This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Corinna or Pierre please comment? [jason@tishler.net: Re: setuid() problem when disconnected from PDC under 1.3.12-2]


> ----- Forwarded message from Jason Tishler <jason@tishler.net> -----
> 2305210 2457011 [main] setuid 2672 seterrno_from_win_error: ../../../../src/winsup/cygwin/security.cc:278 windows error 2453
>                                         ^^^^
>                                         ****
>   384 2457395 [main] setuid 2672 geterrno_from_win_error: unknown windows error 2453, setting errno to 13
> 
> Note that the Windows error 2453 corresponds to NERR_DCNotFound.
> [...]
>   if ((ret = NetGetDCName (NULL, wdomain, (LPBYTE *) &buf)) == STATUS_SUCCESS)

Since 1.3.10 this function asked the Lsa for the PDC but that returned
the DC of the machine rather than the DC of the account.  So that would
have been correct only if the machine and the user are in the same
domain.  Another difference is, if the user exists as a local and as a
domain account, the old way to do things would have returned information
for the local account when the DC wasn't available while the current
implementation returns an error now.

So, basically the current implementation is more correct than the old
implementation.  I don't see how to make it better.  Except if you're
willing to turn down the need for the correct group membership when
logging in to the machine.  If we ignore the error, you could get a
user token with all groups mentioned as primary or supplemantary 
group of your account in /etc/passwd and /etc/group.  What I mean is,
the current code is basically creating the group list in your token
this way:

  if (!GetPDC())
    FAIL;
  if (!get_domain_groups_of_account())
    FAIL;
  if (!get_local_groups_of_account())
    FAIL;
  if (!has_primary_group)        <- from setgid()
    get_primary_group_of_account();
  get_supplementary_groups_from_etc_group();

We *could* change it this way to succeed more often:

  GetPDC();
  if (has_pdc)
    {
      get_domain_groups_of_account();
      get_local_groups_of_account();
      if (!has_primary_group)
	get_primary_group_of_account();
    }
  if (!has_primary_group)
    get_primary_group_from_etc_passwd();
  get_supplementary_groups_from_etc_group();


That could leave you with a somewhat restricted token, though.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]