JehanneOS/newlib
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Change length for domain buffers from INTERNET_MAX_HOST_NAME_LENGTH to

Browse Source 
MAX_DOMAIN_NAME_LEN throughout.
	* cyglsa.h (CYG_LSA_MAGIC): New value.
	(cyglsa_t): Define username and domain as WCHAR arrays.
	* errno.cc (errmap): Add mapping for ERROR_NONE_MAPPED.
	* sec_auth.cc: Drop 'w' prefix from WCHAR string variable names where
	appropriate.
	(extract_nt_dom_user): Prefer resolving by SID before resolving by
	domain\name pair.
	(cygwin_logon_user): Don't print cleartext password in debug output.
	Change comment.
	(get_user_groups): Revert calls to LookupAccountNameW to use NULL
	server instead of explicit server name, according to MSDN.
	(get_user_local_groups): Ditto.
	(get_server_groups): Fetch domain and user name from usersid per
	LookupAccountSidW instead of calling extract_nt_dom_user.
	(lsaauth): Fetch domain and user name from usersid per LookupAccountSidW
	instead of calling extract_nt_dom_user.
	* sec_helper.cc (cygpriv): Convert to wchar_t pointer array.
	(privilege_luid): Convert first parameter to  PWCHAR.
	(privilege_name): Return wchar_t pointer.
	(set_privileges): Accommodate debug output.
	* security.h (privilege_luid): Change prototype accordingly.
This commit is contained in:
Corinna Vinschen 2008-07-11 10:00:36 +00:00
parent 186a804c15
commit 9a51257715
7 changed files with 135 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
winsup/cygwin/ChangeLog
View File

@ -1,3 +1,29 @@
2008-07-11 Corinna Vinschen <corinna@vinschen.de>
Change length for domain buffers from INTERNET_MAX_HOST_NAME_LENGTH to
MAX_DOMAIN_NAME_LEN throughout.
* cyglsa.h (CYG_LSA_MAGIC): New value.
(cyglsa_t): Define username and domain as WCHAR arrays.
* errno.cc (errmap): Add mapping for ERROR_NONE_MAPPED.
* sec_auth.cc: Drop 'w' prefix from WCHAR string variable names where
appropriate.
(extract_nt_dom_user): Prefer resolving by SID before resolving by
domain\name pair.
(cygwin_logon_user): Don't print cleartext password in debug output.
Change comment.
(get_user_groups): Revert calls to LookupAccountNameW to use NULL
server instead of explicit server name, according to MSDN.
(get_user_local_groups): Ditto.
(get_server_groups): Fetch domain and user name from usersid per
LookupAccountSidW instead of calling extract_nt_dom_user.
(lsaauth): Fetch domain and user name from usersid per LookupAccountSidW
instead of calling extract_nt_dom_user.
* sec_helper.cc (cygpriv): Convert to wchar_t pointer array.
(privilege_luid): Convert first parameter to PWCHAR.
(privilege_name): Return wchar_t pointer.
(set_privileges): Accommodate debug output.
* security.h (privilege_luid): Change prototype accordingly.
2008-07-10 Corinna Vinschen <corinna@vinschen.de> 2008-07-10 Corinna Vinschen <corinna@vinschen.de>
* cyglsa.h (SECURITY_STRING): Define. * cyglsa.h (SECURITY_STRING): Define.

10
winsup/cygwin/cyglsa.h
View File

@ -18,7 +18,11 @@ extern "C" {
#define CYG_LSA_PKGNAME "CygwinLsa" #define CYG_LSA_PKGNAME "CygwinLsa"
#define CYG_LSA_MAGIC 0x0379f014LU #define CYG_LSA_MAGIC_OLD1 0x0379f014LU
/* First change to cyglsa_t.
- Username and domain are now of type WCHAR instead of char.
