !(ui1->usri1_flags & (UF_ACCOUNTDISABLE | UF_LOCKOUT));
 	      if (ui1)
 		NetApiBufferFree (ui1);
 	      if (!allow_user)
 		{
 		  debug_printf ("User denied: %W\\%W", domain, user);
 		  set_errno (EACCES);
 		  return false;
 		}
 	    }
 	  grp_list *= well_known_world_sid;
 	  grp_list *= well_known_authenticated_users_sid;
 	  get_user_groups (server, grp_list, user, domain);
 	  get_user_local_groups (domain, grp_list, user);
 	  return true;
 	}
-      get_user_groups (server, grp_list, user, domain);
+
-      get_user_local_groups (domain, grp_list, user);
+      tmp_pathbuf tp;
      HANDLE token;
      NTSTATUS status;
      PTOKEN_GROUPS groups;
      ULONG size;
      token = s4uauth (false, domain, user, status);
      if (!token)
 	return false;
      groups = (PTOKEN_GROUPS) tp.w_get ();
      status = NtQueryInformationToken (token, TokenGroups, groups,
 					2 * NT_MAX_PATH, &size);
      if (NT_SUCCESS (status))
 	for (DWORD pg = 0; pg < groups->GroupCount; ++pg)
 	  {
 	    if (groups->Groups[pg].Attributes & SE_GROUP_USE_FOR_DENY_ONLY)
 	      continue;
 	    cygpsid grpsid = groups->Groups[pg].Sid;
 	    if (sid_id_auth (grpsid) == 5 /* SECURITY_NT_AUTHORITY */
 		&& sid_sub_auth (grpsid, 0) == SECURITY_NT_NON_UNIQUE)
 	      grp_list += grpsid;
 	    else
 	      grp_list *= grpsid;
 	  }
      NtClose (token);
    }
  return true;
 }
@ -589,8 +620,6 @@ static bool
 get_initgroups_sidlist (cygsidlist &grp_list, PSID usersid, PSID pgrpsid,
 			PTOKEN_GROUPS my_grps)
 {
  grp_list *= well_known_world_sid;
  grp_list *= well_known_authenticated_users_sid;
  if (well_known_system_sid != usersid)
    get_token_group_sidlist (grp_list, my_grps);
  if (!get_server_groups (grp_list, usersid, CHK_DISABLED))
@ -605,8 +634,6 @@ static bool
 get_setgroups_sidlist (cygsidlist &tmp_list, PSID usersid,
 		       PTOKEN_GROUPS my_grps, user_groups &groups)
 {
  tmp_list *= well_known_world_sid;
  tmp_list *= well_known_authenticated_users_sid;
  get_token_group_sidlist (tmp_list, my_grps);
  if (!get_server_groups (tmp_list, usersid, CHK_DISABLED))
    return false;
--- a/winsup/cygwin/wincap.cc
+++ b/winsup/cygwin/wincap.cc
@ -39,6 +39,7 @@ wincaps wincap_vista __attribute__((section (".cygwin_dll_common"), shared)) = {
    has_posix_unlink_semantics:false,
    has_case_sensitive_dirs:false,
    has_posix_rename_semantics:false,
    no_msv1_0_s4u_logon_in_wow64:true,
  },
 };
@ -63,6 +64,7 @@ wincaps wincap_7 __attribute__((section (".cygwin_dll_common"), shared)) = {
    has_posix_unlink_semantics:false,
    has_case_sensitive_dirs:false,
    has_posix_rename_semantics:false,
    no_msv1_0_s4u_logon_in_wow64:true,
  },
 };
@ -87,6 +89,7 @@ wincaps wincap_8 __attribute__((section (".cygwin_dll_common"), shared)) = {
    has_posix_unlink_semantics:false,
    has_case_sensitive_dirs:false,
    has_posix_rename_semantics:false,
    no_msv1_0_s4u_logon_in_wow64:false,
  },
 };
@ -111,6 +114,7 @@ wincaps  wincap_10_1507 __attribute__((section (".cygwin_dll_common"), shared))
    has_posix_unlink_semantics:false,
    has_case_sensitive_dirs:false,
    has_posix_rename_semantics:false,
    no_msv1_0_s4u_logon_in_wow64:false,
  },
 };
@ -135,6 +139,7 @@ wincaps wincap_10_1511 __attribute__((section (".cygwin_dll_common"), shared)) =
    has_posix_unlink_semantics:false,
    has_case_sensitive_dirs:false,
    has_posix_rename_semantics:false,
    no_msv1_0_s4u_logon_in_wow64:false,
  },
 };
@ -159,6 +164,7 @@ wincaps wincap_10_1703 __attribute__((section (".cygwin_dll_common"), shared)) =
    has_posix_unlink_semantics:false,
    has_case_sensitive_dirs:false,
    has_posix_rename_semantics:false,
    no_msv1_0_s4u_logon_in_wow64:false,
  },
 };
@ -183,6 +189,7 @@ wincaps wincap_10_1709 __attribute__((section (".cygwin_dll_common"), shared)) =
    has_posix_unlink_semantics:true,
    has_case_sensitive_dirs:false,
    has_posix_rename_semantics:false,
    no_msv1_0_s4u_logon_in_wow64:false,
  },
 };
@ -207,6 +214,7 @@ wincaps wincap_10_1803 __attribute__((section (".cygwin_dll_common"), shared)) =
    has_posix_unlink_semantics:true,
    has_case_sensitive_dirs:true,
    has_posix_rename_semantics:false,
    no_msv1_0_s4u_logon_in_wow64:false,
  },
 };
@ -231,6 +239,7 @@ wincaps wincap_10_1809 __attribute__((section (".cygwin_dll_common"), shared)) =
    has_posix_unlink_semantics:true,
    has_case_sensitive_dirs:true,
    has_posix_rename_semantics:true,
    no_msv1_0_s4u_logon_in_wow64:true,
  },
 };
@ -303,6 +312,7 @@ wincapc::init ()
      ((wincaps *)caps)->needs_count_in_si_lpres2 = false;
      ((wincaps *)caps)->has_gaa_largeaddress_bug = false;
      ((wincaps *)caps)->has_broken_prefetchvm = false;
      ((wincaps *)caps)->no_msv1_0_s4u_logon_in_wow64 = false;
    }
  __small_sprintf (osnam, "NT-%d.%d", version.dwMajorVersion,
--- a/winsup/cygwin/wincap.h
+++ b/winsup/cygwin/wincap.h
@ -33,6 +33,7 @@ struct wincaps
    unsigned has_posix_unlink_semantics		: 1;
    unsigned has_case_sensitive_dirs		: 1;
    unsigned has_posix_rename_semantics		: 1;
    unsigned no_msv1_0_s4u_logon_in_wow64	: 1;
  };
 };
@ -87,6 +88,7 @@ public:
  bool	IMPLEMENT (has_posix_unlink_semantics)
  bool	IMPLEMENT (has_case_sensitive_dirs)
  bool	IMPLEMENT (has_posix_rename_semantics)
  bool	IMPLEMENT (no_msv1_0_s4u_logon_in_wow64)
  void disable_case_sensitive_dirs ()
  {