* cygheap.h (class cygheap_domain_info): Remove lowest_tdo_posix_offset.

* ldap.cc (cyg_ldap::fetch_posix_offset_for_domain): Return UINT32_MAX in case of error. * security.h (PRIMARY_POSIX_OFFSET): Define. (NOACCESS_POSIX_OFFSET): Define. (UNUSABLE_POSIX_OFFSET): Define. * uinfo.cc (cygheap_domain_info::init): Drop initializing lowest_tdo_posix_offset. (pwdgrp::fetch_account_from_file): Set PosixOffset to either UNUSABLE_POSIX_OFFSET or NOACCESS_POSIX_OFFSET in case we don't get a sensible offset from AD. Explain why. Drop setting ch lowest_tdo_posix_offset. (pwdgrp::fetch_account_from_windows): Replace constant 0x100000 with PRIMARY_POSIX_OFFSET throughout.
author: Corinna Vinschen <corinna@vinschen.de> 2014-07-29 08:53:13 +0000
committer: Corinna Vinschen <corinna@vinschen.de> 2014-07-29 08:53:13 +0000
commit: 898e26c82f9f8b105f867516f7866c3479986628 (patch)
tree: e3108f27e163c7fd916ce89c07c98725657a5834 /winsup/cygwin/uinfo.cc
parent: ca6a65aa641625c8948d731c6a3b10a8ee9cd684 (diff)
download: cygnal-898e26c82f9f8b105f867516f7866c3479986628.tar.gz
cygnal-898e26c82f9f8b105f867516f7866c3479986628.tar.bz2
cygnal-898e26c82f9f8b105f867516f7866c3479986628.zip
1 files changed, 18 insertions, 16 deletions
diff --git a/winsup/cygwin/uinfo.cc b/winsup/cygwin/uinfo.cc
index 0151563fe..ed533bd8a 100644
--- a/winsup/cygwin/uinfo.cc
+++ b/winsup/cygwin/uinfo.cc
@@ -815,9 +815,6 @@ cygheap_domain_info::init ()
   lsa_close_policy (lsa);
   if (cygheap->dom.member_machine ())
     {
-      /* For a domain member machine fetch all trusted domain info.
-	 Start out with UNIX_POSIX_OFFSET. */
-      lowest_tdo_posix_offset = UNIX_POSIX_OFFSET;
       ret = DsEnumerateDomainTrustsW (NULL, DS_DOMAIN_DIRECT_INBOUND
 					    | DS_DOMAIN_DIRECT_OUTBOUND
 					    | DS_DOMAIN_IN_FOREST,
@@ -1138,24 +1135,29 @@ pwdgrp::fetch_account_from_file (fetch_user_arg_t &arg)
 static ULONG
 fetch_posix_offset (PDS_DOMAIN_TRUSTSW td, cyg_ldap *cldap)
 {
-  uint32_t id_val = 0;
+  uint32_t id_val = UINT32_MAX;
 
   if (!td->PosixOffset && !(td->Flags & DS_DOMAIN_PRIMARY) && td->DomainSid)
     {
       if (cldap->open (NULL) == NO_ERROR)
 	id_val = cldap->fetch_posix_offset_for_domain (td->DnsDomainName);
-      if (!id_val)
+      if (id_val < PRIMARY_POSIX_OFFSET)
+	{
+	  /* If the offset is less than the primay domain offset, we're bound
+	     to suffer collisions with system and local accounts.  Move offset
+	     to a fixed replacement fake offset.  This may result in collisions
+	     between other domains all of which were moved to this replacement
+	     offset, but we can't fix all problems caused by careless admins. */
+	  id_val = UNUSABLE_POSIX_OFFSET;
+	}
+      else if (id_val == UINT32_MAX)
 	{
 	  /* We're probably running under a local account, so we're not allowed
-	     to fetch any information from AD beyond the most obvious.
-	     Alternatively we're suffering IT madness and some admin has
-	     actually set the POSIX offset to 0.  Either way, fake a reasonable
-	     posix offset and hope for the best. */
-	  id_val = cygheap->dom.lowest_tdo_posix_offset - 0x00800000;
+	     to fetch any information from AD beyond the most obvious.  Fake a
+	     reasonable posix offset as above and hope for the best. */
+	  id_val = NOACCESS_POSIX_OFFSET;
 	}
       td->PosixOffset = id_val;
-      if (id_val < cygheap->dom.lowest_tdo_posix_offset)
-	cygheap->dom.lowest_tdo_posix_offset = id_val;
     }
   return td->PosixOffset;
 }
@@ -1425,7 +1427,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
 	  /* Identity assertion SIDs. */
 	  __small_swprintf (sidstr, L"S-1-18-%u", arg.id & 0xffff);
 	}
-      else if (arg.id < 0x100000)
+      else if (arg.id < PRIMARY_POSIX_OFFSET)
 	{
 	  /* Nothing. */
 	  debug_printf ("Invalid POSIX id %u", arg.id);
@@ -1467,7 +1469,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
 	    {
 	      /* Primary domain */
 	      PWCHAR s = cygheap->dom.primary_sid ().pstring (sidstr);
-	      __small_swprintf (s, L"-%u", arg.id - 0x100000);
+	      __small_swprintf (s, L"-%u", arg.id - PRIMARY_POSIX_OFFSET);
 	    }
 	  posix_offset = 0;
 	}
@@ -1526,7 +1528,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
 	      /* Primary domain account? */
 	      if (!wcscasecmp (dom, cygheap->dom.primary_flat_name ()))
 		{
-		  posix_offset = 0x100000;
+		  posix_offset = PRIMARY_POSIX_OFFSET;
 		  /* In theory domain should have been set to
 		     cygheap->dom.primary_dns_name (), but it turns out
 		     that not setting the domain here has advantages.
@@ -1859,7 +1861,7 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
 	  if (RtlEqualSid (sid, cygheap->dom.primary_sid ()))
 	    {
 	      domain = cygheap->dom.primary_flat_name ();
-	      posix_offset = 0x100000;
+	      posix_offset = PRIMARY_POSIX_OFFSET;
 	    }
 	  else
 	    for (ULONG idx = 0; (td = cygheap->dom.trusted_domain (idx)); ++idx)
author	Corinna Vinschen <corinna@vinschen.de>	2014-07-29 08:53:13 +0000
committer	Corinna Vinschen <corinna@vinschen.de>	2014-07-29 08:53:13 +0000
commit	898e26c82f9f8b105f867516f7866c3479986628 (patch)
tree	e3108f27e163c7fd916ce89c07c98725657a5834 /winsup/cygwin/uinfo.cc
parent	ca6a65aa641625c8948d731c6a3b10a8ee9cd684 (diff)
download	cygnal-898e26c82f9f8b105f867516f7866c3479986628.tar.gz cygnal-898e26c82f9f8b105f867516f7866c3479986628.tar.bz2 cygnal-898e26c82f9f8b105f867516f7866c3479986628.zip