public inbox for cygwin@cygwin.com
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: Switching groups with newgrp - how to get the new group with |GetTokenInformation()| ?
Date: Fri, 23 Feb 2024 16:47:22 +0100
Message-ID: <Zdi-CnGX3CwWA0nl@calimero.vinschen.de>
In-Reply-To: <CAKAoaQ=rCwVHnHAqfd5C3kC45GPE4ZHbbgCWrdM64sojLMuMyA@mail.gmail.com>

On Feb 23 14:03, Roland Mainz via Cygwin wrote:
> On Thu, Feb 22, 2024 at 8:11 PM Corinna Vinschen via Cygwin
> <cygwin@cygwin.com> wrote:
> > On Feb 22 18:38, Roland Mainz via Cygwin wrote:
> > > If I switch the current user's group with /usr/bin/newgrp, how can a
> > > (native) Win32 process use
> > > |GetTokenInformation(GetCurrentThreadToken(), ...)| to find out which
> > > group is the new "current group" (e.g. which |TokenInformationClass|
> > > should I use) ?
> >
> >   PSID sidbuf = (PSID) alloca (SECURITY_MAX_SID_SIZE);
> >   NTSTATUS status;
> >   ULONG size;
> >
> >   status = NtQueryInformationToken (hProcToken, TokenPrimaryGroup,
> >                                     sidbuf, SECURITY_MAX_SID_SIZE,
> >                                     &size);
> 
> Well, it works in the case of a "hello world" application, but if I
> stuff that into the nfsd_daemon (NFSv4.1 ms-nfs41-client client
> daemon) it always prints the default primary group, even if the
> current thread should impersonate another user - or in this case even
> the same user, but a different primary group (e.g. see
> https://github.com/kofemann/ms-nfs41-client/blob/master/sys/nfs41_driver.c#L1367).
> 
> Do you have any idea what is going wrong in this case ?

Not sure about that.  I'm not familiar with driver development under
Windows.  I'd expect that you get the token of the calling thread or, in
this case, process as is.

However, did you try this with a primary group SID being part of the
token's supplementary group list, or did you try this with some
arbitrary group SID?

I toyed around a bit with this in user space, and it seems I
misinterpreted the results when I added the newgrp(1) tool.  The primary
group in the token *must* be a member of the token's supplementary group
list.

The fact that it looks like it works in Cygwin to set the pgrp to
an arbitrary SID is apparently based on incorrect error handling.

I will fix this in the next couple of days.


Corinna
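
The rule stated in the message above (the primary group SID must appear in the token's group list) can be checked before a primary group change is attempted. This is an added example, not code from the thread or from Cygwin: it works on raw SID bytes in portable C instead of calling the Win32 API, and the names `sid_buf`, `sid_length`, `primary_group_allowed`, `allowed_in_sample_token` and the sample SIDs are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Binary SID layout: revision (1 byte), sub-authority count (1 byte), identifier
 * authority (6 bytes, big-endian), then up to 15 little-endian 32-bit sub-authorities. */
#define SID_MAX_SUBAUTH 15
#define MAX_SID_SIZE (8 + 4 * SID_MAX_SUBAUTH) /* 68, as SECURITY_MAX_SID_SIZE */
struct sid_buf { const uint8_t *data; size_t len; };

/* Length of the SID in bytes, or 0 if the buffer cannot hold a valid one. */
size_t sid_length(struct sid_buf s)
{
    if (s.len < 8 || s.data[0] != 1 || s.data[1] > SID_MAX_SUBAUTH)
        return 0;
    size_t need = 8 + 4 * (size_t)s.data[1];
    return need <= s.len ? need : 0;
}

/* 1 if candidate is a well-formed SID present in groups[0..n), else 0. */
int primary_group_allowed(struct sid_buf cand, const struct sid_buf *groups, size_t n)
{
    size_t clen = sid_length(cand);
    for (size_t i = 0; clen != 0 && i < n; i++)
        if (sid_length(groups[i]) == clen && memcmp(cand.data, groups[i].data, clen) == 0)
            return 1;
    return 0;
}

/* Constructed sample data, not taken from any real token. */
static const uint8_t SID_EVERYONE[] = {1, 1, 0,0,0,0,0,1, 0,0,0,0};              /* S-1-1-0 */
static const uint8_t SID_USERS[]    = {1, 2, 0,0,0,0,0,5, 32,0,0,0, 0x21,2,0,0}; /* S-1-5-32-545 */
static const uint8_t SID_ADMINS[]   = {1, 2, 0,0,0,0,0,5, 32,0,0,0, 0x20,2,0,0}; /* S-1-5-32-544 */
static const uint8_t SID_TRUNC[]    = {1, 2, 0,0,0,0,0,5, 32,0,0,0};             /* count says 2, holds 1 */

/* Check a candidate against a sample group list of Everyone and Users. */
int allowed_in_sample_token(const uint8_t *sid, size_t len)
{
    const struct sid_buf groups[] = {{SID_EVERYONE, sizeof SID_EVERYONE}, {SID_USERS, sizeof SID_USERS}};
    return primary_group_allowed((struct sid_buf){sid, len}, groups, 2);
}

int main(void)
{
    printf("Users:     %d\n", allowed_in_sample_token(SID_USERS, sizeof SID_USERS));
    printf("Admins:    %d\n", allowed_in_sample_token(SID_ADMINS, sizeof SID_ADMINS));
    printf("Truncated: %d\n", allowed_in_sample_token(SID_TRUNC, sizeof SID_TRUNC));
    return 0;
}
```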
