This is the mail archive of the cygwin-developers@sourceware.cygnus.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

ntsec-patch 14


Hi!

I have patched ntsec so, that SIDs are used, that were previously
saved in /etc/passwd and /etc/group. This has following advantages:

- Correct working ntsec in domain environments.

- Non-login accounts (users _and_ groups) may get another name in
  /etc/passwd and /etc/group files than their NT account name.
  The new name is transparently used by applications (so chown,
  chgrp, ls -l, etc. use them now),
  e.g.:
	root::500:513:...
  instead of
	administrator::500:513:...

  No problem if running in console window,
  BUT: If you need the account to login via telnet, ssh or similar
  the login name _must_ be the NT user name.

- Cygwin UIDs and GIDs are now not necessarily the RID part of the
  NT SID:
  e.g.:
	root::0:513:...
  instead of
	administrator::500:513:...
	
- As with U*X systems, UIDs and GIDs numbering scheme now don't
  influence each other, so it's possible to have same Id's for a
  user and a group,
  e.g.:
	/etc/passwd:
	root::0:0:...		# former 'administrator::500:544:...'

	/etc/group:
	root::0:		# former 'administrators::544:'

Disadvantages, if you like to use the new features:
- /etc/passwd: The pw_gecos field has to contain a SID as the last
  element of the comma separated list.
- /etc/group: The gr_passwd (former unused) has to contain a SID.

If no SIDs are found in /etc/passwd and /etc/group, ntsec acts like
the previous version.

The SIDs are saved in standard WinNT notation (S-1-5-32-...)
the utilities mkpasswd and mkgroup are patched, to support the new
format:

- mkpasswd and mkgroup generate SIDs by default. This behaviour may
  be switched off by the new commandline option `-s' or `--no-sids'.

Moreover, mkpasswd generates the home dir path with the function
cygwin_conv_to_posix_path(), so mount points are used now. This
behaviour may be changed to `/cygdrive/<Driveletter>' by using the
commandline option `-m' or `--no-mount'.

Another new feature:

uinfo.cc(getlogin) now uses a function uinfo.cc(internal_getlogin)
that asks for the users domain and logon server by using the
netapi32 function `NetWkstaUserGetInfo()'. These infos are saved in
the pinfo structure `myself'. Later calls to security.cc(lookup_name)
use them to get correct account information.
Moreover, the users SID is retrieved and saved in myself, so many
calls to lookup_name while process creation are avoidable:
ntsec should be objectively faster than before.
Unfortunately, the used netapi32 functions are not implemented under
Win9X, so netapi32.dll is dynamically loaded only under NT and W2K.

Hint:
The calls to get_admin_sid(), get_world_sid() and get_system_sid()
are deleted from dcrt0.cc(dll_crt0_1). These functions don't fragment
the heap anymore. The new method of SID creation don't allocate
heap space dynamically.

IMPORTANT:
This patch needs the lm-header-patch, send at Oct 2, 1999.

Regards,
Corinna


ChangeLog:
==========

Thu Oct 5 11:45:00 1999  Corinna Vinschen  <corinna@vinschen.de>

	* dcrt0.cc (dll_crt0_1): Calls to get_WHOEVER_sid deleted.
	Call to uinfo_init() moved to the end of the function.
	* fhandler.cc (get_file_owner): Call to get_id_from_sid()
	substituted by call to get_uid_from_sid().
	(get_file_group): Call to get_id_from_sid() substituted by
	call to get_gid_from_sid().
	* fork.cc (fork): Copy new pinfo members to child.
	* grp.cc (parse_grp): Rewritten. Saves gr_passwd and all
	user names in gr_mem.
	(read_etc_group): Variable `group_sem' avoids endless loop.
	* passwd.cc (read_etc_passwd): Variable `passwd_sem' avoids
	endless loop.
	* security.cc (get_sid): New function to generate SID from
	int values.
	(get_ssid): New function to generate SID from string.
	(get_pw_sid): New function to generate SID from pw_gecos
	entry.
	(get_gr_sid): New function to generate SID from gr_passwd
	entry.
	(get_admin_sid): Rewritten to avoid using heap space.
	(get_system_sid): Ditto.
	(get_creator_owner_sid): Ditto.
	(get_world_sid): Ditto.
	(get_id_from_sid): Tries to read SIDs from /etc/passwd or
	/etc/group files before using RID or Lookup... function.
	(legal_sid_type): New function.
	(lookup_name): Rewritten to use the logon server info,
	if any.
	(alloc_sd): Tries to use SID from /etc/passwd and /etc/group
	files before call to lookup_name().
	(alloc_sd): New parameter for logon server.
	(set_nt_attribute): Ditto.
	(set_file_attribute): Ditto.
	* shared.cc (sec_user): If SID is saved in myself, use it
	instead of calling lookup_name().
	* shared.h: struct pinfo got extended user information.
	* spawn.cc (spawn_guts): method for forcing reread /etc
	files changed.
	(_spawnve): Copy new pinfo members to child.
	* syscalls.cc (chown): Changed call to set_file_attribute().
	(chmod): Ditto.
	* uinfo.cc (internal_getlogin): New function.
	(uinfo_init): Calls internal_getlogin() now.
	(getlogin): Uses myself->username now.
	* winsup.h: extern HANDLE netapi32_handle;
	Changed prototypes for set_file_attribute(), lookup_name(),
	get_id_from_sid().
	New inline functions get_uid_from_sid() and get_gid_from_sid().
	* utils/mkgroup.c: Adapted to the new ntsec features.
	* utils/mkpasswd.c: Ditto.

ntsec-patch14.gz


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]