public inbox for cygwin-cvs@sourceware.org help / color / mirror / Atom feed
From: Corinna Vinschen <corinna@sourceware.org> To: cygwin-cvs@sourceware.org Subject: [newlib-cygwin/cygwin-3_5-branch] Cygwin: passwd/group: drop Capability SIDs Date: Tue, 27 Feb 2024 11:19:48 +0000 (GMT) [thread overview] Message-ID: <20240227111948.2622D3858C31@sourceware.org> (raw) https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=271f187b7b59a6645e24e9c36b60ba31f6527556 commit 271f187b7b59a6645e24e9c36b60ba31f6527556 Author: Corinna Vinschen <corinna@vinschen.de> AuthorDate: Tue Feb 20 17:25:23 2024 +0100 Commit: Corinna Vinschen <corinna@vinschen.de> CommitDate: Mon Feb 26 10:04:32 2024 +0100 Cygwin: passwd/group: drop Capability SIDs Capability SIDs (S-1-15-3-...) have been introduced with Windows 10 1909. They don't resolve with LookupAccountSid. We don't need them and they don't map gracefully into out POSIX account namespace. Also, add code to make sure to filter them out *iff* they become resolvable at one point. While at it, slightly reorder code for non-resolving SIDs by authority values. Signed-off-by: Corinna Vinschen <corinna@vinschen.de> Diff: --- winsup/cygwin/uinfo.cc | 47 +++++++++++++++++++++++++++++------------------ 1 file changed, 29 insertions(+), 18 deletions(-) diff --git a/winsup/cygwin/uinfo.cc b/winsup/cygwin/uinfo.cc index 21d729d5dcbc..acbc945e41d9 100644 --- a/winsup/cygwin/uinfo.cc +++ b/winsup/cygwin/uinfo.cc @@ -2624,9 +2624,15 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap) + (sid_sub_auth_rid (sid) & 0xff); #else if (sid_id_auth (sid) == 15 /* SECURITY_APP_PACKAGE_AUTHORITY */) - uid = 0x10000 + 0x100 * sid_id_auth (sid) - + 0x10 * sid_sub_auth (sid, 0) - + (sid_sub_auth_rid (sid) & 0xf); + { + /* Filter out all SIDs not referring to an App Package, for + instance, Capability SIDs (S-1-15-3-...) */ + if (sid_sub_auth (sid, 0) != SECURITY_APP_PACKAGE_BASE_RID) + return NULL; + uid = 0x10000 + 0x100 * sid_id_auth (sid) + + 0x10 * SECURITY_APP_PACKAGE_BASE_RID + + (sid_sub_auth_rid (sid) & 0xf); + } else if (sid_id_auth (sid) != 5 /* SECURITY_NT_AUTHORITY */) uid = 0x10000 + 0x100 * sid_id_auth (sid) + (sid_sub_auth_rid (sid) & 0xff); @@ -2682,21 +2688,8 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap) fully_qualified_name = true; acc_type = SidTypeUnknown; } - else if (sid_id_auth (sid) == 12 && sid_sub_auth (sid, 0) == 1) - { - /* Special AzureAD group SID which can't be resolved by - LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed - as group entry, not as passwd entry. */ - if (is_passwd ()) - return NULL; - uid = gid = 0x1001; - wcpcpy (dom, L"AzureAD"); - wcpcpy (name = namebuf, L"Group"); - fully_qualified_name = true; - acc_type = SidTypeUnknown; - } - else if (sid_id_auth (sid) == 5 && - sid_sub_auth (sid, 0) == SECURITY_APPPOOL_ID_BASE_RID) + else if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */ + && sid_sub_auth (sid, 0) == SECURITY_APPPOOL_ID_BASE_RID) { /* Special IIS APPPOOL group SID which can't be resolved by LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed @@ -2728,6 +2721,24 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap) } acc_type = SidTypeUnknown; } + else if (sid_id_auth (sid) == 12 /* AzureAD ID */ + && sid_sub_auth (sid, 0) == 1 /* Azure ID base RID */) + { + /* Special AzureAD group SID which can't be resolved by + LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed + as group entry, not as passwd entry. */ + if (is_passwd ()) + return NULL; + uid = gid = 0x1001; + wcpcpy (dom, L"AzureAD"); + wcpcpy (name = namebuf, L"Group"); + fully_qualified_name = true; + acc_type = SidTypeUnknown; + } + else if (sid_id_auth (sid) == 15 /* SECURITY_APP_PACKAGE_AUTHORITY */ + && sid_sub_auth (sid, 0) == SECURITY_CAPABILITY_BASE_RID) + /* Filter out Capability SIDs */ + return NULL; else if (sid_id_auth (sid) == 22) { /* Samba UNIX Users/Groups
reply other threads:[~2024-02-27 11:19 UTC|newest] Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20240227111948.2622D3858C31@sourceware.org \ --to=corinna@sourceware.org \ --cc=cygwin-cvs@sourceware.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).