From 70e476d27be8e49146c49e8d6e1319100b84d5eb Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Tue, 25 Jul 2006 19:23:23 +0000 Subject: 2006-07-25 Corinna Vinschen * include/cygwin/version.h: Bump DLL version to 1.7.0. 2006-07-25 Corinna Vinschen * select.h: Remove. * fhandler_socket.cc: Don't include select.h. * select.cc: Ditto. 2006-07-25 Corinna Vinschen * cygtls.h: Drop socket related includes. (struct _local_storage): Remove exitsock and exitsock_sin. Add select_sockevt. * cygtls.cc: Accomodate above change throughout. * fhandler.h (class fhandler_socket): Make wsock_evt public. * fhandler_socket.cc (fhandler_socket::fhandler_socket): Accomodate reordering members. (fhandler_socket::evaluate_events): Drop FD_CONNECT event as soon as it gets read once. Never remove FD_WRITE event here. (fhandler_socket::wait_for_events): Wait 50 ms instead of INFINITE for socket events. (fhandler_socket::accept): Fix conditional. Set wsock_events members of accepted socket to useful start values. (fhandler_socket::recv_internal): Always drop FD_READ/FD_OOB events from wsock_events after the call to WSARecvFrom. (fhandler_socket::send_internal): Drop FD_WRITE event from wsock_events if the call to WSASendTo fails with WSAEWOULDBLOCK. Fix return value condition. * select.cc (struct socketinf): Change to accomodate using socket event handling. (peek_socket): Use event handling for peeking socket. (thread_socket): Ditto. (start_thread_socket): Ditto. (socket_cleanup): Same here. * tlsoffsets.h: Regenerate. 2006-07-20 Corinna Vinschen * fhandler.h (class fhandler_socket): Rearrange slightly to keep event handling methods and members together. Drop owner status flag. Split wait method. Rename event handling methods for readability. * fhandler_socket.cc (struct wsa_event): Add owner field. (LOCK_EVENTS): New macro. (UNLOCK_EVENTS): Ditto. (fhandler_socket::init_events): rename from prepare. (fhandler_socket::evaluate_events): First half of former wait method. Do everything but wait. Allow specifiying whether or not events from event_mask should be erased from wsock_events->events. Simplify OOB handling. Allow sending SIGURG to any process (group). (fhandler_socket::wait_for_events): Second half of former wait method. Call evaluate_events and wait in a loop if socket is blocking. (fhandler_socket::release_events): Rename from release. (fhandler_socket::connect): Accomodate above name changes. (fhandler_socket::accept): Ditto. (fhandler_socket::recv_internal): Ditto. (fhandler_socket::send_internal): Ditto. (fhandler_socket::close): Ditto. (fhandler_socket::fcntl): Always set owner to given input value on F_SETOWN. Handle F_GETOWN. * net.cc (fdsock): Accomodate above name changes. 2006-07-20 Corinna Vinschen * fhandler_socket.cc (fhandler_socket::wait): Set Winsock errno to WSAEWOULDBLOCK instead of WSAEINPROGRESS. 2006-07-18 Brian Ford Corinna Vinschen * winsup.h (mmap_region_status): New enum. (mmap_is_attached_or_noreserve_page): Adjust prototype and rename as below. * mmap.cc (mmap_is_attached_or_noreserve_page): Rename mmap_is_attached_or_noreserve. Add region length parameter. Return enum above. * exceptions.cc (_cygtls::handle_exceptions): Accomodate above. * fhandler.cc (fhandler_base::raw_read): Call above for NOACCESS errors and retry on success to allow reads into untouched MAP_NORESERVE buffers. 2006-07-18 Corinna Vinschen * cygwin.din (posix_openpt): Export. * tty.cc (posix_openpt): New function. * include/cygwin/stdlib.h (posix_openpt): Declare. * include/cygwin/version.h: Bump API minor number. 2006-07-14 Corinna Vinschen * security.cc (get_token_group_sidlist): Always add the interactive group to the token. Add comment. Create logon_id group SID by copying it from incoming group list. (create_token): Add subauth_token parameter. Use information in subauth_token if present. Tweak SourceIdentifier if subauth_token is present for debugging purposes. * security.h (create_token): Add subauth_token parameter in declaration. * syscalls.cc (seteuid32): Call subauth first. Call create_token regardless. Use subauth token in call to create_token if subauth succeeded. 