From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 2155) id 45B963858D34; Sat, 24 Feb 2024 12:53:48 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 45B963858D34 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; s=default; t=1708779228; bh=cfWBAUdKE/+hdeJqEadSBLAMHH6Yp/X1UIps2e+TeaU=; h=Date:From:To:Subject:Reply-To:References:In-Reply-To:From; b=TYAcguQa5D+wA5Yv0cRcU6a0NlsO/7ozqoYiKYyqScLzff9QEWsUNOuW9jUsVszNr S/a/hAdNz9iL14EoLA8x4Kw+NIxDM1A6mzPVK+Yo2dAinodNPBWRiueOUnYrC3oYcb +LYEyQwDYsPB8TpPGLob+5DOEEjWmysN+39e2tVg= Received: by calimero.vinschen.de (Postfix, from userid 500) id 7F8B4A809E4; Sat, 24 Feb 2024 13:53:46 +0100 (CET) Date: Sat, 24 Feb 2024 13:53:46 +0100 From: Corinna Vinschen To: cygwin@cygwin.com Subject: Re: Switching groups with newgrp - how to get the new group with |GetTokenInformation()| ? Message-ID: Reply-To: cygwin@cygwin.com Mail-Followup-To: cygwin@cygwin.com References: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: List-Id: On Feb 23 19:45, Roland Mainz via Cygwin wrote: > On Fri, Feb 23, 2024 at 4:47 PM Corinna Vinschen via Cygwin > wrote: > > On Feb 23 14:03, Roland Mainz via Cygwin wrote: > > > Do you have any idea what is going wrong in this case ? > > > > Not sure about that. I'm not familiar with driver development under > > Windows. > > Me neither, I'm still new to this whole Windows kernel stuff (coming > from SUN&Solaris engineering), but as we need a NFSv4 filesystem > client at work I'm basically forced at knifepoint to learn as fast as > I can... ;-/ > > > I'd expect that you get the token of the calling thread or, in > > this case, process as is. > > I think it's the calling thread which makes the Win32 syscall, then > the MiniRedirector driver (nfs41_driver.sys) gets that security > context, and uses that to set the impersonation stuff when making the > upcall to the userland part (nfsd_debug.exe), so that daemon thread > can impersonate the caller. > > > However, did you try this with a primary group SID being part of the > > token's supplementary group list, or did you try this with some > > arbitrary group SID? > > I tried it like this: > 1. On the Windows machine I created these two new groups: > ---- snip ---- > WINHOST1:~$ net localgroup cygwingrp1 /add > WINHOST1:~$ net localgroup cygwingrp2 /add > WINHOST1:~$ getent group cygwingrp1 > cygwingrp1:S-1-5-21-3286904461-661230000-4220857270-1003:197611: > WINHOST1:~$ getent group cygwingrp2 > cygwingrp2:S-1-5-21-3286904461-661230000-4220857270-1004:197612: > ---- snip ---- > > On the Linux NFSv4 server side I added these groups too, and added > group membership for the matching user: > ---- snip ---- > root@DERFWNB4966:~# groupadd -g 197611 cygwingrp1 > root@DERFWNB4966:~# groupadd -g 197612 cygwingrp2 > root@DERFWNB4966:~# usermod -a -G cygwingrp1 roland_mainz > root@DERFWNB4966:~# usermod -a -G cygwingrp2 roland_mainz > ---- snip ---- > > After that /usr/bin/chgrp on Cygwin works on the NFSv4.1 filesystem, > but if I do a /usr/bin/newgrp+/usr/bin/touch it will not create files > with that new group, because nfsd_debug.exe only sees the default > primary group, not the new primary group set by /usr/bin/newgrp. > > Or is there a mistake - do I have to add the current user to the > Windows localgroup first somehow (like usermod on Linux) ? Yes, there's a mistake, but in some way it's not your fault. You have to make sure that the user calling newgrp is member in the group *and* it has to be in the current user token's TOKEN_GROUP list. The fact that it (looks like it) works on Cygwin does not mean it actually worked on the OS level. See below. > > I toyed around a bit with this in user space, and it seems I > > misinterpreted the results when I added the newgrp(1) tool. The primary > > group in the token *must* be member of the token's supplementary group > > list. > > Like on UNIX, right ? No. On UNIX it depends if you're a privileged process with the CAP_SETGID capability. If so, you can set the pgrp to any arbitrary group without being asked for credentials. If you're non-priv'ed, you can change to any group from the supplementary group list without being asked for credentials, *or* you're asked for credentials (group password). > > The fact that it looks like it works in Cygwin to set the pgrp to > > an arbitrary SID is apparently based on incorrect error handling. > > > > I will fix this in the next couple of days. > > Thanks :-) In fact I can't fix it and here's why: Windows only allows to set the new primary group to a group which is already in the TOKEN_GROUP list of the manipulated user token. Even a privileged account can't do that. Only creating a new token from scratch will do this. However, there's a problem. Consider the OpenSSH server sshd. It switches the user account basically like this: if (setgid(newgid) != 0) ERROR; if (setuid(newuid) !=0) ERROR; Only after the setuid(2) call, Cygwin has full information to create the new token for the process of the user just logging in. So during the setgid(2) call, Cygwin can only operate on the token of the service account running sshd. Now, if setgid(2) would fail if the group is not in the user token of the current effective account, sshd would practically always fail. So what Cygwin does is to fake success in setgid(2) even if switching the pgrp in the token failed. It just stores the information in its internal user account representation. Then, when setuid(2) gets called, it will try to rectify this in the new user's token. That's why setgid(2) always succeeds if the group exists. We just don't have a better way to implement the user account switch. I just pushed a patch which lets newgrp(1) fail if the group is not in the supplementary group list, but that's all I can do without breaking OpenSSH. So, again, what you have to do is to make sure that the account is already in the group you're switching to. For instance: $ id uid=1049577(corinna) gid=1049089(Domain Users) groups=1049089(Domain Users),545(Users),14(REMOTE INTERACTIVE LOGON),4(INTERACTIVE),11(Authenticated Users),15(This Organization),4095(CurrentSession),66048(LOCAL),70145(Authentication authority asserted identity),1049148(Denied RODC Password Replication Group),401408(Medium Mandatory Level) So that works: $ newgrp 'INTERACTIVE' id -gn INTERACTIVE But this will not work anymore with the new newgrp(1) from Cygwin 3.5.1: $ newgrp 'PROXY' id -gn newgrp: can't switch primary group to 'PROXY' while it still (looks like it) works with newgrp(1) from Cygwin 3.5.0, because setgid(2) is faking success. HTH, Corinna