From: Roland Mainz
Date: Fri, 23 Feb 2024 19:45:20 +0100
Subject: Re: Switching groups with newgrp - how to get the new group with |GetTokenInformation()| ?
To: cygwin@cygwin.com

On Fri, Feb 23, 2024 at 4:47 PM Corinna Vinschen via Cygwin wrote:
> On Feb 23 14:03, Roland Mainz via Cygwin wrote:
> > On Thu, Feb 22, 2024 at 8:11 PM Corinna Vinschen via Cygwin
> > wrote:
> > > On Feb 22 18:38, Roland Mainz via Cygwin wrote:
> > > > If I switch the current user's group with /usr/bin/newgrp, how can a
> > > > (native) Win32 process use
> > > > |GetTokenInformation(GetCurrentThreadToken(), ...)| to find out which
> > > > group is the new "current group" (e.g. which |TokenInformationClass|
> > > > should I use) ?
> > >
> > >   PSID sidbuf = (PSID) alloca (SECURITY_MAX_SID_SIZE);
> > >   NTSTATUS status;
> > >   ULONG size;
> > >
> > >   status = NtQueryInformationToken (hProcToken, TokenPrimaryGroup,
> > >                                     sidbuf, SECURITY_MAX_SID_SIZE,
> > >                                     &size);
> >
> > Well, it works in the case of a "hello world" application, but if I
> > stuff that into the nfsd_daemon (NFSv4.1 ms-nfs41-client client
> > daemon) it always prints the default primary group, even if the
> > current thread should impersonate another user - or in this case even
> > the same user, but a different primary group (e.g. see
> > https://github.com/kofemann/ms-nfs41-client/blob/master/sys/nfs41_driver.c#L1367).
> >
> > Do you have any idea what is going wrong in this case ?
>
> Not sure about that. I'm not familiar with driver development under
> Windows.

Me neither, I'm still new to this whole Windows kernel stuff (coming
from SUN&Solaris engineering), but as we need an NFSv4 filesystem
client at work I'm basically forced at knifepoint to learn as fast as
I can... ;-/

> I'd expect that you get the token of the calling thread or, in
> this case, process as is.

I think it's the calling thread which makes the Win32 syscall, then
the MiniRedirector driver (nfs41_driver.sys) gets that security
context, and uses that to set the impersonation stuff when making the
upcall to the userland part (nfsd_debug.exe), so that daemon thread
can impersonate the caller.

> However, did you try this with a primary group SID being part of the
> token's supplementary group list, or did you try this with some
> arbitrary group SID?

I tried it like this:

1. On the Windows machine I created these two new groups:
---- snip ----
WINHOST1:~$ net localgroup cygwingrp1 /add
WINHOST1:~$ net localgroup cygwingrp2 /add
WINHOST1:~$ getent group cygwingrp1
cygwingrp1:S-1-5-21-3286904461-661230000-4220857270-1003:197611:
WINHOST1:~$ getent group cygwingrp2
cygwingrp2:S-1-5-21-3286904461-661230000-4220857270-1004:197612:
---- snip ----

On the Linux NFSv4 server side I added these groups too, and added
group membership for the matching user:
---- snip ----
root@DERFWNB4966:~# groupadd -g 197611 cygwingrp1
root@DERFWNB4966:~# groupadd -g 197612 cygwingrp2
root@DERFWNB4966:~# usermod -a -G cygwingrp1 roland_mainz
root@DERFWNB4966:~# usermod -a -G cygwingrp2 roland_mainz
---- snip ----

After that /usr/bin/chgrp on Cygwin works on the NFSv4.1 filesystem,
but if I do a /usr/bin/newgrp+/usr/bin/touch it will not create files
with that new group, because nfsd_debug.exe only sees the default
primary group, not the new primary group set by /usr/bin/newgrp.

Or is there a mistake - do I have to add the current user to the
Windows localgroup first somehow (like usermod on Linux) ?

> I toyed around a bit with this in user space, and it seems I
> misinterpreted the results when I added the newgrp(1) tool. The primary
> group in the token *must* be a member of the token's supplementary group
> list.

Like on UNIX, right ?

> The fact that it looks like it works in Cygwin to set the pgrp to
> an arbitrary SID is apparently based on incorrect error handling.
>
> I will fix this in the next couple of days.

Thanks :-)

----

Bye,
Roland
-- 
  __ .  . __
 (o.\ \/ /.o) roland.mainz@nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 3992797
 (;O/ \/ \O;)
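
The group setup described in the mail above, as an added example that is not part of the original message: a shell function that turns Cygwin `getent group` output (name:SID:gid:members) into the `groupadd -g` commands that were typed by hand on the Linux NFSv4 server, so both sides use the same gid. The function name `getent_to_groupadd` and the strict field checks are assumptions of this example; the checks are there because the generated commands are meant to be run as root.

```shell
#!/bin/sh
# Added example, not from the original mail.
# Reads Cygwin "getent group" lines (name:SID:gid:members) on stdin and
# prints one "groupadd -g GID NAME" command per valid line.
# Malformed lines are reported on stderr and make the function return 1.
getent_to_groupadd() {
    rc=0
    while IFS=: read -r name sid gid _members; do
        [ -n "$name$sid$gid" ] || continue      # skip empty lines
        case $name in
            # reject empty names, option-like names and shell metacharacters
            ''|-*|*[!A-Za-z0-9_.-]*)
                echo "bad group name: $name" >&2; rc=1; continue ;;
        esac
        case $sid in
            S-1-[0-9]*) ;;                       # revision 1 SID string
            *) echo "bad SID for $name: $sid" >&2; rc=1; continue ;;
        esac
        case ${sid#S-1-} in
            # after "S-1-" only digit groups separated by single hyphens
            *[!0-9-]*|*--*|*-)
                echo "bad SID for $name: $sid" >&2; rc=1; continue ;;
        esac
        case $gid in
            ''|*[!0-9]*)
                echo "bad gid for $name: $gid" >&2; rc=1; continue ;;
        esac
        printf 'groupadd -g %s %s\n' "$gid" "$name"
    done
    return $rc
}

# Sample input: the two getent lines quoted in the mail above.
getent_to_groupadd <<'EOF'
cygwingrp1:S-1-5-21-3286904461-661230000-4220857270-1003:197611:
cygwingrp2:S-1-5-21-3286904461-661230000-4220857270-1004:197612:
EOF
```
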