- domain is MAX_DOMAIN_NAME_LEN instead of INTERNET_MAX_HOST_NAME_LENGTH. */
#define CYG_LSA_MAGIC 0x0379f115LU
/* Datastructures not defined in w32api. */ /* Datastructures not defined in w32api. */
typedef PVOID *PLSA_CLIENT_REQUEST; typedef PVOID *PLSA_CLIENT_REQUEST;
@ -185,8 +189,8 @@ typedef struct
{ {
DWORD magic; DWORD magic;
DWORD checksum; DWORD checksum;
CHAR username[UNLEN + 1]; WCHAR username[UNLEN + 1];
CHAR domain[INTERNET_MAX_HOST_NAME_LENGTH + 1]; WCHAR domain[MAX_DOMAIN_NAME_LEN + 1];
ULONG inf_size; ULONG inf_size;
CYG_LSA_TOKEN_INFORMATION inf; CYG_LSA_TOKEN_INFORMATION inf;
BYTE data[1]; BYTE data[1];

1
winsup/cygwin/errno.cc
View File

@ -95,6 +95,7 @@ static NO_COPY struct
X (NETNAME_DELETED, ENOSHARE), X (NETNAME_DELETED, ENOSHARE),
X (NOACCESS, EFAULT), X (NOACCESS, EFAULT),
X (NONPAGED_SYSTEM_RESOURCES, EAGAIN), X (NONPAGED_SYSTEM_RESOURCES, EAGAIN),
X (NONE_MAPPED, EINVAL),
X (NOT_CONNECTED, ENOLINK), X (NOT_CONNECTED, ENOLINK),
X (NOT_ENOUGH_MEMORY, ENOMEM), X (NOT_ENOUGH_MEMORY, ENOMEM),
X (NOT_OWNER, EPERM), X (NOT_OWNER, EPERM),

161
winsup/cygwin/sec_auth.cc
View File

@ -22,7 +22,8 @@ details. */
#include "dtable.h" #include "dtable.h"
#include "cygheap.h" #include "cygheap.h"
#include "ntdll.h" #include "ntdll.h"
#include "lm.h" #include <lm.h>
#include <iptypes.h>
#include "pwdgrp.h" #include "pwdgrp.h"
#include "cyglsa.h" #include "cyglsa.h"
#include <cygwin/version.h> #include <cygwin/version.h>
@ -37,32 +38,32 @@ cygwin_set_impersonation_token (const HANDLE hToken)
void void
extract_nt_dom_user (const struct passwd *pw, char *domain, char *user) extract_nt_dom_user (const struct passwd *pw, char *domain, char *user)
{ {
char *d, *u, *c;
domain[0] = 0; cygsid psid;
strlcpy (user, pw->pw_name, UNLEN + 1); DWORD ulen = UNLEN + 1;
DWORD dlen = MAX_DOMAIN_NAME_LEN + 1;
SID_NAME_USE use;
debug_printf ("pw_gecos %x (%s)", pw->pw_gecos, pw->pw_gecos); debug_printf ("pw_gecos %x (%s)", pw->pw_gecos, pw->pw_gecos);
if (psid.getfrompw (pw)
&& LookupAccountSid (NULL, psid, user, &ulen, domain, &dlen, &use))
return;
char *d, *u, *c;
domain[0] = '\0';
strlcpy (user, pw->pw_name, UNLEN + 1);
if ((d = strstr (pw->pw_gecos, "U-")) != NULL && if ((d = strstr (pw->pw_gecos, "U-")) != NULL &&
(d == pw->pw_gecos || d[-1] == ',')) (d == pw->pw_gecos || d[-1] == ','))
{ {
c = strechr (d + 2, ','); c = strechr (d + 2, ',');
if ((u = strechr (d + 2, '\\')) >= c) if ((u = strechr (d + 2, '\\')) >= c)
u = d + 1; u = d + 1;
else if (u - d <= INTERNET_MAX_HOST_NAME_LENGTH + 2) else if (u - d <= MAX_DOMAIN_NAME_LEN + 2)
strlcpy (domain, d + 2, u - d - 1); strlcpy (domain, d + 2, u - d - 1);
if (c - u <= UNLEN + 1) if (c - u <= UNLEN + 1)
strlcpy (user, u + 1, c - u); strlcpy (user, u + 1, c - u);
} }
if (domain[0])
return;
cygsid psid;
DWORD ulen = UNLEN + 1;
DWORD dlen = INTERNET_MAX_HOST_NAME_LENGTH + 1;
SID_NAME_USE use;
if (psid.getfrompw (pw))
