From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 2155) id 2622D3858C31; Tue, 27 Feb 2024 11:19:48 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 2622D3858C31 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1709032788; bh=X324dC/alXuEC6AHHvEjnXqsL6bCsJy/YEOM4Qi0EWs=; h=From:To:Subject:Date:From; b=m44FgDPfNNw0DmkwYjGKMWfR5LBcNSNYV19LCQiYYzLhLx0O8kdFwxKqVxu/ulypt fyYk0XEfp5S1kniEY4C3MVOe2fBaw9qiM2Iz06hw+II5XQxg+FZoZ4ovjVD5pTBH71 dDHo8QX1JJECZzUoQ+qf+dsmTizwLYf9uxoCm7Wo= Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable From: Corinna Vinschen To: cygwin-cvs@sourceware.org Subject: [newlib-cygwin/cygwin-3_5-branch] Cygwin: passwd/group: drop Capability SIDs X-Act-Checkin: newlib-cygwin X-Git-Author: Corinna Vinschen X-Git-Refname: refs/heads/cygwin-3_5-branch X-Git-Oldrev: ec5ef42f545699ba02f53ce5b89b7dfc7e92d7ca X-Git-Newrev: 271f187b7b59a6645e24e9c36b60ba31f6527556 Message-Id: <20240227111948.2622D3858C31@sourceware.org> Date: Tue, 27 Feb 2024 11:19:48 +0000 (GMT) List-Id: https://sourceware.org/git/gitweb.cgi?p=3Dnewlib-cygwin.git;h=3D271f187b7b5= 9a6645e24e9c36b60ba31f6527556 commit 271f187b7b59a6645e24e9c36b60ba31f6527556 Author: Corinna Vinschen AuthorDate: Tue Feb 20 17:25:23 2024 +0100 Commit: Corinna Vinschen CommitDate: Mon Feb 26 10:04:32 2024 +0100 Cygwin: passwd/group: drop Capability SIDs =20 Capability SIDs (S-1-15-3-...) have been introduced with Windows 10 1909. They don't resolve with LookupAccountSid. We don't need them and they don't map gracefully into our POSIX account namespace. Also, add code to make sure to filter them out *iff* they become resolvable at one point. =20 While at it, slightly reorder code for non-resolving SIDs by authority values. =20 
Signed-off-by: Corinna Vinschen
Diff:
---
 winsup/cygwin/uinfo.cc | 47 +++++++++++++++++++++++++++++------------------
 1 file changed, 29 insertions(+), 18 deletions(-)
diff --git a/winsup/cygwin/uinfo.cc b/winsup/cygwin/uinfo.cc
index 21d729d5dcbc..acbc945e41d9 100644
--- a/winsup/cygwin/uinfo.cc
+++ b/winsup/cygwin/uinfo.cc
@@ -2624,9 +2624,15 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t= &arg, cyg_ldap *pldap)
 + (sid_sub_auth_rid (sid) & 0xff);
 #else
 if (sid_id_auth (sid) =3D=3D 15 /* SECURITY_APP_PACKAGE_AUTHORITY */)
- uid =3D 0x10000 + 0x100 * sid_id_auth (sid)
- + 0x10 * sid_sub_auth (sid, 0)
- + (sid_sub_auth_rid (sid) & 0xf);
+ {
+ /* Filter out all SIDs not referring to an App Package, for
+ instance, Capability SIDs (S-1-15-3-...) */
+ if (sid_sub_auth (sid, 0) !=3D SECURITY_APP_PACKAGE_BASE_RID)
+ return NULL;
+ uid =3D 0x10000 + 0x100 * sid_id_auth (sid)
+ + 0x10 * SECURITY_APP_PACKAGE_BASE_RID
+ + (sid_sub_auth_rid (sid) & 0xf);
+ }
 else if (sid_id_auth (sid) !=3D 5 /* SECURITY_NT_AUTHORITY */)
 uid =3D 0x10000 + 0x100 * sid_id_auth (sid)
 + (sid_sub_auth_rid (sid) & 0xff);
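Review bot: The new App Package filter lands only in the `#else` arm of the preprocessor conditional; the other arm ends just above the hunk with the same `+ (sid_sub_auth_rid (sid) & 0xff);` mapping, and if that arm also synthesizes uids for authority-15 SIDs, a Capability SID would still receive one there — its condition is outside the hunk, so confirm it or apply the same `if (sid_sub_auth (sid, 0) != SECURITY_APP_PACKAGE_BASE_RID) return NULL;` guard. The uid encoding in the added lines is built from bare constants; a comment such as `/* uid = 0x10000 + 0x100 * id-authority + 0x10 * base RID + low 4 bits of the RID */` above it would make the layout readable without decoding the arithmetic. fetch_account_from_windows begins and ends outside the hunk.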
@@ -2682,21 +2688,8 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t= &arg, cyg_ldap *pldap)
 fully_qualified_name =3D true;
 acc_type =3D SidTypeUnknown;
 }
- else if (sid_id_auth (sid) =3D=3D 12 && sid_sub_auth (sid, 0) =3D=3D 1)
- {
- /* Special AzureAD group SID which can't be resolved by
- LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed
- as group entry, not as passwd entry. */
- if (is_passwd ())
- return NULL;
- uid =3D gid =3D 0x1001;
- wcpcpy (dom, L"AzureAD");
- wcpcpy (name =3D namebuf, L"Group");
- fully_qualified_name =3D true;
- acc_type =3D SidTypeUnknown;
- }
- else if (sid_id_auth (sid) =3D=3D 5 &&
- sid_sub_auth (sid, 0) =3D=3D SECURITY_APPPOOL_ID_BASE_RID)
+ else if (sid_id_auth (sid) =3D=3D 5 /* SECURITY_NT_AUTHORITY */
+ && sid_sub_auth (sid, 0) =3D=3D SECURITY_APPPOOL_ID_BASE_RID)
 {
 /* Special IIS APPPOOL group SID which can't be resolved by
 LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed
@@ -2728,6 +2721,24 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t= &arg, cyg_ldap *pldap)
 }
 acc_type =3D SidTypeUnknown;
 }
+ else if (sid_id_auth (sid) =3D=3D 12 /* AzureAD ID */
+ && sid_sub_auth (sid, 0) =3D=3D 1 /* Azure ID base RID */)
+ {
+ /* Special AzureAD group SID which can't be resolved by
+ LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed
+ as group entry, not as passwd entry. */
+ if (is_passwd ())
+ return NULL;
+ uid =3D gid =3D 0x1001;
+ wcpcpy (dom, L"AzureAD");
+ wcpcpy (name =3D namebuf, L"Group");
+ fully_qualified_name =3D true;
+ acc_type =3D SidTypeUnknown;
+ }
+ else if (sid_id_auth (sid) =3D=3D 15 /* SECURITY_APP_PACKAGE_AUTHORITY */
+ && sid_sub_auth (sid, 0) =3D=3D SECURITY_CAPABILITY_BASE_RID)
+ /* Filter out Capability SIDs */
+ return NULL;
 else if (sid_id_auth (sid) =3D=3D 22)
 {
 /* Samba UNIX Users/Groups
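Review bot: The new authority-15 branch in the hunk at -2728 rejects only `SECURITY_CAPABILITY_BASE_RID`, while the hunk at -2624 rejects every authority-15 SID whose first sub-authority is not `SECURITY_APP_PACKAGE_BASE_RID`; an unresolvable S-1-15-* SID with any other sub-authority appears to fall through to the branches below this hunk, so unless that is intended the condition should read `&& sid_sub_auth (sid, 0) != SECURITY_APP_PACKAGE_BASE_RID` with the comment changed to say it filters non-App-Package SIDs. The brace-less `else if` with a comment sitting between the condition and `return NULL;` also differs from every neighbouring branch, which wraps its body in `{ }`; adding the braces keeps the style uniform and makes it harder to silently attach a second statement later. fetch_account_from_windows begins and ends outside these hunks.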