2006-07-13 Corinna Vinschen * include/netinet/in.h: Update copyright. 2006-07-13 Corinna Vinschen * fhandler_socket.cc (fhandler_socket::wait): Rework function so that WaitForMultipleObjects is really only called when necessary. 2006-07-12 Corinna Vinschen * include/netdb.h: Declare rcmd, rcmd_af, rexec, rresvport, rresvport_af, iruserok, iruserok_sa, ruserok. 2006-07-12 Corinna Vinschen * Makefile.in (DLL_OFILES): Drop iruserok.o. Add rcmd.o. * autoload.cc (rcmd): Drop definition. * cygwin.din: Export bindresvport, bindresvport_sa, iruserok_sa, rcmd_af, rresvport_af. * net.cc (cygwin_rcmd): Remove. (last_used_bindresvport): Rename from last_used_rrecvport. (cygwin_bindresvport_sa): New function implementing bindresvport_sa. (cygwin_bindresvport): New function implementing bindresvport. (cygwin_rresvport): Remove. * include/cygwin/version.h: Bump API minor number. * include/netinet/in.h: Declare bindresvport and bindresvport_sa. * libc/iruserok.c: Remove file. * libc/rcmd.cc: New file implementing rcmd, rcmd_af, rresvport, rresvport_af, iruserok_sa, iruserok and ruserok. 2006-07-12 Corinna Vinschen * fhandler_socket.cc (fhandler_socket::getsockname): Return valid result for unbound sockets. 2006-07-11 Corinna Vinschen * fhandler_socket.cc (fhandler_socket::fixup_after_fork): Handle wsock_mtx and wsock_evt on fork, thus handling close_on_exec correctly. (fhandler_socket::fixup_after_exec): Drop misguided attempt to handle close_on_exec here. (fhandler_socket::dup): Call fixup_after_fork with NULL parent. Add comment. (fhandler_socket::set_close_on_exec): Handle wsock_mtx and wsock_evt. 2006-07-10 Corinna Vinschen * fhandler.h (class fhandler_socket): Add wsock_mtx, wsock_evt and wsock_events members. Remove closed status flag, add listener status flag. Accomodate new implementation of socket event handling methods. Declare recv* and send* functions ssize_t as the POSIX equivalents. (fhandler_socket::recv_internal): Declare. (fhandler_socket::send_internal): Ditto. * fhandler_socket.cc (EVENT_MASK): Define mask of selected events. (fhandler_socket::fhandler_socket): Initialize new members. (fhandler_socket::af_local_setblocking): Don't actually set the socket to blocking mode. Keep sane event selection. (fhandler_socket::af_local_unsetblocking): Don't actually set the socket to previous blocking setting, just remember it. (struct wsa_event): New structure to keep event data per shared socket. (NUM_SOCKS): Define number of shared sockets concurrently handled by all active Cygwin processes. (wsa_events): New shared datastructure keeping all wsa_event records. (socket_serial_number): New shared variable to identify shared sockets. (wsa_slot_mtx): Global mutex to serialize wsa_events access. (search_wsa_event_slot): New static function to select a new wsa_event slot for a new socket. (fhandler_socket::prepare): Rewrite. Prepare event selection per new socket. (fhandler_socket::wait): Rewrite. Wait for socket events in thread safe and multiple process safe. (fhandler_socket::release): Rewrite. Close per-socket descriptor mutex handle and event handle. (fhandler_socket::dup): Duplicate wsock_mtx and wsock_evt. Fix copy-paste error in debug output. (fhandler_socket::connect): Accomodate new event handling. (fhandler_socket::listen): Set listener flag on successful listen. (fhandler_socket::accept): Accomodate new event handling. (fhandler_socket::recv_internal): New inline method centralizing common recv code. (fhandler_socket::recvfrom): Call recv_internal now. (fhandler_socket::recvmsg): Ditto. Streamline copying from iovec to