On Mon, 18 Nov 2024 17:26:12 +0100
Corinna Vinschen wrote:
> On Nov 16 00:21, Takashi Yano via Cygwin wrote:
> > I built a test program, whose important part is:
> >
> > AUTHZ_RESOURCE_MANAGER_HANDLE hManager = NULL;
> > AUTHZ_CLIENT_CONTEXT_HANDLE hClient = NULL;
> > AUTHZ_ACCESS_REQUEST AccessRequest = {0};
> > AUTHZ_ACCESS_REPLY AccessReply = {0};
> >
> > AUTHZ_RPC_INIT_INFO_CLIENT authzRpcInitInfoClient = {0};
> >
> > WCHAR ObjectUuid[] = L"9a81c2bd-a525-471d-a4ed-49907c0b23da";
> > WCHAR ProtSeq[] = L"ncacn_ip_tcp";
> > WCHAR NetworkAddr[] = L"localhost";
> > WCHAR Endpoint[] = L"135";
> >
> > authzRpcInitInfoClient.version = AUTHZ_INIT_INFO_VERSION_V1;
> > authzRpcInitInfoClient.ObjectUuid = ObjectUuid;
> > authzRpcInitInfoClient.ProtSeq = ProtSeq;
> > authzRpcInitInfoClient.NetworkAddr = NetworkAddr;
> > authzRpcInitInfoClient.Endpoint = Endpoint;
> >
> > AuthzInitializeRemoteResourceManager (&authzRpcInitInfoClient, &hManager);
> >
> > char buf[1024];
> > PTOKEN_USER pTokenUser = (PTOKEN_USER) buf;
> > DWORD len;
> >
> > GetTokenInformation(hToken, TokenUser, pTokenUser, 1024, &len);
> >
> > LUID luid = {0,};
> > AuthzInitializeContextFromSid(0, pTokenUser->User.Sid, hManager,
> > NULL, luid, NULL, &hClient);
> >
> >
> > This test code fails at AuthzInitializeContextFromSid() with
> > RPC_S_UNKNOWN_IF. If AuthzInitializeRemoteResourceManager()
> > is replaced with AuthzInitializeResourceManager(), the error
> > does not occur.
> >
> > I searched the combination of AuthzInitializeContextFromSid()
> > and RPC_S_UNKNOWN_IF, however nothing was found.
>
> RPC_S_UNKNOWN_IF means "unknown interface". I assume this error has
> nothing to do with AuthzInitializeContextFromSid(), but with the
> AuthzInitializeRemoteResourceManager() call.
>
> What I failed, though, is to find a working example for
> AuthzInitializeRemoteResourceManager().
>
> > Any suggestion would be appreciated.
>
> As I said in my previous posting, maybe we don't really need
> AuthzInitializeRemoteResourceManager().
>
> We can safely assume that the current user is already authorized on the
> SMB server. So... shouldn't AuthzInitializeResourceManager be
> sufficient and the code from class authz_ctx already does what we want?
> We may just have to use in in place of calling NtCheckAccess(),
> maybe with a tweak or two...
I already tried AuthzInitializeResourceManager(), but the result
was the same with current implementation...
BTW, I come up with another implementation. This make the things
much simpler. What do you think of the patch attached?
--
Takashi Yano <takashi.y...@nifty.ne.jp>
diff --git a/winsup/cygwin/sec/base.cc b/winsup/cygwin/sec/base.cc
index d5e39d281..c460fecc4 100644
--- a/winsup/cygwin/sec/base.cc
+++ b/winsup/cygwin/sec/base.cc
@@ -28,10 +28,6 @@ details. */
| GROUP_SECURITY_INFORMATION \
| OWNER_SECURITY_INFORMATION)
-static GENERIC_MAPPING NO_COPY_RO file_mapping = { FILE_GENERIC_READ,
- FILE_GENERIC_WRITE,
- FILE_GENERIC_EXECUTE,
- FILE_ALL_ACCESS };
LONG
get_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd,
bool justcreated)
@@ -608,95 +604,6 @@ check_access (security_descriptor &sd, GENERIC_MAPPING
&mapping,
return ret;
}
-/* Samba override. Check security descriptor for Samba UNIX user and group
- accounts and check if we have an RFC 2307 mapping to a Windows account.