LookupAccountSid (NULL, psid, user, &ulen, domain, &dlen, &use);
} }
extern "C" HANDLE extern "C" HANDLE
@ -74,15 +75,15 @@ cygwin_logon_user (const struct passwd *pw, const char *password)
return INVALID_HANDLE_VALUE; return INVALID_HANDLE_VALUE;
} }
char nt_domain[INTERNET_MAX_HOST_NAME_LENGTH + 1]; char nt_domain[MAX_DOMAIN_NAME_LEN + 1];
char nt_user[UNLEN + 1]; char nt_user[UNLEN + 1];
HANDLE hToken; HANDLE hToken;
extract_nt_dom_user (pw, nt_domain, nt_user); extract_nt_dom_user (pw, nt_domain, nt_user);
debug_printf ("LogonUserA (%s, %s, %s, ...)", nt_user, nt_domain, password); debug_printf ("LogonUserA (%s, %s, ...)", nt_user, nt_domain);
/* CV 2005-06-08: LogonUser should run under the primary process token, /* CV 2005-06-08: LogonUser should run under the primary process token,
otherwise it returns with ERROR_ACCESS_DENIED on W2K. Don't ask me why. */ otherwise it returns with ERROR_ACCESS_DENIED. */
RevertToSelf (); cygheap->user.deimpersonate ();
if (!LogonUserA (nt_user, *nt_domain ? nt_domain : NULL, (char *) password, if (!LogonUserA (nt_user, *nt_domain ? nt_domain : NULL, (char *) password,
LOGON32_LOGON_INTERACTIVE, LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT, LOGON32_PROVIDER_DEFAULT,
@ -167,43 +168,43 @@ close_local_policy (LSA_HANDLE &lsa)
} }
bool bool
get_logon_server (PWCHAR wdomain, WCHAR *wserver, bool rediscovery) get_logon_server (PWCHAR domain, WCHAR *server, bool rediscovery)
{ {
DWORD dret; DWORD dret;
PDOMAIN_CONTROLLER_INFOW pci; PDOMAIN_CONTROLLER_INFOW pci;
WCHAR *buf; WCHAR *buf;
DWORD size = INTERNET_MAX_HOST_NAME_LENGTH + 1; DWORD size = MAX_COMPUTERNAME_LENGTH + 1;
/* Empty domain is interpreted as local system */ /* Empty domain is interpreted as local system */
if ((GetComputerNameW (wserver + 2, &size)) && if ((GetComputerNameW (server + 2, &size)) &&
(!wcscasecmp (wdomain, wserver + 2) || !wdomain[0])) (!wcscasecmp (domain, server + 2) || !domain[0]))
{ {
wserver[0] = wserver[1] = L'\\'; server[0] = server[1] = L'\\';
return true; return true;
} }
/* Try to get any available domain controller for this domain */ /* Try to get any available domain controller for this domain */
dret = DsGetDcNameW (NULL, wdomain, NULL, NULL, dret = DsGetDcNameW (NULL, domain, NULL, NULL,
rediscovery ? DS_FORCE_REDISCOVERY : 0, &pci); rediscovery ? DS_FORCE_REDISCOVERY : 0, &pci);
if (dret == ERROR_SUCCESS) if (dret == ERROR_SUCCESS)
{ {
wcscpy (wserver, pci->DomainControllerName); wcscpy (server, pci->DomainControllerName);
NetApiBufferFree (pci); NetApiBufferFree (pci);
debug_printf ("DC: rediscovery: %d, server: %W", rediscovery, wserver); debug_printf ("DC: rediscovery: %d, server: %W", rediscovery, server);
return true; return true;
} }
else if (dret == ERROR_PROC_NOT_FOUND) else if (dret == ERROR_PROC_NOT_FOUND)
{ {
/* NT4 w/o DSClient */ /* NT4 w/o DSClient */
if (rediscovery) if (rediscovery)
