From f5a9dd02c440696624e74af4a022c22aabbdced5 Mon Sep 17 00:00:00 2001
From: Corinna Vinschen
Date: Tue, 13 Jan 2015 09:06:53 +0000
Subject: [PATCH] * uinfo.cc (pwdgrp::fetch_account_from_windows): Drop code from 2014-11-17, always prepending domain to NT SERVICE accounts when searching by name. Fix test expression to allow fully qualified names for NT SERVICE accounts. Extend comment to explain a bit.
---
 winsup/cygwin/ChangeLog | 7 +++++++
 winsup/cygwin/uinfo.cc | 24 ++++++++----------------
 2 files changed, 15 insertions(+), 16 deletions(-)
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 97280a09f..3e27499ba 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,10 @@
+2015-01-13 Corinna Vinschen
+
+	* uinfo.cc (pwdgrp::fetch_account_from_windows): Drop code from
+	2014-11-17, always prepending domain to NT SERVICE accounts when
+	searching by name. Fix test expression to allow fully qualified
+	names for NT SERVICE accounts. Extend comment to explain a bit.
+
 2015-01-12 Pierre A. Humblet
 
 	* minires-os-if.c (cygwin_query): Change questions into answers.
diff --git a/winsup/cygwin/uinfo.cc b/winsup/cygwin/uinfo.cc
index 6a2232d32..89ed5c27b 100644
--- a/winsup/cygwin/uinfo.cc
+++ b/winsup/cygwin/uinfo.cc
@@ -1749,19 +1749,6 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
           ret = LookupAccountNameW (NULL, name, sid, &slen, dom, &dlen,
                                     &acc_type);
         }
-      /* LookupAccountName doesn't find NT SERVICE accounts. Try just for
-         kicks (and to make TrustedInstaller work here :-P */
-      else if (!ret)
-        {
-          p = wcpcpy (name, L"NT SERVICE");
-          *p = L'\\';
-          sys_mbstowcs (p + 1, UNLEN + 1, arg.name);
-          slen = SECURITY_MAX_SID_SIZE;
-          dlen = DNLEN + 1;
-          sid = csid;
-          ret = LookupAccountNameW (NULL, name, sid, &slen, dom, &dlen,
-                                    &acc_type);
-        }
       if (!ret)
         {
           debug_printf ("LookupAccountNameW (%W), %E", name);
@@ -1807,12 +1794,17 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
           /* All is well if db_prefix is always. */
           if (cygheap->pg.nss_prefix_always ())
             break;
-          /* Otherwise, no fully_qualified for builtin accounts. */
+          /* Otherwise, no fully_qualified for builtin accounts, except for
+             NT SERVICE, for which we require the prefix. Note that there's
+             no equivalent test in the `if (!fq_name)' branch above, because
+             LookupAccountName never returns NT SERVICE accounts if they are
+             not prependend with the domain anyway. */
           if (sid_id_auth (sid) != 5 /* SECURITY_NT_AUTHORITY */
-              || sid_sub_auth (sid, 0) != SECURITY_NT_NON_UNIQUE)
+              || (sid_sub_auth (sid, 0) != SECURITY_NT_NON_UNIQUE
+                  && sid_sub_auth (sid, 0) != SECURITY_SERVICE_ID_BASE_RID))
             {
               debug_printf ("Invalid account name <%s> (fully qualified/"
-                            "not NON_UNIQUE)", arg.name);
+                            "not NON_UNIQUE or NT_SERVICE)", arg.name);
               return NULL;
             }
           /* All is well if db_prefix is primary. */
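Review bot: The new comment block misspells "prepended" (`not prependend with the domain anyway. */` should read `not prepended with the domain anyway. */`), and its statement that LookupAccountName never resolves bare NT SERVICE names is an assumption about the Windows API rather than anything this function verifies; since the earlier hunk removed the only code that relied on the opposite, wording it as "on current Windows versions" would stop a later reader from treating it as a guarantee that keeps the `!fq_name` branch and this branch consistent. In the rewritten condition `sid_sub_auth (sid, 0)` is evaluated on two consecutive lines; reading the RID once into a local before the `if` would make the NON_UNIQUE / SERVICE_ID_BASE comparison easier to follow and to extend. The updated debug message in the same hunk correctly mirrors the new condition. fetch_account_from_windows begins and ends outside this hunk.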