WSABUF. (fhandler_socket::send_internal): New inline method centralizing common send code. (fhandler_socket::sendto): Call send_internal now. (fhandler_socket::sendmsg): Ditto. Streamline copying from iovec to WSABUF. (fhandler_socket::close): Call release now. (fhandler_socket::ioctl): Never actually switch to blocking mode. Just keep track of the setting. * net.cc (fdsock): Call prepare now. (cygwin_connect): Revert again to event driven technique. (cygwin_accept): Ditto. * poll.cc (poll): Don't call recvfrom on a listening socket. Remove special case for failing recvfrom. * include/sys/socket.h: Declare recv* and send* functions ssize_t as requested by POSIX. 2006-07-07 Corinna Vinschen * net.cc (cygwin_inet_ntop): Fix data type of forth parameter. 2006-07-06 Corinna Vinschen * include/cygwin/in6.h (struct in6_addr): Fix typo. 2006-07-06 Corinna Vinschen * cygwin.din: Export in6addr_any, in6addr_loopback, freeaddrinfo, gai_strerror, getaddrinfo, getnameinfo. * fhandler_socket.cc: Include cygwin/in6.h. (get_inet_addr): Accomodate AF_INET6 usage. (fhandler_socket::connect): Ditto. (fhandler_socket::listen): Ditto. (fhandler_socket::sendto): Ditto. * net.cc: Include cygwin/in6.h. (in6addr_any): Define. (in6addr_loopback): Define. (cygwin_socket): Accomodate AF_INET6 usage. (socketpair): Bind socketpairs only to loopback for security. (inet_pton4): New static function. (inet_pton6): Ditto. (cygwin_inet_pton): New AF_INET6 aware inet_pton implementation. (inet_ntop4): New static function. (inet_ntop6): Ditto. (cygwin_inet_ntop): New AF_INET6 aware inet_ntop implementation. (ga_aistruct): New static function. (ga_clone): Ditto. (ga_echeck): Ditto. (ga_nsearch): Ditto. (ga_port): Ditto. (ga_serv): Ditto. (ga_unix): Ditto. (gn_ipv46): Ditto. (ipv4_freeaddrinfo): Ditto. (ipv4_getaddrinfo): Ditto. (ipv4_getnameinfo): Ditto. (gai_errmap_t): New structure holding error code - error string mapping. (cygwin_gai_strerror): New function implementing gai_strerror. (w32_to_gai_err): New static function. (get_ipv6_funcs): Ditto. (load_ipv6_funcs): Ditto. (cygwin_freeaddrinfo): New function implementing freeaddrinfo. (cygwin_getaddrinfo): New function implementing getaddrinfo. (cygwin_getnameinfo): New function implementing getnameinfo. * include/netdb.h: Include stdint.h and cygwin/socket.h. Define data types and macros used by getaddrinfo and friends. Declare freeaddrinfo, gai_strerror, getaddrinfo and getnameinfo. * include/cygwin/in.h: Add IPv6 related IPPROTOs. Remove definition of struct sockaddr_in6. Include cygwin/in6.h instead. * include/cygwin/in6.h: New header file defining IPv6 releated data types and macros. * include/cygwin/socket.h: Enable AF_INET6 and PF_INET6. Add IPv6 related socket options. * include/cygwin/version.h: Bump API minor number. 2006-07-06 Corinna Vinschen * autoload.cc (DsGetDcNameA): Define. (NetGetAnyDCName): Define. * security.cc: Include dsgetdc.h. (DsGetDcNameA): Declare. (DS_FORCE_REDISCOVERY): Define. (get_logon_server): Add bool parameter to control rediscovery of DC. Use DsGetDcNameA function if supported, NetGetDCName/NetGetAnyDCName otherwise. (get_server_groups): Rediscover DC if get_user_groups fails and try again. (get_reg_security): Use correct error code macro when testing RegGetKeySecurity return value. * security.h (get_logon_server): Remove default vaue from wserver parameter. Add rediscovery parameter. * uinfo.cc (cygheap_user::env_logsrv): Accomodate rediscovery parameter in call to get_logon_server. --- winsup/cygwin/security.cc | 126 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 95 insertions(+), 31 deletions(-) (limited to 'winsup/cygwin/security.cc') diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc index 23f86e369..0970805ec 100644 --- a/winsup/cygwin/security.cc +++ b/winsup/cygwin/security.cc @@ -28,6 +28,7 @@ details. */ #include #include #include +#include #include "cygerrno.h" #include "security.h" #include "path.h" @@ -208,13 +209,21 @@ close_local_policy (LSA_HANDLE &lsa) lsa = INVALID_HANDLE_VALUE; } +/* CV, 2006-07-06: Missing in w32api. */ +extern "C" DWORD WINAPI DsGetDcNameA (LPCSTR, LPCSTR, GUID *, LPCSTR, ULONG, + PDOMAIN_CONTROLLER_INFOA *); +#define DS_FORCE_REDISCOVERY 1 + bool -get_logon_server (const char *domain, char *server, WCHAR *wserver) +get_logon_server (const char *domain, char *server, WCHAR *wserver, + bool rediscovery) { - WCHAR wdomain[INTERNET_MAX_HOST_NAME_LENGTH + 1]; - NET_API_STATUS ret; + DWORD dret; + PDOMAIN_CONTROLLER_INFOA pci; + NET_API_STATUS nret; WCHAR *buf; DWORD size = INTERNET_MAX_HOST_NAME_LENGTH + 1; + WCHAR wdomain[size]; /* Empty domain is interpreted as local system */ if ((GetComputerName (server + 2, &size)) && @@ -226,18 +235,37 @@ get_logon_server (const char *domain, char *server, WCHAR *wserver) return true; } - /* Try to get the primary domain controller for the domain */ - sys_mbstowcs (wdomain, domain, INTERNET_MAX_HOST_NAME_LENGTH + 1); - if ((ret = NetGetDCName (NULL, wdomain, (LPBYTE *) &buf)) == STATUS_SUCCESS) + /* Try to get any available domain controller for this domain */ + dret = DsGetDcNameA (NULL, domain, NULL, NULL, + rediscovery ? DS_FORCE_REDISCOVERY : 0, &pci); + if (dret == ERROR_SUCCESS) { - sys_wcstombs (server, INTERNET_MAX_HOST_NAME_LENGTH + 1, buf); - if (wserver) - for (WCHAR *ptr1 = buf; (*wserver++ = *ptr1++);) - ; - NetApiBufferFree (buf); + strcpy (server, pci->DomainControllerName); + sys_mbstowcs (wserver, server, INTERNET_MAX_HOST_NAME_LENGTH + 1); + NetApiBufferFree (pci); + debug_printf ("DC: rediscovery: %d, server: %s", rediscovery, server); return true; } - __seterrno_from_win_error (ret); + else if (dret == ERROR_PROC_NOT_FOUND) + { + /* NT4 w/o DSClient */ + sys_mbstowcs (wdomain, domain, INTERNET_MAX_HOST_NAME_LENGTH + 1); + if (rediscovery) + nret = NetGetAnyDCName (NULL, wdomain, (LPBYTE *) &buf); + else + nret = NetGetDCName (NULL, wdomain, (LPBYTE *) &buf); + if (nret == NERR_Success) + { + sys_wcstombs (server, INTERNET_MAX_HOST_NAME_LENGTH + 1, buf); + if (wserver) + for (WCHAR *ptr1 = buf; (*wserver++ = *ptr1++);) + ; + NetApiBufferFree (buf); + debug_printf ("NT: rediscovery: %d, server: %s", rediscovery, server); + return true; + } + } + __seterrno_from_win_error (nret); return false; } @@ -473,7 +501,11 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps, grp_list += well_known_network_sid; if (sid_in_token_groups (my_grps, well_known_batch_sid)) grp_list += well_known_batch_sid; - if (sid_in_token_groups (my_grps, well_known_interactive_sid)) + /* This is a problem on 2K3 (only domain controllers?!?) which only + enables tools for selected special groups. A subauth token is + only NETWORK, but NETWORK has no access to these tools. Therefore + we always add INTERACTIVE here. */ + /*if (sid_in_token_groups (my_grps, well_known_interactive_sid))*/ grp_list += well_known_interactive_sid; if (sid_in_token_groups (my_grps, well_known_service_sid)) grp_list += well_known_service_sid; @@ -485,11 +517,13 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps, } if (get_ll (auth_luid) != 999LL) /* != SYSTEM_LUID */ { - char buf[64]; - __small_sprintf (buf, "S-1-5-5-%u-%u", auth_luid.HighPart, - auth_luid.LowPart); - grp_list += buf; - auth_pos = grp_list.count - 1; + for (DWORD i = 0; i < my_grps->GroupCount; ++i) + if (my_grps->Groups[i].Attributes & SE_GROUP_LOGON_ID) + { + grp_list += my_grps->Groups[i].Sid; + auth_pos = grp_list.count - 1; + break; + } } } @@ -511,7 +545,9 @@ get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw) grp_list += well_known_world_sid; grp_list += well_known_authenticated_users_sid; extract_nt_dom_user (pw, domain, user); - if (get_logon_server (domain, server, wserver)) + if (get_logon_server (domain, server, wserver, false) + && !get_user_groups (wserver, grp_list, user, domain) + && get_logon_server (domain, server, wserver, true)) get_user_groups (wserver, grp_list, user, domain); get_unix_group_sidlist (pw, grp_list); return get_user_local_groups (grp_list, usersid); @@ -780,7 +816,8 @@ done: } HANDLE -create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw) +create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw, + HANDLE subauth_token) { NTSTATUS ret; LSA_HANDLE lsa = INVALID_HANDLE_VALUE; @@ -803,7 +840,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw) TOKEN_STATISTICS stats; memcpy (source.SourceName, "Cygwin.1", 8); source.SourceIdentifier.HighPart = 0; - source.SourceIdentifier.LowPart = 0x0101; + source.SourceIdentifier.LowPart = (subauth_token ? 0x0102 : 0x0101); HANDLE token = INVALID_HANDLE_VALUE; HANDLE primary_token = INVALID_HANDLE_VALUE; @@ -824,33 +861,60 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw) owner.Owner = usersid; /* Retrieve authentication id and group list from own process. */ - if (hProcToken) + HANDLE get_token; + if (subauth_token) + { + debug_printf ("get_token = subauth_token"); + get_token = subauth_token; + } + else + { + debug_printf ("get_token = hProcToken"); + get_token = hProcToken; + } + if (get_token) { /* Switching user context to SYSTEM doesn't inherit the authentication id of the user account running current process. */ if (usersid != well_known_system_sid) - if (!GetTokenInformation (hProcToken, TokenStatistics, + if (!GetTokenInformation (get_token, TokenStatistics, &stats, sizeof stats, &size)) debug_printf - ("GetTokenInformation(hProcToken, TokenStatistics), %E"); + ("GetTokenInformation(get_token, TokenStatistics), %E"); else auth_luid = stats.AuthenticationId; /* Retrieving current processes group list to be able to inherit some important well known group sids. */ - if (!GetTokenInformation (hProcToken, TokenGroups, NULL, 0, &size) && - GetLastError () != ERROR_INSUFFICIENT_BUFFER) - debug_printf ("GetTokenInformation(hProcToken, TokenGroups), %E"); + if (!GetTokenInformation (get_token, TokenGroups, NULL, 0, &size) + && GetLastError () != ERROR_INSUFFICIENT_BUFFER) + debug_printf ("GetTokenInformation(get_token, TokenGroups), %E"); else if (!(my_tok_gsids = (PTOKEN_GROUPS) malloc (size))) debug_printf ("malloc (my_tok_gsids) failed."); - else if (!GetTokenInformation (hProcToken, TokenGroups, my_tok_gsids, + else if (!GetTokenInformation (get_token, TokenGroups, my_tok_gsids, size, &size)) { - debug_printf ("GetTokenInformation(hProcToken, TokenGroups), %E"); + debug_printf ("GetTokenInformation(get_token, TokenGroups), %E"); free (my_tok_gsids); my_tok_gsids = NULL; } } + if (subauth_token) + { + if (!GetTokenInformation (subauth_token, TokenPrivileges, NULL, 0, &size) + && GetLastError () != ERROR_INSUFFICIENT_BUFFER) + debug_printf ("GetTokenInformation(subauth_token, TokenPrivileges), %E"); + else if (!(privs = (PTOKEN_PRIVILEGES) malloc (size))) + debug_printf ("malloc (privs) failed."); + else if (!GetTokenInformation (subauth_token, TokenPrivileges, privs, + size, &size)) + { + debug_printf ("GetTokenInformation(subauth_token, TokenPrivileges), %E"); + free (privs); + privs = NULL; + } + } + /* Create list of groups, the user is member in. */ int auth_pos; @@ -878,7 +942,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw) new_tok_gsids->Groups[auth_pos].Attributes |= SE_GROUP_LOGON_ID; /* Retrieve list of privileges of that user. */ - if (!(privs = get_priv_list (lsa, usersid, tmp_gsids))) + if (!privs && !(privs = get_priv_list (lsa, usersid, tmp_gsids))) goto out; /* Let's be heroic... */ @@ -1299,7 +1363,7 @@ get_reg_security (HANDLE handle, security_descriptor &sd_ret) | OWNER_SECURITY_INFORMATION, sd_ret, &len); } - if (ret != STATUS_SUCCESS) + if (ret != ERROR_SUCCESS) { __seterrno (); return -1; -- cgit v1.2.3