dret = NetGetAnyDCName (NULL, wdomain, (LPBYTE *) &buf); dret = NetGetAnyDCName (NULL, domain, (LPBYTE *) &buf);
else else
dret = NetGetDCName (NULL, wdomain, (LPBYTE *) &buf); dret = NetGetDCName (NULL, domain, (LPBYTE *) &buf);
if (dret == NERR_Success) if (dret == NERR_Success)
{ {
wcscpy (wserver, buf); wcscpy (server, buf);
NetApiBufferFree (buf); NetApiBufferFree (buf);
debug_printf ("NT: rediscovery: %d, server: %W", rediscovery, wserver); debug_printf ("NT: rediscovery: %d, server: %W", rediscovery, server);
return true; return true;
} }
} }
@ -212,16 +213,16 @@ get_logon_server (PWCHAR wdomain, WCHAR *wserver, bool rediscovery)
} }
static bool static bool
get_user_groups (WCHAR *wlogonserver, cygsidlist &grp_list, get_user_groups (WCHAR *logonserver, cygsidlist &grp_list,
PWCHAR wuser, PWCHAR wdomain) PWCHAR user, PWCHAR domain)
{ {
WCHAR dgroup[INTERNET_MAX_HOST_NAME_LENGTH + GNLEN + 2]; WCHAR dgroup[MAX_DOMAIN_NAME_LEN + GNLEN + 2];
LPGROUP_USERS_INFO_0 buf; LPGROUP_USERS_INFO_0 buf;
DWORD cnt, tot, len; DWORD cnt, tot, len;
NET_API_STATUS ret; NET_API_STATUS ret;
/* Look only on logonserver */ /* Look only on logonserver */
ret = NetUserGetGroups (wlogonserver, wuser, 0, (LPBYTE *) &buf, ret = NetUserGetGroups (logonserver, user, 0, (LPBYTE *) &buf,
MAX_PREFERRED_LENGTH, &cnt, &tot); MAX_PREFERRED_LENGTH, &cnt, &tot);
if (ret) if (ret)
{ {
@ -230,26 +231,25 @@ get_user_groups (WCHAR *wlogonserver, cygsidlist &grp_list,
return ret == NERR_UserNotFound; return ret == NERR_UserNotFound;
} }
len = wcslen (wdomain); len = wcslen (domain);
wcscpy (dgroup, wdomain); wcscpy (dgroup, domain);
dgroup[len++] = L'\\'; dgroup[len++] = L'\\';
for (DWORD i = 0; i < cnt; ++i) for (DWORD i = 0; i < cnt; ++i)
{ {
cygsid gsid; cygsid gsid;
DWORD glen = MAX_SID_LEN; DWORD glen = MAX_SID_LEN;
WCHAR domain[INTERNET_MAX_HOST_NAME_LENGTH + 1]; WCHAR dom[MAX_DOMAIN_NAME_LEN + 1];
DWORD dlen = sizeof (domain); DWORD dlen = sizeof (dom);
SID_NAME_USE use = SidTypeInvalid; SID_NAME_USE use = SidTypeInvalid;
wcscpy (dgroup + len, buf[i].grui0_name); wcscpy (dgroup + len, buf[i].grui0_name);
if (!LookupAccountNameW (wlogonserver, dgroup, gsid, &glen, if (!LookupAccountNameW (NULL, dgroup, gsid, &glen, dom, &dlen, &use))
domain, &dlen, &use)) debug_printf ("LookupAccountName(%W), %E", dgroup);
debug_printf ("LookupAccountName(%s), %E", dgroup);
else if (legal_sid_type (use)) else if (legal_sid_type (use))
grp_list += gsid; grp_list += gsid;
else else
debug_printf ("Global group %s invalid. Use: %d", dgroup, use); debug_printf ("Global group %W invalid. Use: %d", dgroup, use);
} }
NetApiBufferFree (buf); NetApiBufferFree (buf);
@ -257,7 +257,7 @@ get_user_groups (WCHAR *wlogonserver, cygsidlist &grp_list,
} }
static bool static bool
is_group_member (PWCHAR wlogonserver, PWCHAR wgroup, PSID pusersid, is_group_member (PWCHAR logonserver, PWCHAR group, PSID pusersid,
cygsidlist &grp_list) cygsidlist &grp_list)
{ {
