authorCorinna Vinschen <corinna@vinschen.de>2016-03-12 17:56:21 +0100
committerCorinna Vinschen <corinna@vinschen.de>2016-03-12 17:56:21 +0100
commitfc180edcf4231fdfbc73560432bc45e926c08eaa (patch)
treefabba57010981fb1484f931a62c981b13d5af0a5 /winsup/cygwin/sec_helper.cc
parent018fa93e2b9a78edbe58c9d6a281783aff38e527 (diff)
Fix reading/writing Samba ACLs using RFC2307 mapping
When using RFC2307 uid/gid-mapping on Samba shares, the POSIX ACL contains the Windows SIDs. When writing back such an ACL we have to map the Windows SIDs back to the corresponding Samba SIDs representing the UNIX uid/gid value. When reading Samba SIDs, make sure never to evaluate a UNIX user account as group. * sec_acl.cc (set_posix_access): Convert Windows SIDs to RFC2307-mapped Samba UNIX SIDs. * sec_helper.cc (cygpsid::get_id): Skip UNIX user accounts when trying to evaluate a SID as group. Skip UNIX group accounts when trying to evaluate a SID as user. * cygheap.h (cygheap_ugid_cache::reverse_get): New method to get nfs id from cygwin id. (cygheap_ugid_cache::reverse_get_uid): Wrapper for uids. (cygheap_ugid_cache::reverse_get_gid): Wrapper for gids. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Diffstat (limited to 'winsup/cygwin/sec_helper.cc')
-rw-r--r--winsup/cygwin/sec_helper.cc32
1 files changed, 20 insertions, 12 deletions
diff --git a/winsup/cygwin/sec_helper.cc b/winsup/cygwin/sec_helper.cc
index e93a9a935..0ad09e062 100644
--- a/winsup/cygwin/sec_helper.cc
+++ b/winsup/cygwin/sec_helper.cc
@@ -117,21 +117,28 @@ cygpsid::get_id (BOOL search_grp, int *type, cyg_ldap *pldap)
id = myself->gid;
else if (sid_id_auth (psid) == 22 && cygheap->pg.nss_grp_db ())
{
- /* Samba UNIX group. Try to map to Cygwin gid. If there's no
+ /* Samba UNIX group? Try to map to Cygwin gid. If there's no
mapping in the cache, try to fetch it from the configured
RFC 2307 domain (see last comment in cygheap_domain_info::init()
- for more information) and add it to the mapping cache. */
- gid_t gid = sid_sub_auth_rid (psid);
- gid_t map_gid = cygheap->ugid_cache.get_gid (gid);
- if (map_gid == ILLEGAL_GID)
+ for more information) and add it to the mapping cache.
+ If this is a user, not a group, make sure to skip the subsequent
+ internal_getgrsid call, otherwise we end up with a fake group
+ entry for a UNIX user account. */
+ if (sid_sub_auth (psid, 0) == 2)
{
- if (pldap->open (cygheap->dom.get_rfc2307_domain ()) == NO_ERROR)
- map_gid = pldap->remap_gid (gid);
- if (map_gid == ILLEGAL_GID)
- map_gid = MAP_UNIX_TO_CYGWIN_ID (gid);
- cygheap->ugid_cache.add_gid (gid, map_gid);
+ gid_t gid = sid_sub_auth_rid (psid);
+ gid_t map_gid = cygheap->ugid_cache.get_gid (gid);
+ if (map_gid == ILLEGAL_GID)
+ {
+ if (pldap->open (cygheap->dom.get_rfc2307_domain ())
+ == NO_ERROR)
+ map_gid = pldap->remap_gid (gid);
+ if (map_gid == ILLEGAL_GID)
+ map_gid = MAP_UNIX_TO_CYGWIN_ID (gid);
+ cygheap->ugid_cache.add_gid (gid, map_gid);
+ }
+ id = (uid_t) map_gid;
}
- id = (uid_t) map_gid;
}
else if ((gr = internal_getgrsid (*this, pldap)))
id = gr->gr_gid;
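Review bot: In the `sid_id_auth (psid) == 22` group branch, a SID whose first sub-authority is not 2 now assigns nothing to `id`, so the value returned for it depends on how `id` is initialized above the hunk, which is not visible here. Since this id feeds ACL and ownership mapping, the skip path should be explicit at the point where it happens, for example a comment after the inner block such as `/* else: UNIX user SID; id keeps its initial (invalid) value */`. The bare literals `22` and `2` (and `1` in the user path of the next hunk) would also be easier to audit as named constants. The body of get_id starts and ends outside the hunk.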
@@ -147,7 +154,8 @@ cygpsid::get_id (BOOL search_grp, int *type, cyg_ldap *pldap)
struct passwd *pw;
if (*this == cygheap->user.sid ())
id = myself->uid;
- else if (sid_id_auth (psid) == 22 && cygheap->pg.nss_pwd_db ())
+ else if (sid_id_auth (psid) == 22 && sid_sub_auth (psid, 0) == 1
+ && cygheap->pg.nss_pwd_db ())
{
/* Samba UNIX user. See comment above. */
uid_t uid = sid_sub_auth_rid (psid);
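Review bot: The user path treats a mismatched Samba SID differently from the group path. Here `sid_sub_auth (psid, 0) == 1` is part of the `else if` condition, so an S-1-22-2-* group SID does not enter this block and falls through to whatever branch follows, presumably a passwd lookup by SID that lies outside the hunk. The group path instead enters its block and deliberately skips the lookup to avoid creating a fake entry. If the same concern applies to users, the check should be nested inside the block as in the group path; if the fall-through is intended, a comment such as `/* UNIX group SIDs intentionally fall through to the passwd lookup */` would document the asymmetry. The block opened here continues past the end of the hunk.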