author | Corinna Vinschen <corinna@vinschen.de> | 2009-02-20 16:10:45 +0000 |
---|---|---|
committer | Corinna Vinschen <corinna@vinschen.de> | 2009-02-20 16:10:45 +0000 |
commit | 348267bdf6f48b681eef53cbe50a2f4f96c05bdc (patch) | |
tree | 1fda254cfadd7faaf5589ebe79563aed10a0bbb8 /winsup/cygwin/sec_auth.cc | |
parent | 964abbd08e1d48bebe7e1a09d002f60bb8740ed8 (diff) | |
* autoload.cc (NetLocalGroupEnum): Remove.
(NetLocalGroupGetMembers): Remove.
(NetUserGetLocalGroups): Add.
* sec_auth.cc (is_group_member): Remove function.
(get_user_local_groups): Get user as string instead of as SID.
Call NetUserGetLocalGroups instead of NetLocalGroupEnum. Drop call
to is_group_member.
(get_server_groups): Call get_user_local_groups with user name instead
of user SID.
Diffstat (limited to 'winsup/cygwin/sec_auth.cc')
-rw-r--r-- | winsup/cygwin/sec_auth.cc | 110 |
1 files changed, 33 insertions, 77 deletions
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index 0e2dde689..f39b6633e 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -1,7 +1,7 @@
 /* sec_auth.cc: NT authentication functions
 Copyright 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
- 2006, 2007, 2008 Red Hat, Inc.
+ 2006, 2007, 2008, 2009 Red Hat, Inc.
 This file is part of Cygwin.
@@ -266,59 +266,16 @@ get_user_groups (WCHAR *logonserver, cygsidlist &grp_list,
 }
 static bool
-is_group_member (PWCHAR logonserver, PWCHAR group, PSID pusersid,
- cygsidlist &grp_list)
-{
- LPLOCALGROUP_MEMBERS_INFO_1 buf;
- DWORD cnt, tot;
- NET_API_STATUS ret;
-
- /* Members can be users or global groups */
- ret = NetLocalGroupGetMembers (logonserver, group, 1, (LPBYTE *) &buf,
- MAX_PREFERRED_LENGTH, &cnt, &tot, NULL);
- if (ret)
- return false;
-
- bool retval = true;
- for (DWORD bidx = 0; bidx < cnt; ++bidx)
- if (EqualSid (pusersid, buf[bidx].lgrmi1_sid))
- goto done;
- else
- {
- /* The extra test for the group being a global group or a well-known
- group is necessary, since apparently also aliases (for instance
- Administrators or Users) can be members of local groups, even
- though MSDN states otherwise. The GUI refuses to put aliases into
- local groups, but the CLI interface allows it. However, a normal
- logon token does not contain groups, in which the user is only
- indirectly a member by being a member of an alias in this group.
- So we also should not put them into the token group list.
- Note: Allowing those groups in our group list renders external
- tokens invalid, so that it becomes impossible to logon with
- password and valid logon token.
*/
- for (int glidx = 0; glidx < grp_list.count (); ++glidx)
- if ((buf[bidx].lgrmi1_sidusage == SidTypeGroup
- || buf[bidx].lgrmi1_sidusage == SidTypeWellKnownGroup)
- && EqualSid (grp_list.sids[glidx], buf[bidx].lgrmi1_sid))
- goto done;
- }
-
- retval = false;
- done:
- NetApiBufferFree (buf);
- return retval;
-}
-
-static bool
 get_user_local_groups (PWCHAR logonserver, PWCHAR domain,
- cygsidlist &grp_list, PSID pusersid)
+ cygsidlist &grp_list, PWCHAR user)
 {
 LPLOCALGROUP_INFO_0 buf;
 DWORD cnt, tot;
 NET_API_STATUS ret;
- ret = NetLocalGroupEnum (logonserver, 0, (LPBYTE *) &buf,
- MAX_PREFERRED_LENGTH, &cnt, &tot, NULL);
+ ret = NetUserGetLocalGroups (logonserver, user, 0, LG_INCLUDE_INDIRECT,
+ (LPBYTE *) &buf, MAX_PREFERRED_LENGTH,
+ &cnt, &tot);
 if (ret)
 {
 __seterrno_from_win_error (ret);
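Review bot: The rationale that lived in is_group_member — a local group the user reaches only through a nested alias (Administrators, Users, …) must stay out of grp_list because a real logon token does not carry it and adding it renders external tokens invalid — disappears with the function, and nothing at the new `NetUserGetLocalGroups (logonserver, user, 0, LG_INCLUDE_INDIRECT, ...)` call records why that flag is the right level. As far as the API documents it, LG_INCLUDE_INDIRECT widens the result only to membership through global groups, so the property now rests on the API rather than on an explicit filter; that dependency deserves a comment above the call, e.g. `/* LG_INCLUDE_INDIRECT follows membership via global groups only. Membership via a nested alias is deliberately not followed: a real logon token does not contain it and adding it invalidates external tokens. */`. One behavioral difference to verify: the old filter also accepted a local group whose member was a well-known group already present in grp_list (SidTypeWellKnownGroup), and whether the new call reports such memberships is not visible here, so a test with a user whose only route into a local group is a well-known group would be worthwhile. get_user_local_groups is cut by the hunk: its error handling continues after `__seterrno_from_win_error (ret);` and its loop body is in the next hunk.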
@@ -335,34 +292,33 @@ get_user_local_groups (PWCHAR logonserver, PWCHAR domain,
 bg_ptr = wcpcpy (builtin_grp, L"BUILTIN\\");
 for (DWORD i = 0; i < cnt; ++i)
- if (is_group_member (logonserver, buf[i].lgrpi0_name, pusersid, grp_list))
- {
- cygsid gsid;
- DWORD glen = MAX_SID_LEN;
- WCHAR dom[MAX_DOMAIN_NAME_LEN + 1];
- DWORD domlen = sizeof (dom);
- bool builtin = false;
-
- use = SidTypeInvalid;
- wcscpy (dg_ptr, buf[i].lgrpi0_name);
- if (!LookupAccountNameW (NULL, domlocal_grp, gsid, &glen,
- dom, &domlen, &use))
- {
- if (GetLastError () != ERROR_NONE_MAPPED)
- debug_printf ("LookupAccountName(%W), %E", domlocal_grp);
- wcscpy (bg_ptr, dg_ptr);
- if (!LookupAccountNameW (NULL, builtin_grp, gsid, &glen,
- dom, &domlen, &use))
- debug_printf ("LookupAccountName(%W), %E", builtin_grp);
- builtin = true;
- }
- if (!legal_sid_type (use))
- debug_printf ("Rejecting local %W. use: %d", dg_ptr, use);
- else if (builtin)
- grp_list *= gsid;
- else
- grp_list += gsid;
- }
+ {
+ cygsid gsid;
+ DWORD glen = MAX_SID_LEN;
+ WCHAR dom[MAX_DOMAIN_NAME_LEN + 1];
+ DWORD domlen = sizeof (dom);
+ bool builtin = false;
+
+ use = SidTypeInvalid;
+ wcscpy (dg_ptr, buf[i].lgrpi0_name);
+ if (!LookupAccountNameW (NULL, domlocal_grp, gsid, &glen,
+ dom, &domlen, &use))
+ {
+ if (GetLastError () != ERROR_NONE_MAPPED)
+ debug_printf ("LookupAccountName(%W), %E", domlocal_grp);
+ wcscpy (bg_ptr, dg_ptr);
+ if (!LookupAccountNameW (NULL, builtin_grp, gsid, &glen,
+ dom, &domlen, &use))
+ debug_printf ("LookupAccountName(%W), %E", builtin_grp);
+ builtin = true;
+ }
+ if (!legal_sid_type (use))
+ debug_printf ("Rejecting local %W. use: %d", dg_ptr, use);
+ else if (builtin)
+ grp_list *= gsid;
+ else
+ grp_list += gsid;
+ }
 NetApiBufferFree (buf);
 return true;
 }
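Review bot: `DWORD domlen = sizeof (dom);` on the new side passes a byte count where LookupAccountNameW takes cchReferencedDomainName in characters, so the API is told the `WCHAR dom[MAX_DOMAIN_NAME_LEN + 1]` stack buffer holds twice as many characters as it does; a referenced domain name longer than MAX_DOMAIN_NAME_LEN would then be written past the array instead of failing with ERROR_INSUFFICIENT_BUFFER. Real domain names are short enough that this is unlikely to trigger, but the argument is wrong and this hunk already re-indents the whole loop body, so it is the natural place to correct it: `DWORD domlen = sizeof (dom) / sizeof (dom[0]);`. The neighbouring `glen = MAX_SID_LEN` is fine, since cbSid really is a byte count. The function's signature and the NetUserGetLocalGroups call are in the previous hunk; it ends with the `return true;` and `}` shown here.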
@@ -466,7 +422,7 @@ get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw)
 && !get_user_groups (server, grp_list, user, domain)
 && get_logon_server (domain, server, true))
 get_user_groups (server, grp_list, user, domain);
- if (get_user_local_groups (server, domain, grp_list, usersid))
+ if (get_user_local_groups (server, domain, grp_list, user))
 {
 get_unix_group_sidlist (pw, grp_list);
 return true;
|
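Review bot: The local-group lookup is now keyed by the account name `user` instead of `usersid`, and a name is resolved in the context of `server`, so the result is only right when the `user`/`domain`/`server` triple chosen above this hunk denotes the same account that `usersid` identifies — a SID cannot be shadowed by a same-named account on another machine, a name can. That precondition presumably holds given how the caller derives them (the preceding get_user_groups calls already pass `user`), but it is worth stating at the call, e.g. `/* Name-based lookup: server/domain must be the ones usersid was resolved against. */`. If this was the last use of `usersid` inside get_server_groups, the parameter is now dead; that is not decidable from the hunk, since the function begins and ends outside it.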