LPLOCALGROUP_MEMBERS_INFO_1 buf; LPLOCALGROUP_MEMBERS_INFO_1 buf;
@ -265,7 +265,7 @@ is_group_member (PWCHAR wlogonserver, PWCHAR wgroup, PSID pusersid,
NET_API_STATUS ret; NET_API_STATUS ret;
/* Members can be users or global groups */ /* Members can be users or global groups */
ret = NetLocalGroupGetMembers (wlogonserver, wgroup, 1, (LPBYTE *) &buf, ret = NetLocalGroupGetMembers (logonserver, group, 1, (LPBYTE *) &buf,
MAX_PREFERRED_LENGTH, &cnt, &tot, NULL); MAX_PREFERRED_LENGTH, &cnt, &tot, NULL);
if (ret) if (ret)
return false; return false;
@ -301,14 +301,14 @@ is_group_member (PWCHAR wlogonserver, PWCHAR wgroup, PSID pusersid,
} }
static bool static bool
get_user_local_groups (PWCHAR wlogonserver, PWCHAR wdomain, get_user_local_groups (PWCHAR logonserver, PWCHAR domain,
cygsidlist &grp_list, PSID pusersid) cygsidlist &grp_list, PSID pusersid)
{ {
LPLOCALGROUP_INFO_0 buf; LPLOCALGROUP_INFO_0 buf;
DWORD cnt, tot; DWORD cnt, tot;
NET_API_STATUS ret; NET_API_STATUS ret;
ret = NetLocalGroupEnum (wlogonserver, 0, (LPBYTE *) &buf, ret = NetLocalGroupEnum (logonserver, 0, (LPBYTE *) &buf,
MAX_PREFERRED_LENGTH, &cnt, &tot, NULL); MAX_PREFERRED_LENGTH, &cnt, &tot, NULL);
if (ret) if (ret)
{ {
@ -316,33 +316,33 @@ get_user_local_groups (PWCHAR wlogonserver, PWCHAR wdomain,
return false; return false;
} }
WCHAR domlocal_grp[INTERNET_MAX_HOST_NAME_LENGTH + GNLEN + 2]; WCHAR domlocal_grp[MAX_DOMAIN_NAME_LEN + GNLEN + 2];
WCHAR builtin_grp[sizeof ("BUILTIN\\") + GNLEN + 2]; WCHAR builtin_grp[sizeof ("BUILTIN\\") + GNLEN + 2];
PWCHAR dg_ptr, bg_ptr; PWCHAR dg_ptr, bg_ptr;
SID_NAME_USE use; SID_NAME_USE use;
dg_ptr = wcpcpy (domlocal_grp, wdomain); dg_ptr = wcpcpy (domlocal_grp, domain);
*dg_ptr++ = L'\\'; *dg_ptr++ = L'\\';
bg_ptr = wcpcpy (builtin_grp, L"BUILTIN\\"); bg_ptr = wcpcpy (builtin_grp, L"BUILTIN\\");
for (DWORD i = 0; i < cnt; ++i) for (DWORD i = 0; i < cnt; ++i)
if (is_group_member (wlogonserver, buf[i].lgrpi0_name, pusersid, grp_list)) if (is_group_member (logonserver, buf[i].lgrpi0_name, pusersid, grp_list))
{ {
cygsid gsid; cygsid gsid;
DWORD glen = MAX_SID_LEN; DWORD glen = MAX_SID_LEN;
WCHAR dom[INTERNET_MAX_HOST_NAME_LENGTH + 1]; WCHAR dom[MAX_DOMAIN_NAME_LEN + 1];
DWORD domlen = sizeof (dom); DWORD domlen = sizeof (dom);
bool builtin = false; bool builtin = false;
use = SidTypeInvalid; use = SidTypeInvalid;
wcscpy (dg_ptr, buf[i].lgrpi0_name); wcscpy (dg_ptr, buf[i].lgrpi0_name);
if (!LookupAccountNameW (wlogonserver, domlocal_grp, gsid, &glen, if (!LookupAccountNameW (NULL, domlocal_grp, gsid, &glen,
dom, &domlen, &use)) dom, &domlen, &use))
{ {
if (GetLastError () != ERROR_NONE_MAPPED) if (GetLastError () != ERROR_NONE_MAPPED)
debug_printf ("LookupAccountName(%W), %E", domlocal_grp); debug_printf ("LookupAccountName(%W), %E", domlocal_grp);
wcscpy (bg_ptr, dg_ptr); wcscpy (bg_ptr, dg_ptr);
if (!LookupAccountNameW (wlogonserver, builtin_grp, gsid, &glen, if (!LookupAccountNameW (NULL, builtin_grp, gsid, &glen,
