From: Dan Shelton
Date: Fri, 23 Feb 2024 22:15:09 +0100
Subject: Re: Switching groups with newgrp - how to get the new group with |GetTokenInformation()| ?
To: cygwin@cygwin.com

On Fri, 23 Feb 2024 at 19:45, Roland Mainz via Cygwin wrote:
>
> On Fri, Feb 23, 2024 at 4:47 PM Corinna Vinschen via Cygwin wrote:
> > On Feb 23 14:03, Roland Mainz via Cygwin wrote:
> > > On Thu, Feb 22, 2024 at 8:11 PM Corinna Vinschen via Cygwin wrote:
> > > > On Feb 22 18:38, Roland Mainz via Cygwin wrote:
> > > > > If I switch the current user's group with /usr/bin/newgrp, how can a
> > > > > (native) Win32 process use
> > > > > |GetTokenInformation(GetCurrentThreadToken(), ...)| to find out which
> > > > > group is the new "current group" (e.g. which |TokenInformationClass|
> > > > > should I use) ?
> > > >
> > > >   PSID sidbuf = (PSID) alloca (SECURITY_MAX_SID_SIZE);
> > > >   NTSTATUS status;
> > > >   ULONG size;
> > > >
> > > >   status = NtQueryInformationToken (hProcToken, TokenPrimaryGroup,
> > > >                                     sidbuf, SECURITY_MAX_SID_SIZE,
> > > >                                     &size);
> > >
> > > Well, it works in the case of a "hello world" application, but if I
> > > stuff that into the nfsd_daemon (NFSv4.1 ms-nfs41-client client
> > > daemon) it always prints the default primary group, even if the
> > > current thread should impersonate another user - or in this case even
> > > the same user, but a different primary group (e.g. see
> > > https://github.com/kofemann/ms-nfs41-client/blob/master/sys/nfs41_driver.c#L1367).
> > >
> > > Do you have any idea what is going wrong in this case ?
> >
> > Not sure about that. I'm not familiar with driver development under
> > Windows.
>
> Me neither, I'm still new to this whole Windows kernel stuff (coming
> from SUN&Solaris engineering), but as we need an NFSv4 filesystem
> client at work I'm basically forced at knifepoint to learn as fast as
> I can... ;-/
>
> > I'd expect that you get the token of the calling thread or, in
> > this case, process as is.
>
> I think it's the calling thread which makes the Win32 syscall, then
> the MiniRedirector driver (nfs41_driver.sys) gets that security
> context, and uses that to set the impersonation stuff when making the
> upcall to the userland part (nfsd_debug.exe), so that daemon thread
> can impersonate the caller.
>
> > However, did you try this with a primary group SID being part of the
> > token's supplementary group list, or did you try this with some
> > arbitrary group SID?
>
> I tried it like this:
> 1. On the Windows machine I created these two new groups:
> ---- snip ----
> WINHOST1:~$ net localgroup cygwingrp1 /add
> WINHOST1:~$ net localgroup cygwingrp2 /add
> WINHOST1:~$ getent group cygwingrp1
> cygwingrp1:S-1-5-21-3286904461-661230000-4220857270-1003:197611:
> WINHOST1:~$ getent group cygwingrp2
> cygwingrp2:S-1-5-21-3286904461-661230000-4220857270-1004:197612:
> ---- snip ----
>
> On the Linux NFSv4 server side I added these groups too, and added
> group membership for the matching user:
> ---- snip ----
> root@DERFWNB4966:~# groupadd -g 197611 cygwingrp1
> root@DERFWNB4966:~# groupadd -g 197612 cygwingrp2
> root@DERFWNB4966:~# usermod -a -G cygwingrp1 roland_mainz
> root@DERFWNB4966:~# usermod -a -G cygwingrp2 roland_mainz
> ---- snip ----
>
> After that /usr/bin/chgrp on Cygwin works on the NFSv4.1 filesystem,
> but if I do a /usr/bin/newgrp+/usr/bin/touch it will not create files
> with that new group, because nfsd_debug.exe only sees the default
> primary group, not the new primary group set by /usr/bin/newgrp.
>
> Or is there a mistake - do I have to add the current user to the
> Windows localgroup first somehow (like usermod on Linux) ?

Yes, there is a mistake. You have to add the intended user to that group.
Example:
net localgroup mywingrp1 mywinuser44 /add

HOWEVER, there is another Cygwin bug: "getent group mywingrp1" does
not list any group members, even after "net localgroup mywingrp1
mywinuser44 /add", which is a POSIX violation.

Dan
-- 
Dan Shelton - Cluster Specialist Win/Lin/Bsd
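
The two preconditions discussed in this thread (the user is a member of the Windows local group, and the Linux server uses the same gid) can be checked before trying newgrp; the following is an added example, not code from any poster or from Cygwin. It assumes English-locale "net localgroup" output with the local account listed by its bare name, and Cygwin's gid mapping for local (SAM) groups of 0x30000 + RID, which matches the getent output quoted above; the sample output and function names are constructed.

```sh
#!/bin/sh
# Added example; function names and sample data are constructed.

# Constructed sample: English-locale output of "net localgroup mywingrp1"
# after the user was added (CRLF line endings, as seen from Cygwin).
sample_net_output() {
    printf '%s\r\n' \
        'Alias name     mywingrp1' \
        'Comment' \
        '' \
        'Members' \
        '' \
        '-------------------------------------------------------------------------------' \
        'mywinuser44' \
        'The command completed successfully.' \
        ''
}

# is_member USER: read "net localgroup GROUP" output on stdin; succeed only
# if USER is in the member list (Windows account names are case-insensitive).
is_member() {
    tr -d '\r' | awk -v u="$1" '
        /^-+$/                   { inlist = 1; next }  # dashed rule opens the list
        /^The command completed/ { inlist = 0 }        # trailer closes it
        inlist && tolower($0) == tolower(u) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# expected_gid LINE: from a Cygwin "getent group" line (name:SID:gid:),
# print the gid Cygwin assigns to a local group: 0x30000 (196608) + RID.
expected_gid() {
    rid=${1#*:}; rid=${rid%%:*}; rid=${rid##*-}
    echo $((196608 + rid))
}

# gid_matches LINE: succeed if the line's gid field equals that mapping,
# i.e. it is the value to pass to "groupadd -g" on the NFS server.
gid_matches() {
    gid=${1%:*}; gid=${gid##*:}
    [ "$gid" = "$(expected_gid "$1")" ]
}

line='cygwingrp1:S-1-5-21-3286904461-661230000-4220857270-1003:197611:'
gid_matches "$line" && echo "gid for groupadd -g: $(expected_gid "$line")"
sample_net_output | is_member mywinuser44 && echo "mywinuser44 is a member"
```

On a real host, pipe the live command into the check instead of the sample, e.g. `net localgroup mywingrp1 | is_member mywinuser44`.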