From: Roland Mainz <roland.mainz@nrubsig.org>
To: cygwin@cygwin.com
Subject: Re: Switching groups with newgrp - how to get the new group with |GetTokenInformation()| ?
Date: Fri, 23 Feb 2024 19:45:20 +0100 [thread overview]
Message-ID: <CAKAoaQ=kLW3houqanjcN9Qk1++BtgW-dNRiXjLYwCRTYEzoN=w@mail.gmail.com> (raw)
In-Reply-To: <Zdi-CnGX3CwWA0nl@calimero.vinschen.de>
On Fri, Feb 23, 2024 at 4:47 PM Corinna Vinschen via Cygwin
<cygwin@cygwin.com> wrote:
> On Feb 23 14:03, Roland Mainz via Cygwin wrote:
> > On Thu, Feb 22, 2024 at 8:11 PM Corinna Vinschen via Cygwin
> > <cygwin@cygwin.com> wrote:
> > > On Feb 22 18:38, Roland Mainz via Cygwin wrote:
> > > > If I switch the current user's group with /usr/bin/newgrp, how can a
> > > > (native) Win32 process use
> > > > |GetTokenInformation(GetCurrentThreadToken(), ...)| to find out which
> > > > group is the new "current group" (e.g. which |TokenInformationClass|
> > > > should I use) ?
> > >
> > > PSID sidbuf = (PSID) alloca (SECURITY_MAX_SID_SIZE);
> > > NTSTATUS status;
> > > ULONG size;
> > >
> > > status = NtQueryInformationToken (hProcToken, TokenPrimaryGroup,
> > >                                   sidbuf, SECURITY_MAX_SID_SIZE,
> > >                                   &size);
> >
> > Well, it works in the case of a "hello world" application, but if I
> > stuff that into the nfsd_daemon (NFSv4.1 ms-nfs41-client client
> > daemon) it always prints the default primary group, even if the
> > current thread should impersonate another user - or in this case even
> > the same user, but a different primary group (e.g. see
> > https://github.com/kofemann/ms-nfs41-client/blob/master/sys/nfs41_driver.c#L1367).
> >
> > Do you have any idea what is going wrong in this case ?
>
> Not sure about that. I'm not familiar with driver development under
> Windows.
Me neither, I'm still new to this whole Windows kernel stuff (coming
from SUN&Solaris engineering), but as we need a NFSv4 filesystem
client at work I'm basically forced at knifepoint to learn as fast as
I can... ;-/
> I'd expect that you get the token of the calling thread or, in
> this case, process as is.
I think it's the calling thread which makes the Win32 syscall, then
the MiniRedirector driver (nfs41_driver.sys) gets that security
context, and uses that to set the impersonation stuff when making the
upcall to the userland part (nfsd_debug.exe), so that daemon thread
can impersonate the caller.
> However, did you try this with a primary group SID being part of the
> token's supplementary group list, or did you try this with some
> arbitrary group SID?
I tried it like this:
1. On the Windows machine I created these two new groups:
---- snip ----
WINHOST1:~$ net localgroup cygwingrp1 /add
WINHOST1:~$ net localgroup cygwingrp2 /add
WINHOST1:~$ getent group cygwingrp1
cygwingrp1:S-1-5-21-3286904461-661230000-4220857270-1003:197611:
WINHOST1:~$ getent group cygwingrp2
cygwingrp2:S-1-5-21-3286904461-661230000-4220857270-1004:197612:
---- snip ----
On the Linux NFSv4 server side I added these groups too, and added
group membership for the matching user:
---- snip ----
root@DERFWNB4966:~# groupadd -g 197611 cygwingrp1
root@DERFWNB4966:~# groupadd -g 197612 cygwingrp2
root@DERFWNB4966:~# usermod -a -G cygwingrp1 roland_mainz
root@DERFWNB4966:~# usermod -a -G cygwingrp2 roland_mainz
---- snip ----
After that /usr/bin/chgrp on Cygwin works on the NFSv4.1 filesystem,
but if I do a /usr/bin/newgrp+/usr/bin/touch it will not create files
with that new group, because nfsd_debug.exe only sees the default
primary group, not the new primary group set by /usr/bin/newgrp.
Or is there a mistake - do I have to add the current user to the
Windows localgroup first somehow (like usermod on Linux) ?
> I toyed around a bit with this in user space, and it seems I
> misinterpreted the results when I added the newgrp(1) tool. The primary
> group in the token *must* be member of the token's supplementary group
> list.
Like on UNIX, right ?
> The fact that it looks like it works in Cygwin to set the pgrp to
> an arbitrary SID is apparently based on incorrect error handling.
>
> I will fix this in the next couple of days.
Thanks :-)
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) roland.mainz@nrubsig.org
\__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer
/O /==\ O\ TEL +49 641 3992797
(;O/ \/ \O;)
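The check the thread arrives at, as an added example that is not part of this message or of Cygwin or ms-nfs41-client: read the token's primary group with GetTokenInformation(TokenPrimaryGroup) (the Win32 counterpart of the NtQueryInformationToken call quoted above), preferring the impersonating thread token over the process token, and verify that the primary group SID is also present in the token's supplementary group list. The P/Invoke wrapper type and function names are this example's own.

```powershell
# Added example: query TokenPrimaryGroup and confirm the SID is one of the
# token's supplementary groups. TokenNative is a P/Invoke helper defined here.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    public const int TokenPrimaryGroup = 5;   // TOKEN_INFORMATION_CLASS value
    public const uint TOKEN_QUERY = 0x0008;
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIMARY_GROUP { public IntPtr PrimaryGroup; }
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenThreadToken(IntPtr th, uint access, bool openAsSelf, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ph, uint access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr tok, int cls, IntPtr info, int len, out int ret);
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentThread();
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
}
'@

function Get-TokenPrimaryGroupSid {
    # A thread token only exists while the thread impersonates; otherwise
    # fall back to the process token (the case newgrp changes in Cygwin).
    $tok = [IntPtr]::Zero
    $q = [TokenNative]::TOKEN_QUERY
    if (-not [TokenNative]::OpenThreadToken([TokenNative]::GetCurrentThread(), $q, $true, [ref]$tok)) {
        if (-not [TokenNative]::OpenProcessToken([TokenNative]::GetCurrentProcess(), $q, [ref]$tok)) {
            throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
    }
    try {
        $len = 0
        # First call with an empty buffer only reports the required size.
        [void][TokenNative]::GetTokenInformation($tok, [TokenNative]::TokenPrimaryGroup, [IntPtr]::Zero, 0, [ref]$len)
        $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($len)
        try {
            if (-not [TokenNative]::GetTokenInformation($tok, [TokenNative]::TokenPrimaryGroup, $buf, $len, [ref]$len)) {
                throw "GetTokenInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
            }
            $pg = [Runtime.InteropServices.Marshal]::PtrToStructure($buf, [type][TokenNative+TOKEN_PRIMARY_GROUP])
            # SecurityIdentifier(IntPtr) parses the raw SID the struct points to.
            return New-Object Security.Principal.SecurityIdentifier($pg.PrimaryGroup)
        } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
    } finally { [void][TokenNative]::CloseHandle($tok) }
}

$primary = Get-TokenPrimaryGroupSid
$groups  = [Security.Principal.WindowsIdentity]::GetCurrent().Groups   # supplementary list
"Primary group SID: $primary"
"Primary group is in the token's group list: $($groups -contains $primary)"
```

Run it once from a plain shell and once after newgrp in Cygwin; a primary group that is not in the group list is the inconsistent state the thread describes, and Windows will not honour it when creating files.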