dom, &domlen, &use)) dom, &domlen, &use))
debug_printf ("LookupAccountName(%W), %E", builtin_grp); debug_printf ("LookupAccountName(%W), %E", builtin_grp);
builtin = true; builtin = true;
@ -431,11 +431,12 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps,
bool bool
get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw) get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw)
{ {
char user[UNLEN + 1]; WCHAR user[UNLEN + 1];
WCHAR wuser[UNLEN + 1]; WCHAR domain[MAX_DOMAIN_NAME_LEN + 1];
char domain[INTERNET_MAX_HOST_NAME_LENGTH + 1]; WCHAR server[INTERNET_MAX_HOST_NAME_LENGTH + 3];
WCHAR wdomain[INTERNET_MAX_HOST_NAME_LENGTH + 1]; DWORD ulen = UNLEN + 1;
WCHAR wserver[INTERNET_MAX_HOST_NAME_LENGTH + 3]; DWORD dlen = MAX_DOMAIN_NAME_LEN + 1;
SID_NAME_USE use;
if (well_known_system_sid == usersid) if (well_known_system_sid == usersid)
{ {
@ -446,14 +447,17 @@ get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw)
grp_list *= well_known_world_sid; grp_list *= well_known_world_sid;
grp_list *= well_known_authenticated_users_sid; grp_list *= well_known_authenticated_users_sid;
extract_nt_dom_user (pw, domain, user);
sys_mbstowcs (wdomain, INTERNET_MAX_HOST_NAME_LENGTH + 1, domain); if (!LookupAccountSidW (NULL, usersid, user, &ulen, domain, &dlen, &use))
sys_mbstowcs (wuser, UNLEN + 1, user); {
if (get_logon_server (wdomain, wserver, false) __seterrno ();
&& !get_user_groups (wserver, grp_list, wuser, wdomain) return false;
&& get_logon_server (wdomain, wserver, true)) }
get_user_groups (wserver, grp_list, wuser, wdomain); if (get_logon_server (domain, server, false)
if (get_user_local_groups (wserver, wdomain, grp_list, usersid)) && !get_user_groups (server, grp_list, user, domain)
&& get_logon_server (domain, server, true))
get_user_groups (server, grp_list, user, domain);
if (get_user_local_groups (server, domain, grp_list, usersid))
{ {
get_unix_group_sidlist (pw, grp_list); get_unix_group_sidlist (pw, grp_list);
return true; return true;
@ -564,7 +568,6 @@ get_priv_list (LSA_HANDLE lsa, cygsid &usersid, cygsidlist &grp_list,
ULONG cnt; ULONG cnt;
PTOKEN_PRIVILEGES privs = NULL; PTOKEN_PRIVILEGES privs = NULL;
NTSTATUS ret; NTSTATUS ret;
char buf[INTERNET_MAX_HOST_NAME_LENGTH + 1];
if (usersid == well_known_system_sid) if (usersid == well_known_system_sid)
return get_system_priv_list (size); return get_system_priv_list (size);
@ -587,9 +590,7 @@ get_priv_list (LSA_HANDLE lsa, cygsid &usersid, cygsidlist &grp_list,
PTOKEN_PRIVILEGES tmp; PTOKEN_PRIVILEGES tmp;
DWORD tmp_count; DWORD tmp_count;
sys_wcstombs (buf, sizeof (buf), if (!privilege_luid (privstrs[i].Buffer, &priv))
privstrs[i].Buffer, privstrs[i].Length / 2);
if (!privilege_luid (buf, &priv))
continue; continue;
if (privs) if (privs)
@ -893,7 +894,7 @@ out:
free (my_tok_gsids); free (my_tok_gsids);
close_local_policy (lsa); close_local_policy (lsa);
