This is the mail archive of the
cygwin-developers@sourceware.cygnus.com
mailing list for the Cygwin project.
ntsec-patch 14
- To: Chris Faylor <cgf at cygnus dot com>
- Subject: ntsec-patch 14
- From: Corinna Vinschen <corinna at vinschen dot de>
- Date: Tue, 05 Oct 1999 12:19:40 +0200
- CC: cygdev <cygwin-developers at sourceware dot cygnus dot com>
Hi!
I have patched ntsec so, that SIDs are used, that were previously
saved in /etc/passwd and /etc/group. This has following advantages:
- Correct working ntsec in domain environments.
- Non-login accounts (users _and_ groups) may get another name in
/etc/passwd and /etc/group files than their NT account name.
The new name is transparently used by applications (so chown,
chgrp, ls -l, etc. use them now),
e.g.:
root::500:513:...
instead of
administrator::500:513:...
No problem if running in console window,
BUT: If you need the account to login via telnet, ssh or similar
the login name _must_ be the NT user name.
- Cygwin UIDs and GIDs are now not necessarily the RID part of the
NT SID:
e.g.:
root::0:513:...
instead of
administrator::500:513:...
- As with U*X systems, UIDs and GIDs numbering scheme now don't
influence each other, so it's possible to have same Id's for a
user and a group,
e.g.:
/etc/passwd:
root::0:0:... # former 'administrator::500:544:...'
/etc/group:
root::0: # former 'administrators::544:'
Disadvantages, if you like to use the new features:
- /etc/passwd: The pw_gecos field has to contain a SID as the last
element of the comma separated list.
- /etc/group: The gr_passwd (former unused) has to contain a SID.
If no SIDs are found in /etc/passwd and /etc/group, ntsec acts like
the previous version.
The SIDs are saved in standard WinNT notation (S-1-5-32-...)
the utilities mkpasswd and mkgroup are patched, to support the new
format:
- mkpasswd and mkgroup generate SIDs by default. This behaviour may
be switched off by the new commandline option `-s' or `--no-sids'.
Moreover, mkpasswd generates the home dir path with the function
cygwin_conv_to_posix_path(), so mount points are used now. This
behaviour may be changed to `/cygdrive/<Driveletter>' by using the
commandline option `-m' or `--no-mount'.
Another new feature:
uinfo.cc(getlogin) now uses a function uinfo.cc(internal_getlogin)
that asks for the users domain and logon server by using the
netapi32 function `NetWkstaUserGetInfo()'. These infos are saved in
the pinfo structure `myself'. Later calls to security.cc(lookup_name)
use them to get correct account information.
Moreover, the users SID is retrieved and saved in myself, so many
calls to lookup_name while process creation are avoidable:
ntsec should be objectively faster than before.
Unfortunately, the used netapi32 functions are not implemented under
Win9X, so netapi32.dll is dynamically loaded only under NT and W2K.
Hint:
The calls to get_admin_sid(), get_world_sid() and get_system_sid()
are deleted from dcrt0.cc(dll_crt0_1). These functions don't fragment
the heap anymore. The new method of SID creation don't allocate
heap space dynamically.
IMPORTANT:
This patch needs the lm-header-patch, send at Oct 2, 1999.
Regards,
Corinna
ChangeLog:
==========
Thu Oct 5 11:45:00 1999 Corinna Vinschen <corinna@vinschen.de>
* dcrt0.cc (dll_crt0_1): Calls to get_WHOEVER_sid deleted.
Call to uinfo_init() moved to the end of the function.
* fhandler.cc (get_file_owner): Call to get_id_from_sid()
substituted by call to get_uid_from_sid().
(get_file_group): Call to get_id_from_sid() substituted by
call to get_gid_from_sid().
* fork.cc (fork): Copy new pinfo members to child.
* grp.cc (parse_grp): Rewritten. Saves gr_passwd and all
user names in gr_mem.
(read_etc_group): Variable `group_sem' avoids endless loop.
* passwd.cc (read_etc_passwd): Variable `passwd_sem' avoids
endless loop.
* security.cc (get_sid): New function to generate SID from
int values.
(get_ssid): New function to generate SID from string.
(get_pw_sid): New function to generate SID from pw_gecos
entry.
(get_gr_sid): New function to generate SID from gr_passwd
entry.
(get_admin_sid): Rewritten to avoid using heap space.
(get_system_sid): Ditto.
(get_creator_owner_sid): Ditto.
(get_world_sid): Ditto.
(get_id_from_sid): Tries to read SIDs from /etc/passwd or
/etc/group files before using RID or Lookup... function.
(legal_sid_type): New function.
(lookup_name): Rewritten to use the logon server info,
if any.
(alloc_sd): Tries to use SID from /etc/passwd and /etc/group
files before call to lookup_name().
(alloc_sd): New parameter for logon server.
(set_nt_attribute): Ditto.
(set_file_attribute): Ditto.
* shared.cc (sec_user): If SID is saved in myself, use it
instead of calling lookup_name().
* shared.h: struct pinfo got extended user information.
* spawn.cc (spawn_guts): method for forcing reread /etc
files changed.
(_spawnve): Copy new pinfo members to child.
* syscalls.cc (chown): Changed call to set_file_attribute().
(chmod): Ditto.
* uinfo.cc (internal_getlogin): New function.
(uinfo_init): Calls internal_getlogin() now.
(getlogin): Uses myself->username now.
* winsup.h: extern HANDLE netapi32_handle;
Changed prototypes for set_file_attribute(), lookup_name(),
get_id_from_sid().
New inline functions get_uid_from_sid() and get_gid_from_sid().
* utils/mkgroup.c: Adapted to the new ntsec features.
* utils/mkpasswd.c: Ditto.
ntsec-patch14.gz