Date: Fri, 23 Feb 2024 16:47:22 +0100
From: Corinna Vinschen
To: cygwin@cygwin.com
Subject: Re: Switching groups with newgrp - how to get the new group with |GetTokenInformation()| ?

On Feb 23 14:03, Roland Mainz via Cygwin wrote:
> On Thu, Feb 22, 2024 at 8:11 PM Corinna Vinschen via Cygwin wrote:
> > On Feb 22 18:38, Roland Mainz via Cygwin wrote:
> > > If I switch the current user's group with /usr/bin/newgrp, how can a
> > > (native) Win32 process use
> > > |GetTokenInformation(GetCurrentThreadToken(), ...)| to find out which
> > > group is the new "current group" (e.g. which |TokenInformationClass|
> > > should I use) ?
> >
> >   PSID sidbuf = (PSID) alloca (SECURITY_MAX_SID_SIZE);
> >   NTSTATUS status;
> >   ULONG size;
> >
> >   status = NtQueryInformationToken (hProcToken, TokenPrimaryGroup,
> >                                     sidbuf, SECURITY_MAX_SID_SIZE,
> >                                     &size);
>
> Well, it works in the case of an "hello world" application, but if I
> stuff that into the nfsd_daemon (NFSv4.1 ms-nfs41-client client
> daemon) it always prints the default primary group, even if the
> current thread should impersonate another user - or in this case even
> the same user, but a different primary group (e.g. see
> https://github.com/kofemann/ms-nfs41-client/blob/master/sys/nfs41_driver.c#L1367).
>
> Do you have any idea what is going wrong in this case ?

Not sure about that.  I'm not familiar with driver development under
Windows.  I'd expect that you get the token of the calling thread or, in
this case, process as is.

However, did you try this with a primary group SID being part of the
token's supplementary group list, or did you try this with some
arbitrary group SID?

I toyed around a bit with this in user space, and it seems I
misinterpreted the results when I added the newgrp(1) tool.  The primary
group in the token *must* be a member of the token's supplementary group
list.  The fact that it looks like it works in Cygwin to set the pgrp to
an arbitrary SID is apparently based on incorrect error handling.  I
will fix this in the next couple of days.

Corinna
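The rule stated in the message above (a token's primary group must also appear in the token's group list) can be checked from user space. The following is an added example, not part of the original e-mail and not Cygwin's code: it reads TokenPrimaryGroup and TokenGroups with GetTokenInformation() and tests membership. The function names, the byte-wise SID comparison and the sample SIDs are assumptions made for the example, and the token query is compiled only under _WIN32.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample SIDs in binary form: S-1-1-0, S-1-5-32-545, S-1-5-32-544. */
const unsigned char SID_EVERYONE[] = {1,1, 0,0,0,0,0,1, 0,0,0,0};
const unsigned char SID_USERS[]    = {1,2, 0,0,0,0,0,5, 32,0,0,0, 0x21,2,0,0};
const unsigned char SID_ADMINS[]   = {1,2, 0,0,0,0,0,5, 32,0,0,0, 0x20,2,0,0};
const unsigned char *SAMPLE_GROUPS[] = { SID_EVERYONE, SID_USERS };

/* Binary SID: revision(1) count(1) authority(6), then count 32-bit sub-authorities. */
static size_t sid_len(const unsigned char *sid) { return 8 + 4 * (size_t)sid[1]; }

/* Returns 1 if sid equals one of the n SIDs in list, else 0. */
int sid_in_list(const unsigned char *sid, const unsigned char **list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (sid_len(sid) == sid_len(list[i]) && !memcmp(sid, list[i], sid_len(sid)))
            return 1;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
/* Fetch one token information class into a malloc'ed buffer; NULL on failure. */
static void *token_info(HANDLE tok, TOKEN_INFORMATION_CLASS cls)
{
    DWORD len = 0;
    GetTokenInformation(tok, cls, NULL, 0, &len);  /* first call reports the size */
    void *buf = len ? malloc(len) : NULL;
    if (buf && !GetTokenInformation(tok, cls, buf, len, &len)) { free(buf); buf = NULL; }
    return buf;
}

/* 1: primary group is in TokenGroups, 0: it is not, -1: a query failed. */
int token_primary_group_ok(HANDLE tok)
{
    TOKEN_PRIMARY_GROUP *pg = token_info(tok, TokenPrimaryGroup);
    TOKEN_GROUPS *tg = token_info(tok, TokenGroups);
    const unsigned char **v = tg ? malloc((tg->GroupCount + 1) * sizeof *v) : NULL;
    int ok = -1;
    if (pg && v) {
        for (DWORD i = 0; i < tg->GroupCount; i++) v[i] = tg->Groups[i].Sid;
        ok = sid_in_list(pg->PrimaryGroup, v, tg->GroupCount);
    }
    free(v); free(tg); free(pg);
    return ok;
}
#endif
```

On Windows, token_primary_group_ok() expects a token handle that grants TOKEN_QUERY access; on other platforms only sid_in_list() and the constructed samples are built.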