debug_printf ("0x%x = create_token ()", primary_token); debug_printf ("%p = create_token ()", primary_token);
return primary_token; return primary_token;
} }
@ -912,6 +913,9 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
LSA_STRING str; LSA_STRING str;
CHAR buf[16]; CHAR buf[16];
} origin; } origin;
DWORD ulen = UNLEN + 1;
DWORD dlen = MAX_DOMAIN_NAME_LEN + 1;
SID_NAME_USE use;
cyglsa_t *authinf = NULL; cyglsa_t *authinf = NULL;
ULONG authinf_size; ULONG authinf_size;
TOKEN_SOURCE ts; TOKEN_SOURCE ts;
@ -1034,7 +1038,12 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
authinf->magic = CYG_LSA_MAGIC; authinf->magic = CYG_LSA_MAGIC;
extract_nt_dom_user (pw, authinf->domain, authinf->username); if (!LookupAccountSidW (NULL, usersid, authinf->username, &ulen,
authinf->domain, &dlen, &use))
{
__seterrno ();
goto out;
}
/* Store stuff in authinf with offset relative to start of "inf" member, /* Store stuff in authinf with offset relative to start of "inf" member,
instead of using pointers. */ instead of using pointers. */
@ -1135,7 +1144,7 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
if (GetTokenInformation (user_token, TokenLinkedToken, if (GetTokenInformation (user_token, TokenLinkedToken,
(PVOID) &linked, sizeof linked, &size)) (PVOID) &linked, sizeof linked, &size))
{ {
debug_printf ("Linked Token: %lu", linked.LinkedToken); debug_printf ("Linked Token: %p", linked.LinkedToken);
if (linked.LinkedToken) if (linked.LinkedToken)
user_token = linked.LinkedToken; user_token = linked.LinkedToken;
} }
@ -1154,6 +1163,6 @@ out:
LsaDeregisterLogonProcess (lsa_hdl); LsaDeregisterLogonProcess (lsa_hdl);
pop_self_privilege (); pop_self_privilege ();
debug_printf ("0x%x = lsaauth ()", user_token); debug_printf ("%p = lsaauth ()", user_token);
return user_token; return user_token;
} }

20
winsup/cygwin/sec_helper.cc
View File

@ -13,6 +13,7 @@ details. */
#include "winsup.h" #include "winsup.h"
#include <stdlib.h> #include <stdlib.h>
#include <sys/acl.h> #include <sys/acl.h>
#include <wchar.h>
#include "cygerrno.h" #include "cygerrno.h"
#include "security.h" #include "security.h"
#include "path.h" #include "path.h"
@ -298,11 +299,14 @@ security_descriptor::free ()
sd_size = 0; sd_size = 0;
} }
#undef TEXT
#define TEXT(q) L##q
/* Index must match the correspoding foo_PRIVILEGE value, see security.h. */ /* Index must match the correspoding foo_PRIVILEGE value, see security.h. */
static const char *cygpriv[] = static const wchar_t *cygpriv[] =
{ {
"", L"",
"", L"",
SE_CREATE_TOKEN_NAME, SE_CREATE_TOKEN_NAME,
SE_ASSIGNPRIMARYTOKEN_NAME, SE_ASSIGNPRIMARYTOKEN_NAME,
SE_LOCK_MEMORY_NAME, SE_LOCK_MEMORY_NAME,
@ -340,13 +344,13 @@ static const char *cygpriv[] =
}; };
bool bool
privilege_luid (const char *pname, LUID *luid) privilege_luid (const PWCHAR pname, LUID *luid)
{ {
ULONG idx; ULONG idx;
for (idx = SE_CREATE_TOKEN_PRIVILEGE; for (idx = SE_CREATE_TOKEN_PRIVILEGE;