- Create a new security descriptor with all of the UNIX accounts with
- valid mapping replaced with their Windows counterpart. */
-static void
-convert_samba_sd (security_descriptor &sd_ret)
-{
- NTSTATUS status;
- BOOLEAN dummy;
- PSID sid;
- cygsid owner;
- cygsid group;
- SECURITY_DESCRIPTOR sd;
- cyg_ldap cldap;
- tmp_pathbuf tp;
- PACL acl, oacl;
- size_t acl_len;
- PACCESS_ALLOWED_ACE ace;
-
- if (!NT_SUCCESS (RtlGetOwnerSecurityDescriptor (sd_ret, &sid, &dummy)))
- return;
- owner = sid;
- if (!NT_SUCCESS (RtlGetGroupSecurityDescriptor (sd_ret, &sid, &dummy)))
- return;
- group = sid;
-
- if (sid_id_auth (owner) == 22)
- {
- struct passwd *pwd;
- uid_t uid = owner.get_uid (&cldap);
- if (uid < UNIX_POSIX_OFFSET && (pwd = internal_getpwuid (uid)))
- owner.getfrompw (pwd);
- }
- if (sid_id_auth (group) == 22)
- {
- struct group *grp;
- gid_t gid = group.get_gid (&cldap);
- if (gid < UNIX_POSIX_OFFSET && (grp = internal_getgrgid (gid)))
- group.getfromgr (grp);
- }
-
- if (!NT_SUCCESS (RtlGetDaclSecurityDescriptor (sd_ret, &dummy,
- &oacl, &dummy)))
- return;
- acl = (PACL) tp.w_get ();
- RtlCreateAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION);
- acl_len = sizeof (ACL);
-
- for (DWORD i = 0; i < oacl->AceCount; ++i)
- if (NT_SUCCESS (RtlGetAce (oacl, i, (PVOID *) &ace)))
- {
- cygsid ace_sid ((PSID) &ace->SidStart);
- if (sid_id_auth (ace_sid) == 22)
- {
- if (sid_sub_auth (ace_sid, 0) == 1) /* user */
- {
- struct passwd *pwd;
- uid_t uid = ace_sid.get_uid (&cldap);
- if (uid < UNIX_POSIX_OFFSET && (pwd = internal_getpwuid (uid)))
- ace_sid.getfrompw (pwd);
- }
- else if (sid_sub_auth (ace_sid, 0) == 2) /* group */
- {
- struct group *grp;
- gid_t gid = ace_sid.get_gid (&cldap);
- if (gid < UNIX_POSIX_OFFSET && (grp = internal_getgrgid (gid)))
- ace_sid.getfromgr (grp);
- }
- }
- if (!add_access_allowed_ace (acl, ace->Mask, ace_sid, acl_len,
- ace->Header.AceFlags))
- return;
- }
- acl->AclSize = acl_len;
-
- RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
- RtlSetControlSecurityDescriptor (&sd, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
- RtlSetOwnerSecurityDescriptor (&sd, owner, FALSE);
- RtlSetGroupSecurityDescriptor (&sd, group, FALSE);
-
- status = RtlSetDaclSecurityDescriptor (&sd, TRUE, acl, FALSE);
- if (!NT_SUCCESS (status))
- return;
- DWORD sd_size = 0;
- status = RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
- if (sd_size > 0 && sd_ret.malloc (sd_size))
- RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
-}
-
int
check_file_access (path_conv &pc, int flags, bool effective)
{
@@ -711,10 +618,14 @@ check_file_access (path_conv &pc, int flags, bool
effective)
desired |= FILE_EXECUTE;
if (!get_file_sd (pc.handle (), pc, sd, false))
{
- /* Tweak Samba security descriptor as necessary. */
- if (pc.fs_is_samba ())
- convert_samba_sd (sd);
- ret = check_access (sd, file_mapping, desired, flags, effective);
+ HANDLE h = CreateFileW (pc.get_nt_native_path ()->Buffer, desired,
+ 0, NULL, OPEN_EXISTING,
+ FILE_FLAG_BACKUP_SEMANTICS, NULL);
+ if (h != INVALID_HANDLE_VALUE)
+ {
+ CloseHandle (h);
+ ret = 0;
+ }
}
debug_printf ("flags %y, ret %d", flags, ret);
return ret;
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
