* [newlib-cygwin/cygwin-3_5-branch] Cygwin: passwd/group: drop Capability SIDs
@ 2024-02-27 11:19 Corinna Vinschen
From: Corinna Vinschen @ 2024-02-27 11:19 UTC (permalink / raw)
To: cygwin-cvs
https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=271f187b7b59a6645e24e9c36b60ba31f6527556
commit 271f187b7b59a6645e24e9c36b60ba31f6527556
Author: Corinna Vinschen <corinna@vinschen.de>
AuthorDate: Tue Feb 20 17:25:23 2024 +0100
Commit: Corinna Vinschen <corinna@vinschen.de>
CommitDate: Mon Feb 26 10:04:32 2024 +0100
Cygwin: passwd/group: drop Capability SIDs
Capability SIDs (S-1-15-3-...) have been introduced with
Windows 10 1909. They don't resolve with LookupAccountSid.
We don't need them and they don't map gracefully into our
POSIX account namespace. Also, add code to make sure to
filter them out *iff* they become resolvable at one point.
While at it, slightly reorder code for non-resolving SIDs
by authority values.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Diff:
---
winsup/cygwin/uinfo.cc | 47 +++++++++++++++++++++++++++++------------------
1 file changed, 29 insertions(+), 18 deletions(-)
diff --git a/winsup/cygwin/uinfo.cc b/winsup/cygwin/uinfo.cc
index 21d729d5dcbc..acbc945e41d9 100644
--- a/winsup/cygwin/uinfo.cc
+++ b/winsup/cygwin/uinfo.cc
@@ -2624,9 +2624,15 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
+ (sid_sub_auth_rid (sid) & 0xff);
#else
if (sid_id_auth (sid) == 15 /* SECURITY_APP_PACKAGE_AUTHORITY */)
- uid = 0x10000 + 0x100 * sid_id_auth (sid)
- + 0x10 * sid_sub_auth (sid, 0)
- + (sid_sub_auth_rid (sid) & 0xf);
+ {
+ /* Filter out all SIDs not referring to an App Package, for
+ instance, Capability SIDs (S-1-15-3-...) */
+ if (sid_sub_auth (sid, 0) != SECURITY_APP_PACKAGE_BASE_RID)
+ return NULL;
+ uid = 0x10000 + 0x100 * sid_id_auth (sid)
+ + 0x10 * SECURITY_APP_PACKAGE_BASE_RID
+ + (sid_sub_auth_rid (sid) & 0xf);
+ }
else if (sid_id_auth (sid) != 5 /* SECURITY_NT_AUTHORITY */)
uid = 0x10000 + 0x100 * sid_id_auth (sid)
+ (sid_sub_auth_rid (sid) & 0xff);
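Review bot: the new guard `if (sid_sub_auth (sid, 0) != SECURITY_APP_PACKAGE_BASE_RID) return NULL;` silently drops every S-1-15 SID whose first sub-authority is not the App Package base RID, which is broader than the Capability SIDs (S-1-15-3-...) the comment names as its example; a debug_printf of the rejected SID before the `return NULL` would make an unexpected S-1-15-x value visible in strace output instead of surfacing only as a missing passwd/group entry. Replacing `0x10 * sid_sub_auth (sid, 0)` with `0x10 * SECURITY_APP_PACKAGE_BASE_RID` is equivalent once the guard has run, so uid values for App Package SIDs that previously mapped are unchanged.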
@@ -2682,21 +2688,8 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
fully_qualified_name = true;
acc_type = SidTypeUnknown;
}
- else if (sid_id_auth (sid) == 12 && sid_sub_auth (sid, 0) == 1)
- {
- /* Special AzureAD group SID which can't be resolved by
- LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed
- as group entry, not as passwd entry. */
- if (is_passwd ())
- return NULL;
- uid = gid = 0x1001;
- wcpcpy (dom, L"AzureAD");
- wcpcpy (name = namebuf, L"Group");
- fully_qualified_name = true;
- acc_type = SidTypeUnknown;
- }
- else if (sid_id_auth (sid) == 5 &&
- sid_sub_auth (sid, 0) == SECURITY_APPPOOL_ID_BASE_RID)
+ else if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
+ && sid_sub_auth (sid, 0) == SECURITY_APPPOOL_ID_BASE_RID)
{
/* Special IIS APPPOOL group SID which can't be resolved by
LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed
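Review bot: the removed AzureAD block (authority 12, sub-authority 1) needs to be checked line for line against the copy re-added below the IIS APPPOOL branch, since a move that is expressed as delete-plus-insert is where an accidental edit to the `is_passwd ()` check, the `0x1001` uid/gid or the `AzureAD`/`Group` names would hide; the two conditions test disjoint `sid_id_auth` values (12 versus 5), so the reordering itself cannot change which branch a given SID takes. Adding the `/* SECURITY_NT_AUTHORITY */` annotation to the APPPOOL condition is a welcome consistency fix with the `== 15 /* SECURITY_APP_PACKAGE_AUTHORITY */` checks elsewhere in this function.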
@@ -2728,6 +2721,24 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
}
acc_type = SidTypeUnknown;
}
+ else if (sid_id_auth (sid) == 12 /* AzureAD ID */
+ && sid_sub_auth (sid, 0) == 1 /* Azure ID base RID */)
+ {
+ /* Special AzureAD group SID which can't be resolved by
+ LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed
+ as group entry, not as passwd entry. */
+ if (is_passwd ())
+ return NULL;
+ uid = gid = 0x1001;
+ wcpcpy (dom, L"AzureAD");
+ wcpcpy (name = namebuf, L"Group");
+ fully_qualified_name = true;
+ acc_type = SidTypeUnknown;
+ }
+ else if (sid_id_auth (sid) == 15 /* SECURITY_APP_PACKAGE_AUTHORITY */
+ && sid_sub_auth (sid, 0) == SECURITY_CAPABILITY_BASE_RID)
+ /* Filter out Capability SIDs */
+ return NULL;
else if (sid_id_auth (sid) == 22)
{
/* Samba UNIX Users/Groups
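Review bot: the Capability SID filter `else if (sid_id_auth (sid) == 15 ... && sid_sub_auth (sid, 0) == SECURITY_CAPABILITY_BASE_RID)` is the only branch in this chain whose body is an unbraced single `return NULL;` separated from its condition by a comment, while every neighbouring branch uses braces; bracing it the same way avoids a silent logic change should a second statement (for instance a debug_printf of the filtered SID) be added later. The relocated AzureAD condition still uses bare `12` and `1` with comments where the surrounding branches name constants; if winnt.h provides no symbol for them, a local define in uinfo.cc would keep the chain uniform. The re-added AzureAD body matches the block removed in the previous hunk statement for statement, so behaviour for those group SIDs is preserved.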