idx <= SE_MAX_WELL_KNOWN_PRIVILEGE; idx <= SE_MAX_WELL_KNOWN_PRIVILEGE;
++idx) ++idx)
if (!strcmp (cygpriv[idx], pname)) if (!wcscmp (cygpriv[idx], pname))
{ {
luid->HighPart = 0; luid->HighPart = 0;
luid->LowPart = idx; luid->LowPart = idx;
@ -355,12 +359,12 @@ privilege_luid (const char *pname, LUID *luid)
return false; return false;
} }
static const char * static const wchar_t *
privilege_name (const LUID &priv_luid) privilege_name (const LUID &priv_luid)
{ {
if (priv_luid.HighPart || priv_luid.LowPart < SE_CREATE_TOKEN_PRIVILEGE if (priv_luid.HighPart || priv_luid.LowPart < SE_CREATE_TOKEN_PRIVILEGE
|| priv_luid.LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE) || priv_luid.LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE)
return "<unknown privilege>"; return L"<unknown privilege>";
return cygpriv[priv_luid.LowPart]; return cygpriv[priv_luid.LowPart];
} }
@ -393,7 +397,7 @@ set_privilege (HANDLE token, DWORD privilege, bool enable)
out: out:
if (ret < 0) if (ret < 0)
debug_printf ("%d = set_privilege ((token %x) %s, %d)\n", ret, token, debug_printf ("%d = set_privilege ((token %x) %W, %d)\n", ret, token,
privilege_name (new_priv.Privileges[0].Luid), enable); privilege_name (new_priv.Privileges[0].Luid), enable);
return ret; return ret;
} }

2
winsup/cygwin/security.h
View File

@ -327,7 +327,7 @@ extern cygpsid mandatory_medium_integrity_sid;
extern cygpsid mandatory_high_integrity_sid; extern cygpsid mandatory_high_integrity_sid;
extern cygpsid mandatory_system_integrity_sid; extern cygpsid mandatory_system_integrity_sid;
bool privilege_luid (const char *pname, LUID *luid); bool privilege_luid (const PWCHAR pname, LUID *luid);
inline BOOL inline BOOL
legal_sid_type (SID_NAME_USE type) legal_sid_type (SID_NAME_USE type)

5
winsup/cygwin/uinfo.cc
View File

@ -14,6 +14,7 @@ details. */
#include <wininet.h> #include <wininet.h>
#include <stdlib.h> #include <stdlib.h>
#include <lm.h> #include <lm.h>
#include <iptypes.h>
#include <sys/cygwin.h> #include <sys/cygwin.h>
#include "cygerrno.h" #include "cygerrno.h"
#include "pinfo.h" #include "pinfo.h"
@ -369,9 +370,9 @@ cygheap_user::env_logsrv (const char *name, size_t namelen)
if (!mydomain || ascii_strcasematch (myname, "SYSTEM")) if (!mydomain || ascii_strcasematch (myname, "SYSTEM"))
return almost_null; return almost_null;
WCHAR wdomain[INTERNET_MAX_HOST_NAME_LENGTH + 1]; WCHAR wdomain[MAX_DOMAIN_NAME_LEN + 1];
WCHAR wlogsrv[INTERNET_MAX_HOST_NAME_LENGTH + 3]; WCHAR wlogsrv[INTERNET_MAX_HOST_NAME_LENGTH + 3];
sys_mbstowcs (wdomain, INTERNET_MAX_HOST_NAME_LENGTH + 1, mydomain); sys_mbstowcs (wdomain, MAX_DOMAIN_NAME_LEN + 1, mydomain);
cfree_and_set (plogsrv, almost_null); cfree_and_set (plogsrv, almost_null);
if (get_logon_server (wdomain, wlogsrv, false)) if (get_logon_server (wdomain, wlogsrv, false))
sys_wcstombs_alloc (&plogsrv, HEAP_STR, wlogsrv); sys_wcstombs_alloc (&plogsrv, HEAP_STR, wlogsrv);